Botnet exploits recent vBulletin flaw to protect its bots

Security expert Troy Mursch of Bad Packets reported that a botnet is exploiting the recently disclosed vBulletin exploit to block other attackers from also using it.

The security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. This technique is not new and allows botmaster to preserve their own botnet.

Early this week, an anonymous security researcher publicly disclosed a zero-day remote code execution flaw, tracked as CVE-2019-16759, in the vBulletin forum software and the exploit code to trigger it.

The vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 till the latest 5.5.4.

The zero-day flaw in the forum software resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters. The expert discovered that the package fails to validate the parameters, an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.

The threat actor behind the botnet uses the exploit to hack into vulnerable servers, then configures them to require a password to execute commands.

The above images show how the attacker modifies the source code in the includes/vb5/frontend/controller/bbcode.php file in order to request a password for the command execution. The above image also shows the password used by the botmaster to protect the systems he had infected, this means that another attacker could use it to send commands to the system.

According to Mursch, most of the attacks come from Brazil, Vietnam, and India.

Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, confirmed that the vBulletin flaws has been privately circulating for years.

“The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.” reported Ars Technica.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]