
High-severity vulnerability in vBulletin is being actively exploited - bifrost
https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/
======
shakna
So, the affected function, in includes/vb5/frontend/controller/bbcode.php was:

    function evalCode($code) {
        ob_start();
        eval($code);
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }

... So anyone who looks at a codebase for eval would have found this. There is
no doubt in my mind that when some people have claimed that this has been
around for years... That it has definitely been around for years.

And as the fix is:

    // comment out. idk what it breaks but it's a fix for now
    //eval($code);

I don't think anyone even knows what the hell that eval was doing there in the
first place.
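
As an added illustration of the kind of codebase sweep shakna describes (this is not code from the thread or from vBulletin): a small Python scanner that finds calls to eval(), and to the eval-equivalent PHP functions assert() and create_function(), in PHP source while ignoring mentions inside comments and string literals. The sample files are constructed; only the evalCode() body mirrors the snippet quoted above, and the surrounding class and the second file are made up.

```python
import re
from pathlib import Path

# Constructed sample PHP files standing in for a checked-out codebase.  The
# evalCode() body mirrors the snippet quoted in the thread; the class wrapper
# and the second file are made up for this example.
SAMPLE_PHP = {
    "includes/vb5/frontend/controller/bbcode.php": """<?php
class vB5_Frontend_Controller_Bbcode {
    function evalCode($code) {
        ob_start();
        eval($code);
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
}
""",
    "includes/example_helpers.php": """<?php
// eval() is mentioned here only in a comment and in a string literal.
$help = 'never call eval() from request data';
function evaluate($x) { return $x + 1; }   /* "evaluate" is not eval */
""",
}

# Comments and string literals are blanked out before matching so that a
# mention of eval() in a comment or a message does not count as a call.
# Newlines inside the blanked span are kept so line numbers stay correct.
NOISE = re.compile(
    r"""
      /\*.*?\*/              # block comment
    | (?://|\#)[^\n]*        # line comment
    | '(?:\\.|[^'\\])*'      # single-quoted string
    | "(?:\\.|[^"\\])*"      # double-quoted string
    """,
    re.DOTALL | re.VERBOSE,
)

# eval() plus two PHP functions that historically evaluated a string as code.
# The lookbehind rejects evaluate(, $obj->eval( and similar non-builtin names.
SINK_CALL = re.compile(r"(?<![\w$>])(eval|assert|create_function)\s*\(", re.IGNORECASE)


def find_sink_calls(src: str) -> list[tuple[int, str]]:
    """Return (line number, sink name) for each code-evaluating call in src."""
    cleaned = NOISE.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    hits = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in SINK_CALL.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def scan_tree(files: dict[str, str]) -> list[tuple[str, int, str, str]]:
    """Scan a {path: source} mapping; return (path, line, sink, source line)."""
    results = []
    for path, src in sorted(files.items()):
        lines = src.splitlines()
        for lineno, sink in find_sink_calls(src):
            results.append((path, lineno, sink, lines[lineno - 1].strip()))
    return results


def scan_directory(root: str) -> list[tuple[str, int, str, str]]:
    """Read every *.php file under root and scan it."""
    base = Path(root)
    files = {
        str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
        for p in base.rglob("*.php")
    }
    return scan_tree(files)


if __name__ == "__main__":
    for path, lineno, sink, text in scan_tree(SAMPLE_PHP):
        print(f"{path}:{lineno}: {sink}() -> {text}")
```

Point scan_directory() at a checkout to get (path, line, sink, source line) tuples. The list is only the starting point: each hit still has to be read by hand to see whether the evaluated string can be influenced by a request, which is the question that separates a harmless legacy helper from the remote code execution this thread is about.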

~~~
wolfspider
Oh yes, this brings back memories from when I worked on vBulletin customizations
over a decade ago. No doubt it is a remnant of the early plugin features but
also the hacks one had to employ with PHP before namespaces and a proper OOP
structure was introduced. Eval in PHP was the go-to for sorting out versioning
mishaps and adding a layer of abstraction when one didn’t exist. It was the
Swiss Army knife of making difficult problems disappear so it makes sense to
me that they had a specific method for this. Between versions 4 & 5 of PHP,
depending on whatever VHost was chosen, eval was necessary sometimes just to
start migrating over to version 5 because you could if...then...rewrite your
eval(“new code”).

------
Uptrenda
No offense intended, but I really don't know how it's possible to write a
forum with so many vulnerabilities. Forums aren't exactly rocket science. It's
basic input validation and you're good to go. Many recent functions (in PHP)
already sanitize input even if you forget. So things like parametrized SQL
queries and browser same origin policies really help limit the attack surface.

I find it depressing that vBulletin has been getting hacked for so long that
it's literally outlived several of the major vulnerability disclosure websites
that have historically published exploits about it (like milw0rm -- still an
amazing theme, btw.) Maybe PHP should throw warnings about eval and recommend
an alternative function purely for expressions instead. In Python apparently
eval evaluates expressions for a result and exec would do what PHP's eval
would do instead. Something like that for PHP would be better than nothing.

~~~
reaperducer
Every piece of software is simple and easy when someone else has to write it.

Unnamed Goose Game? It's just a bunch of polygons and MIDI riffs. No big
whoop.

Slack? It's just a chat agent. Just some input validation and syndication.
Easy peasy.

Microsoft Windows? It's just a window manager running on DOS. No sweat, I
could whip that up over the weekend.

------
giancarlostoro
I find it so weird that they call this a commenting system. It is a forum or
message board. Last thing I would call it is a commenting system. Never heard
anybody calling vBulletin a commenting system.

~~~
ceejayoz
When I last used it (years ago) there was a neat plugin that'd let you use it
as a commenting system for a WordPress blog. Every blog post would get a new
thread in a particular forum, and people could comment in both places.

~~~
basilgohar
I remember using or seeing something very similar for phpBB (a free software
bulletin board web app). I think that kind of functionality existed for most
extensible boards.

------
big_chungus
I spun up a trial instance just for fun, and indeed, it's as easy and
foolproof as it sounds. This is something where someone can run some google
dorks for the right forum and throw results into a twenty-line script.

Interestingly enough, it appeared as though google somehow sanitized the dork
proposed in the actual post to return few to no forums, at least when I
checked this morning. Checking now from a different IP returns a lot more;
very weird.

The actual post to seclists for reference:
[https://seclists.org/fulldisclosure/2019/Sep/31](https://seclists.org/fulldisclosure/2019/Sep/31)

Also, why on God's green earth do devs put version numbers so obviously in the
software? For instance, on my web servers, I always turn off version number
and platform, so an attacker can't easily go hunt down vulns from scraping the
web. It seems as though it would be wise to make no version numbers that
easily accessible the default.

~~~
lbotos
You are advocating for security by obscurity, which is a "deterrent", not a
solution.

Version numbers help people get support and know when/where versions are fixed
and if they are patched/updated.

A solution is running up to date software, and encouraging developers to
release security fixes and for admins to care.

~~~
shakna
Version numbers can still be handed to people without having to appear in
every single request.

It is a deterrent, and not a solution. But it does prevent the clouds of
botnets from labeling you as definitely vulnerable and attacking you the
moment a new 0-day gets purchased. The speed of attacks can outpace the speed
of your upgrade process.

Security-in-depth should always be the way forward. This is just another
tickbox you can use.
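
As an added example for the point big_chungus and shakna make about version strings (this is not code from the thread): a Python check that inspects an HTTP response's headers and HTML for leaked product versions, run here against constructed sample responses. The header values and the generator tag are made up, not captured from any real site.

```python
import re

# Constructed sample responses; none of these values came from a real host.
CHATTY_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
CHATTY_HTML = '<html><head><meta name="generator" content="ExampleBoard 1.2.3" /></head></html>'

# The same (constructed) response after the server is configured to omit
# versions, e.g. Apache "ServerTokens Prod" plus "expose_php = Off" in php.ini,
# and the forum's generator tag removed from the template.
QUIET_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
QUIET_HTML = "<html><head><title>Forum</title></head></html>"

# Response headers that commonly carry a product version.
VERSION_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
VERSION = re.compile(r"\b\d+(?:\.\d+)+\b")          # e.g. 2.4.29, 7.2.24
META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")


def find_version_disclosure(headers: dict[str, str], body: str) -> list[str]:
    """Return a description of every place a version number is exposed."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name in VERSION_HEADERS:
        value = lower.get(name)
        if value and VERSION.search(value):
            findings.append(f"header {name}: {value}")
    # <meta name="generator" content="Product 1.2.3"> is what search-engine
    # dorks key on; attribute order inside the tag does not matter here.
    for tag in META_TAG.finditer(body):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(0))}
        if attrs.get("name", "").lower() == "generator" and VERSION.search(attrs.get("content", "")):
            findings.append(f"meta generator: {attrs['content']}")
    return findings


if __name__ == "__main__":
    print("chatty:", find_version_disclosure(CHATTY_HEADERS, CHATTY_HTML))
    print("quiet: ", find_version_disclosure(QUIET_HEADERS, QUIET_HTML))
```

Feed it the headers and body from your own site's response (any HTTP client will do) and an empty list means nothing for a mass scanner to key on. As shakna says, this buys time rather than safety: the patch still has to go in, this just stops you being the first address on the list.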

~~~
RandomTisk
I agree, it's more like a "sane default".

------
itcrowd
> “Zerodium customers were aware of it since 3 years.”

This is why we can't have nice things. Zerodium, thanks for being honest, but
services such as yours are actively making the internet a worse place.

~~~
notzuck
As someone that has sold exploit code to various brokers in the past, I don't
think Zerodium are making the internet a worse place. I forget the exact year,
but around 2004 - 2006 one of my friends reported a vuln to phpbb; they
openly mocked her and downplayed the issue with no fix. She put together a
professional looking report on how it works and submitted it privately to the
product team; she was then ignored and banned from their IRC. She then
published the exploit publicly and they sued her, they forced her ISP to take
punitive action and they contacted her college to try and get her suspended.

Fuck reporting vulns, fuck open disclosure. Just sell what you find to
brokers.

Chaouki Bekrar says there are three options:

1. Full disclosure so anyone/Govs can (ab)use it without limits/regulation

2. Sell to Govs/brokers and get a decent revenue while limiting (ab)use

3. Report to vendors & get sued, or get shitty bounties and/or your name in
advisories

I agree with him.

~~~
Meekro
> She then published the exploit publicly and they sued her

So you're saying that a bunch of volunteer open source developers collectively
sued a security researcher? That sounds like it would have made for an epic
Hacker News story. Do you have any documentation that this happened?

~~~
notzuck
Look up ‘santy worm’ and the now defunct “howdark.com”. It never ended up in
court, it went as far as lawyers' letters until they backed down. It wasn’t
phpbb that sent the lawyers' letters, it was a business owner that used phpbb
that was hit by the santy worm. The lawsuit would have likely gone nowhere but
she still had to spend cash on her own lawyers; she was 19 at the time and did
nothing more than a standard vuln disclosure to the community. This isn’t even
an extreme case, there’s much worse.

------
itcrowd
On an unrelated note, does anyone else get the feeling that the vBulletin
website looks similar to what a Microsoft Support scammer might refer you to
in order to download Remote Desktop software?

[https://www.vbulletin.com/](https://www.vbulletin.com/)

~~~
hombre_fatal
It all went to shit after the Internet Brands buyout.

They used to just dogfood their own software as their homepage:
[https://web.archive.org/web/20070205162247/http://www.vbulle...](https://web.archive.org/web/20070205162247/http://www.vbulletin.com/)

------
commoner
Any recommendations for forum software, preferably open source?

I'm aware of Discourse and Flarum, which use more modern designs:

[https://www.discourse.org](https://www.discourse.org)

[https://flarum.org](https://flarum.org)

phpBB and Simple Machines Forum both use classic designs similar to vBulletin:

[https://www.phpbb.com](https://www.phpbb.com)

[https://simplemachines.org](https://simplemachines.org)

What's the best alternative to vBulletin?

~~~
KajMagnus
Maybe Talkyard could be of interest — a bit like Discourse, but has HackerNews
type threaded discussions and a basic Slack like chat:
[https://www.talkyard.io](https://www.talkyard.io) (I'm developing it).

There are some improvements over HN:
[https://www.talkyard.io/-32/how-hacker-news-can-be-improved-3-things](https://www.talkyard.io/-32/how-hacker-news-can-be-improved-3-things)

------
cjbprime
Honest question: is there any coordinated responder effort to use RCE vulns
like this one to patch the vuln and secure affected systems? Not asking just
about this exploit in particular but about the entire world of 0day Internet
RCE.

~~~
michaelt
There exist 'Anti-worms' like Anti-Santy and Welchia [1] which patch
vulnerable hosts. And I've heard of malicious viruses that patch their host
simply to ensure they have that host to themselves.

However, this is unambiguously illegal under anti-hacking laws like CFAA [2]
which introduces a variety of practical difficulties.

[1] [https://en.wikipedia.org/wiki/Anti-worm](https://en.wikipedia.org/wiki/Anti-worm)

[2] [https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
cjbprime
Thanks. I wonder if doing it under the control of a team like CERT could make
it less illegal. Or, if there was a way for a company to publicly pre-
authorize a non-prosecution agreement for 0day patch defense. Surprised I
haven't seen more discussion about the idea.

------
smolder
It would be easy to use the exploit to patch unpatched sites, rogue whitehat
style...

------
crb
What does the string "2dmfrb28nu3c6s9j" represent?

------
swiley
Man, why would anyone install code like that?

It’s a script, you can just read it, guys. Everyone fights so hard for open
source and no one bothers reading anything.

~~~
koheripbal
I once took over a Wordpress site and the prior dev told me that he just
torrented the plugins.

It took me all of 15 minutes to find code injections appended to the bottom of
the code files.

...but that wasn't the interesting part. Since it was a very popular SEO
plugin, I actually took the extra time and reported the attack code to
WordPress security scanners and the torrent site.

A month later I checked back and the plugin had been re-uploaded, but this
time with the attack code heavily obfuscated and much more subtly hidden
within the plugin.

...and this time when I reported it to the torrent site, the site admins
banned me and actually IP blocked me.

tldr; The only open source code getting reviewed is heavily used stuff.

~~~
ahje
WordPress has commercial closed-source plug-ins available and one of the more
popular ones happens to be a certain SEO plug-in. You're certain it wasn't a
pirated copy of a closed-source plugin?

Pirated closed-source themes and plug-ins for WordPress are a very common
source of malware on WP sites.

~~~
0x0
I think that's implied by the use of torrents. Bittorrent is not commonly used
as the official distribution channel by professional wordpress plugin authors,
I believe.

------
Sir_Cmpwn
PHP is a public remote shell. Why is this in the news?

~~~
sascha_sl
Ok thanks for your contribution.

Now where is my facebook dot com shell?

~~~
kevingadd
Facebook hasn't been running stock PHP for years. They wrote their own
compiler

~~~
bifrost
It's still PHP...

