Pierluigi Paganini August 11, 2016

vBulletin forums need to be patched asap to avoid attackers to scan servers hosting the CMS and remotely execute arbitrary code.

Hackers breached the Steam’s Dota 2 forums and have leaked a couple of million credentials (the archive contains MD5-hashed passwords), but what is happening to forums based on the popular vBulletin CMS?

vBulletin forum administrators need to patch their platforms, the security updates fix multiple server-side request forgery bugs in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3.

A simple Google search reports that at least 18 million sites are based on the vBulletin CMS.

The flaws could be exploited by hackers to get access to services such as email and cache management.

The security expert Dawid Golunski confirmed the business impact of the flaw in a security advisory.

“The vulnerability can expose internal services running on the server/within the local network.
If not patched, unauthenticated attackers or automated scanners searching for vulnerable servers could send malicious data to internal services.” wrote Golunski.
“Depending on services in use, the impact could range from sensitive information disclosure, sending spam, DoS/data loss to code execution as demonstrated by  the PoC exploit in this advisory.”

The researchers pointed a portion of  the vBulletin codebase that accepts redirects from the target server specified in a user-provided link allowing HTTP redirects.

“HTTP redirects are also prohibited however there is one place in the vBulletin codebase that accepts redirects from the target server specified in a  user-provided link. The code is used to upload media files within a logged-in user’s profile and  can normally be accessed under a path similar to:

http://forum/vBulletin522/member/1-mike/media

By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost.

This introduces a Server Side Request Forgery (SSRF) vulnerability.”

The security advisory also includes proof-of-concept code.

Back to the data breach of Dota 2 forums, it was based on a simple SQL injection attack. Leakedsource.com, that first reported the incident, confirmed that it has already converted 80% of the more than 1.9 million passwords.

If you are running a vBulletin forum, patch it now.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – forums, hacking)