A vBulletin exploit used to hack thousands of websites

Security firm Imperva revealed that more than 35000 websites based on vBulletin CMS have been hacked exploiting a known vulnerability.

Security experts warn of a massive attack against web sites that exploits  security flaw sites powered by the forum software vBulletin. On August vBullettin authors warned on “Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)”. The exploits vector was found is the  installation directories of the above versions, due this reason as a workaround is suggested to delete these folders.

The impact of the security vulnerability is huge considering that vBulletin is currently the fourth in the list of Top installed CMS sites, the company has not disclosed the cause of the flaw neither its impact.

The sites apparently compromised include also a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.

The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the site supported by its CMS (vBulletin).

A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X – /install/
5.X – /core/install

After deleting these directories your sites can not be affected by the issues that we’re currently investigating. vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.

Once disclosed the flaw the attackers have started a massive campaign trying to exploit all those websites that not implemented the security workaround. Security firm Imperva published a Threat Advisory on the case, highlighting that the number of websites recently hacked exploiting this vulnerability is superior to 35,000.

As usual the underground offer has proposed an automated open-source exploit tools to easily discover the vulnerable websites and to add administrator accounts to obtain their control.

 

The Imperva Application Defense Center (ADC) has provided further information on attacker’s procedure:

“The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the site supported by its CMS (vBulletin). “

The hackers to exploit the vulnerability and inject a new Admin user must obtain the customer ID and have to know the URL for the upgrade.php page …  the ID is embedded in the source code of the page. It is available a PHP script to scan a vBulletin site searching for the vulnerable path and extracts the customer ID from the vulnerable upgrade.php page.

Imperva specialists confirmed the availability of at least two sets of exploit tools used for the attacks:

The first was apparently used in a mass website defacement campaign, to have an idea of the compromised attacks is is possible to make a simple Google search for websites to which it has been added the administrator account “Th3H4ck” in that attack .

The second tool adds an administrator account to hacked forums with name “supportvb”, in a similar manner here the search key to find compromised websites.

“In order to infect 30,000 targets in such a short period of time you need Google, but the problem is that you can’t retrieve so many search results that easily in an automated way. Google may show you that there are 30,000 [vulnerable target sites], but when you start scrolling through them all you may get to maybe page five or six [before] you get a message that your machine is performing automated queries, and it will start showing you CAPTCHA,” challenges to block automated lookups. “And if I repeat this behavior from the same Internet address, I’ll get blocked for a certain period of time.” said Amichai Shulman, Imperva’s chief technology officer, hypnotizing that  attackers have used a botnet to automatically detect vulnerable website and compromise them.

Imperva provided useful recommendations for administrators of forum based on vBulletin CMS

1. vBulletin has advised its customers to delete /install and /core/install directories in versions  4.x and 5.x respectively.
2. For vBulletin users not able to delete these directories – it is advised to block access or redirect requests that hit upgrade.php through via either a WAF, or via web server access configuration.

Pierluigi Paganini

(Security Affairs –  vBulletin, hacking, cybercrime )