No need to worry about the vBulletin zero-day exploit: Instart had you covered


On September 23rd, at the end of last month, an anonymous security researcher disclosed a zero-day exploit in vBulletin, one of the most widely deployed forum platforms on the web. The vulnerability affects every vBulletin installation running versions 5.0.0 through 5.5.4 and allows an unauthenticated attacker to execute arbitrary code on the server, and from there to gain privileged access to it.

The exploit, tracked as CVE-2019-16759, was researched and validated as soon as it was released, and vBulletin published an official patch on September 25th, two days later. More than 100,000 websites are built on vBulletin, which makes for a very large attack surface. If you do not know whether your security vendor has you covered, or if you are an Instart customer who has not yet switched the relevant rules to blocking mode (i.e. your rules are still in Warn mode), we strongly recommend taking the forum offline until your website administrators have applied the patch.

This exploit is particularly severe because it effectively gives the attacker a backdoor into every affected site, and a compromised server can then be repurposed for any number of malicious ends, such as launching DDoS attacks or other automated attacks against third parties.


How the vBulletin zero-day works

The zero-day is a “pre-authentication remote code execution” vulnerability and lies in the file /includes/vb5/frontend/controller/bbcode.php.

The evalCode function in that file accepts $code as its parameter and executes it via PHP’s eval() function, with no check on where the code came from.

To reach it, the attacker sends a specially crafted HTTP GET or POST request whose routestring parameter is set to ajax/render/widget_php. That route renders a PHP widget, and the code supplied with the request ends up in evalCode. Because no authentication is required along that path, anyone on the Internet can trigger it.

Fig. 1: exploitation attempt 1 (captured request; image not reproduced here)
Fig. 2: exploitation attempt 2 (captured request; image not reproduced here)

The payload attackers are using in the wild rewrites bbcode.php so that the exploit path only works when a password chosen by the attacker is supplied with the request. In other words, the attackers add a backdoor of their own to the code and, at the same time, lock every other attacker out of the vulnerable route.
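The request pattern described above is easy to recognise on the wire. The following added example (not Instart’s WAF rule and not vBulletin code) parses raw HTTP requests and classifies them the way a WAF rule for this flaw would: the routestring value ajax/render/widget_php comes from the write-up above; the widgetConfig[code] parameter is the one the public proof of concept uses to carry the PHP code, and is treated here as an assumption since the article itself only names routestring. The sample requests are constructed for illustration, not captured traffic.

```python
"""Classify HTTP requests for CVE-2019-16759 exploitation attempts.

Added example, not Instart's WAF rule or vBulletin's code. It demonstrates the
request-level check behind a "PHP injection" / "RCE" style rule for this bug.
"""
from urllib.parse import parse_qs, urlsplit

# Route that dispatches to the widget_php renderer and on to evalCode()/eval().
VULN_ROUTE = "ajax/render/widget_php"
# Parameter carrying the attacker's PHP in the public proof of concept.
# Assumption for this example: the article itself only names routestring.
CODE_PARAM = "widgetConfig[code]"


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser.

    Returns method, path, decoded query parameters and decoded form body.
    Only application/x-www-form-urlencoded bodies are decoded (that is what
    the published exploit uses); other body types are left alone.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = {}
    if body and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        form = parse_qs(body, keep_blank_values=True)
    return {"method": method, "path": parts.path, "query": query, "form": form}


def classify(raw: str) -> str:
    """Return 'block', 'suspect' or 'allow' for one raw HTTP request.

    block   - routestring targets widget_php and a code parameter is present
    suspect - routestring targets widget_php with no code parameter
              (still worth logging: the route has no legitimate pre-auth use)
    allow   - anything else
    """
    req = parse_request(raw)
    # The exploit works over GET and POST, so merge query and body parameters.
    params = {**req["query"], **req["form"]}
    # Defensive normalisation of the route value (slashes, case); this is the
    # WAF's choice, not a statement about how vBulletin itself matches routes.
    routes = [r.strip("/").lower() for r in params.get("routestring", [])]
    if VULN_ROUTE not in routes:
        return "allow"
    if CODE_PARAM in params:
        return "block"
    return "suspect"


# Constructed sample requests (not captured traffic).
POST_EXPLOIT = (
    "POST / HTTP/1.1\r\nHost: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "routestring=ajax/render/widget_php&widgetConfig[code]=echo+shell_exec('id');exit;"
)
GET_EXPLOIT = (
    "GET /?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=phpinfo%28%29%3B"
    " HTTP/1.1\r\nHost: forum.example\r\n\r\n"
)
PROBE = "GET /?routestring=ajax/render/widget_php HTTP/1.1\r\nHost: forum.example\r\n\r\n"
BENIGN = "GET /?routestring=forum/general-discussion HTTP/1.1\r\nHost: forum.example\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("POST exploit", POST_EXPLOIT), ("GET exploit", GET_EXPLOIT),
                          ("probe", PROBE), ("benign", BENIGN)]:
        print(f"{label:12s} -> {classify(sample)}")
```

The classifier deliberately keys on the route rather than on the PHP in the code parameter: there is no legitimate reason for an unauthenticated client to hit ajax/render/widget_php, so blocking on the route alone does not depend on recognising whatever obfuscated payload an attacker chooses to send. Percent-encoded parameter names (widgetConfig%5Bcode%5D) are decoded by the parser before the check, so encoding the brackets does not evade it.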

Instart customers were already protected — but make sure you update

As Chaouki Bekrar, founder of Zerodium, pointed out, this zero-day has been in circulation for years. “Many researchers were selling this exploit for years,” he wrote on Twitter. “Zerodium customers were aware of it since 3 years.”

The good news is that Instart customers were already protected against the vBulletin flaw by our existing web application firewall rules. Instart Web Application Firewall ships with a pre-existing ruleset that detects and mitigates this exact vulnerability:

- PHP injection: rule 1100106
- RCE (Remote Command Execution): rule 1100105

Customers who have PHP injection (1100106) and RCE (1100105) set to blocking mode are already safe from exploitation. If you have not yet switched these rules to blocking mode in Instart Web Application Firewall, or have not installed the patch vBulletin released, Instart Managed Security Services strongly recommends doing both as soon as possible: our team is still seeing active exploitation of this vulnerability across the web.
