A serious vulnerability has been patched in forum software made by vBulletin that could allow attackers to scan servers hosting the package and possibly execute arbitrary code.
Researcher Dawid Golunski of Legal Hackers privately disclosed the vulnerability, which was patched Aug. 5 in versions 3.8.9 (and 3.8.10 beta), 4.2.3 (and 4.2.4 beta), and 5.2.3 of vBulletin. He also developed a proof-of-concept exploit that was disclosed as well.
Golunski said the server-side request forgery vulnerability he discovered allows attackers to remotely access internal services such as mail servers or the memcached memory caching system, as well as other services on the local network such as the Zabbix Agent monitoring service, he said in an advisory.
“Generally speaking, the SSRF vulnerability in vBulletin can be exploited easily by unauthenticated attackers,” Golunski told Threatpost. “The severity depends on available internal services on the target (as well as its network) hosting a vBulletin forum that an attacker could connect to by abusing the vulnerability.”
Golunski’s proof-of-concept exploit scans internal services and leads to information disclosure, he said. vBulletin said its software is used by more than 40,000 online communities.
“The vulnerability could be used to perform a [port] scan of internal services which would lead to information disclosure, but could also have a critical impact if the target server is running some weakly-configured services such as Zabbix Agent which could be tricked into executing commands on the target and as a result allow attackers to gain an unauthorized remote access to the server,” Golunski said.
Golunski said in his advisory that attackers could abuse a feature in vBulletin that allows users to upload files.
“Some pages allow users to specify a URL to a media file that a user wants to share which will then be retrieved by vBulletin,” Golunski said. “The user-provided links are validated to make sure that users can only access resources from HTTP/HTTPS protocols and that connections are not allowed in to the localhost.”
The software also prohibits HTTP redirects, but Golunski said he found one area that does allow redirects from the target server “specified in a user-provided link,” in code used to upload media files from an authenticated profile.
“By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost,” he wrote in the advisory. “This introduces a Server Side Request Forgery (SSRF) vulnerability.”
He added that since curl is used to fetch remote resources, a remote attacker could use a number of protocols to attack local services.
“For instance, by sending a redirect to gopher://localhost:11211/datahere attackers could send arbitrary traffic to memcached service on 11211 port.,” he wrote. “Additionally, depending on the temporary directory location configured within the forum, attackers could potentially view the service responses as the download function stores responses within temporary files which could be viewed if the temporary directory is exposed on the web server.”
vBulletin software has been targeted by hackers before. In 2013, for example, hackers exploited a zero-day vulnerability in the software to compromise forums on the MacRumors website, leaking more than 860,000 encrypted passwords in that attack.
