vBulletin Exploits in the Wild

November 4, 2015, by Daniel Cid


Update: Check Point disclosed more details here: Check Point Discovers Critical vBulletin 0-Day.

The vBulletin team patched a serious object injection vulnerability yesterday; it can lead to full command execution on any site running an out-of-date vBulletin version. The patch covers the latest versions, 5.1.4 through 5.1.9.

The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a precaution, all passwords were reset; you will have to create a new one before you can access vbulletin.com again and download the patches.

Exploits in the Wild

This vulnerability seems to have been around for a while. We were able to trace exploit attempts back to the end of October; they were targeting a few high-profile vBulletin sites protected by our Website Firewall.

The exploit was shared publicly yesterday. It attacks the decodeArguments Ajax API hook. Here is an example of an exploit attempt in the wild:

108.47.xx.yy - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum[/]ajax/api/hook/decodeArguments?
arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00
db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22
%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22
%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D%22

Once URL-decoded, the relevant part of the serialized payload reads:

vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:7:"phpinfo";}}s:12:"

Returning the output of phpinfo shows the attacker that the exploit succeeded. If this test payload works, the attacker will proceed with a full compromise. We are not seeing widespread exploitation attempts yet, as only a few high-profile sites were targeted, but we expect that to change soon as the exploit makes its way into automation engines.
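As an added example (not from this post and not Sucuri's WAF code), here is a small Python log scanner that applies the two checks the post and its comments describe from the defender's side: a generic check for PHP serialized objects in any query parameter, and a path check for the decodeArguments hook. The log lines are constructed from the request shown above, joined onto one line; the `[/]` in the original is written as a plain `/`.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache-style access log prefix: host ident user [time] "METHOD target ...".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
)
# A PHP serialized object starts with O:<len>:"<ClassName>":<count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][\w\\]*)":\d+:\{')
# String members inside the serialized structure, e.g. s:7:"phpinfo"
PHP_STRING_RE = re.compile(r's:\d+:"([^"]*)"')
# The Ajax hook attacked by the exploit in the post.
VULNERABLE_PATH = "/ajax/api/hook/decodeArguments"

# Constructed sample lines: the first is the post's request on one line,
# the second is an ordinary forum request for comparison.
EXPLOIT_LINE = (
    '108.47.xx.yy - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum/ajax/api/hook/'
    'decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22'
    '%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions'
    '%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D'
    '%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D%22 HTTP/1.1" 200 512'
)
BENIGN_LINE = (
    '192.0.2.10 - - [02/Nov/2015:22:19:03 -0500] '
    '"GET /vbforum/forum.php?styleid=2 HTTP/1.1" 200 8192'
)


def analyze_request(line):
    """Describe object-injection indicators in one access-log line (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    objects, strings = {}, []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this catches double-encoding
            classes = PHP_OBJECT_RE.findall(decoded)
            if classes:
                objects[name] = classes
                strings.extend(s for s in PHP_STRING_RE.findall(decoded) if "\x00" not in s)
    on_hook = parts.path.endswith(VULNERABLE_PATH)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "hits_vulnerable_path": on_hook,   # path-based virtual hardening rule
        "serialized_objects": objects,     # generic object injection rule
        "strings": strings,                # e.g. the callable the payload names
        "suspicious": on_hook or bool(objects),
    }
```

Feed real access-log lines to `analyze_request` and alert on `suspicious`; the `serialized_objects` and `strings` fields tell the analyst which classes and callables the payload carried.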

Patch and Protect

If we have not emphasized it enough already: you have to patch your vBulletin site now! Websites behind our WAF are (and always were) protected against this vulnerability by our virtual hardening technology. If you cannot patch your vBulletin site, we recommend looking at a solution that stops these exploits before they reach you.


Categories: Website Malware Infections
Tags: Hacked Websites, Zero-Day

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Reader Interactions

Comments

  1. Master

    November 4, 2015

    What kind of OOTB defences do you have against such attacks? I assume you don’t block any request with “phpinfo” in it..

    • Daniel Cid

      November 4, 2015

      We have protection against generic object injection attacks, which patches this specific vulnerability. We also have specific virtual hardening for vBulletin that blocks access to the vulnerable file path.

      Hope it clarifies.

      thanks,
