Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Services
Capture
Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

twi-cloud-lock-color-svg
Managed Security Services

Expand your team’s capabilities and strengthen your security posture

twi-briefcase-color-svg
Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

twi-dashboard-color-svg
Penetration Testing

Subscription- or project-based testing, delivered by global experts

twi-database-color-svg
Database Security

Get ahead of database risk, protect data and exceed compliance requirements

twi-email-color-svg
Email Security & Management

Catch email threats others miss with layered security & maximum control

twi-managed-portal-color
Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

vBulletin Remote Code Execution (CVE-2020-7373)

Last week, security researcher Amir Etemadieh (aka Zenoflex) disclosed that vBulletin’s patch for CVE-2019-16759 (an unauthenticated remote code execution vulnerability) was incomplete. That CVE was exploited in the wild, for example, the Comodo Forums that exposed the data of 245,000 Users or the botnet activity targeting vulnerable vBulletin sites. This new vulnerability was given the identifier CVE-2020-7373. vBulletin is a very popular software forum. According to the BuildWith website, vBulletin tops the Forum Software Usage Distribution in the Top 1 Million Sites:

Forum_usage

Figure 1. Forum Software Usage according to BuiltWith website

 

The vulnerability allows unauthenticated attackers to inject PHP code via widget configuration parameters. In the following screenshot we can see successful exploitation of this vulnerability:

Payload

Figure 2. Injection of PHP code to create a new header via CVE-2020-7373

 

The previous example is a non-intrusive exploitation of the vulnerability, anyhow attackers may call PHP functions in order to execute code in the webserver, delete files, or other malicious activities. It’s important to mention that there are several public exploits for this vulnerability, making it trivial to exploit. A full writeup of the vulnerability was disclosed, along with PoC and a workaround, by the original researcher and can be found at:https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

A few hours after the bypass was released there was evidence of exploitation. An example of that was the famous Hacker Conference DEFCON’s forum as stated by Jeff Moss (@thedarktangent):

Defcon_exploitation

Figure 3. Public exploitation of CVE-2020-7373 in forum.defcon.org

 

There was almost a 24-hour windows between the disclosure of the vulnerability, along with the Proof of Concept and workaround, and the official patch by vBulletn.

In case patching is not possible, a workaround is to disable the PHP widgets within the forum. The steps to do so are:

  1. Go to the vBulletin administrator control panel.
  2. Click “Settings” in the menu on the left, then “Options” in the dropdown.
  3. Choose “General Settings” and then click “Edit Settings”
  4. Look for “Disable PHP, Static HTML, and Ad Module rendering”, Set to “Yes”
  5. Click “Save”

Please keep in mind this workaround may break some functionality but it will keep you safe from attacks until the patch is applied.

vBulletin issued a Security Patch that should be applied in the affected web applications as soon as possible. vBulletin says they will remove the vulnerable module (PHP Module) entirely in version 5.6.4. Finally, we want to mention that we have updated TrustKeeper scan engine to detect vulnerable instances of vBulletin.

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More