High-severity vulnerability in vBulletin is being actively exploited (arstechnica.com)
111 points by bifrost 21 days ago | 59 comments

So, the affected function, in includes/vb5/frontend/controller/bbcode.php was:

    function evalCode($code) {
        $output = ob_get_contents();
        return $output;

... So anyone who looks at a codebase for eval would have found this. There is no doubt in my mind that when some people have claimed that this has been around for years... That it has definitely been around for years.

And as the fix is:

    // comment out. idk what it breaks but it's a fix for now

I don't think anyone even knows what the hell that eval was doing there in the first place.

Oh yes brings back memories from when I worked on vBulletin customizations over a decade ago. No doubt it is a remnant of the early plugin features but also the hacks one had to employ with PHP before namespaces and a proper OOP structure was introduced. Eval in PHP was the go-to for sorting out versioning mishaps and adding a layer of abstraction when one didn’t exist. It was the Swiss Army knife of making difficult problems disappear so it makes sense to me that they had a specific method for this. Between versions 4 & 5 of PHP depending on whatever VHost was chosen eval was necessary sometimes just to start migrating over to version 5 because you could if...then...rewrite your eval(“new code”).

For those interested, you can find the all-important path to that eval in the discussion here: https://www.reddit.com/r/netsec/comments/d8q2dt/vbulletin_0d...

It's not a straightforward POST -> eval but goes through a few calls, which is probably why it wasn't discovered sooner.

vB has made heavy use of eval() for years, it’s used thru the bbcode parser, template and plugin features. I haven’t dug into the vB5 code base much, my heavy use ended in the 4 range. But this hasn’t been the first time it’s been exploited, and I suspect won’t be the last. When 5 was released we were already turned off to vB and its overall direction and settled on sticking with v4 until Xenforo matured more (the creators of which were original developers/architects of vB 1, 2, 3).

About 9 years ago I was working in ad operations for the owners of vBulletin (they were a large internet publisher). I had just read a basic book on Java to use the Dart API to automate a bunch of tasks with the remnant waterfall. I'd been at "hello world" a few months prior. I had never used PHP aside from installing Wordpress.

When I gave notice, I was asked if I'd like to work on vBulletin as an engineer.

(Some good reading at https://vbtruth.com/category/company/vbulletin/ )

No offense intended, but I really don't know how it's possible to write a forum with so many vulnerabilities. Forums aren't exactly rocket science. It's basic input validation and you're good to go. Many recent functions (in PHP) already sanitize input even if you forget. So things like parametrized SQL queries and browser same origin policies really help limit the attack surface.

I find it depressing that vBulletin has been getting hacked for so long that it's literally outlived several of the major vulnerability disclosure websites that have historically published exploits about it (like milw0rm -- still an amazing theme, btw.) Maybe PHP should throw warnings about eval and recommend an alternative function purely for expressions instead. In Python apparently eval evaluates expressions for a result and exec would do what PHP's eval would do instead. Something like that for PHP would be better than nothing.

Every piece of software is simple and easy when someone else has to write it.

Unnamed Goose Game? It's just a bunch of polygons and MIDI riffs. No big whoop.

Slack? It's just a chat agent. Just some input validation and syndication. Easy peasy.

Microsoft Windows? It's just a window manager running on DOS. No sweat, I could whip that up over the weekend.

> No offense intended, but I really don't know how it's possible to write a forum with so many vulnerabilities. Forums aren't exactly rocket science. It's basic input validation and you're good to go.

You are definitely very correct about that, for a simple forum with basically no extensibility. Bugs arise from the fact that vB is extremely customisable and has lots of points for extension, making its codebase very complex.

I don't know where you got this idea - full featured forums are very complicated compared to what most sites do.

If the codebase is anything like drupal or joomla, it doesn't surprise me. Those old school php systems are textbook examples of spaghetti code and big ball of mud patterns.

I find it so weird that they call this a commenting system. It is a forum or message board. Last thing I would call it is a commenting system. Never heard anybody calling vBulletin a commenting system.

In 2019, people are confused at the idea of simply posting discussion without it being a little appendix to some piece of content (a Youtube video, a news article, a blog post)

When I last used it (years ago) there was a neat plugin that'd let you use it as a commenting system for a WordPress blog. Every blog post would get a new thread in a particular forum, and people could comment in both places.

I remember using or seeing something very similar for phpBB (a free software bulletin board web app). I think that kind of functionality existed for most extensible boards.

Yeah seems weird. Is there an embedded version (like uh, I think Quora does this) that you can use? I've only ever seen it in standalone message board/forum contexts.

You might be thinking of disqus?

I spun up a trial instance just for fun, and indeed, it's as easy and fool-proof as it sounds. This is something where someone can run some google dorks for the right forum and throw results into a twenty-line script.

Interestingly enough, it appeared as though google somehow sanitized the dork proposed in the actual post to return few to no forums, at least when I checked this morning. Checking now from a different IP returns a lot more; very weird.

The actual post to seclists for reference: https://seclists.org/fulldisclosure/2019/Sep/31

Also, why on God's green earth do devs put version numbers so obviously in the software? For instance, on my web servers, I always turn off version number and platform, so an attacker can't easily go hunt down vulns from scraping the web. It seems as though it would be wise to make no version numbers that easily accessible the default.

You are advocating for security by obscurity. Which is a "deterrent" not a solution.

Version numbers help people get support and know when/where versions are fixed and if they are patched/updated.

A solution is running up to date software, and encouraging developers to release security fixes and for admins to care.

Version numbers can still be handed to people without having to appear in every single request.

It is a deterrent, and not a solution. But it does prevent the clouds of botnets from labeling you as definitely vulnerable and attacking you the moment a new 0-day gets purchased. The speed of attacks can outpace the speed of your upgrade process.

Security-in-depth should always be the way forward. This is just another tickbox you can use.

I agree, it's more like a "sane default".

I'm not advocating for using it as a sole defense, I'm saying it can cut down on log noise and won't hurt. Relying on security by obscurity is stupid; reducing the amount of information available to an attacker is smart.

They're doing nothing of the sort.

All software will have bugs.

There's no good reason to accurately broadcast to the world what specific version you're running of anything, ever.

It's not advocating leaving your production systems to rot with ancient software because you've hidden the versions. You still need to stay vigilant. But the reality is, 0-days happen, and not all bugs being exploited are reported/fixed. Keep the version hidden, or hell, broadcast a completely different software/version altogether.

I tried the Google dork search on Tuesday morning when I saw the Full Disclosure email.

At that time, a lot of servers showed up. All the top ones had been vandalized already.

Probably easier to just try the whole bag of exploits

> “Zerodium customers were aware of it since 3 years.”

This is why we can't have nice things. Zerodium, thanks for being honest, but services such as yours are actively making the internet a worse place.

As someone that has sold exploit code to various brokers in the past, I don't think Zerodium are making the internet a worse place. I forget the exact year but it was around 2004 - 2006 one of my friends reported a vuln to phpbb, they openly mocked her and downplayed the issue with no fix. She put together a professional looking report on how it works and submitted it privately to the product team, she was then ignored and banned from their IRC. She then published the exploit publicly and they sued her, they forced her ISP to take punitive action and they contacted her college to try and get her suspended.

Fuck reporting vulns, fuck open disclosure. Just sell what you find to brokers.

Chaouki Bekrar says there are three options:

1. Full disclosure so anyone/Govs can (ab)use it without limits/regulation

2. Sell to Govs/brokers and get a decent revenue while limiting (ab)use

3. Report to vendors & get sued, or get shitty bounties and/or your name in advisories

I agree with him.

Cannot upvote this enough. Finding a vuln is one thing; the other thing is power structures, politics, people's feelings in companies or OSS projects that are hit with that vuln.

Yeah, it should be a learning experience, fix it and get over it. But it is not easy if you have 3 people waiting for you to slip to get your position. Some others want to make money on writing a story about how bad your software is, even though it might not be your issue (VLC-bug story) because software is complicated. Good luck with explaining that it was not your fault...

> She then published the exploit publicly and they sued her

So you're saying that a bunch of volunteer open source developers collectively sued a security researcher? That sounds like it would have made for an epic Hacker News story. Do you have any documentation that this happened?

Look up ‘santy worm’ and the now defunct “howdark.com”. It never ended up in court, it went as far as lawyers' letters until they backed down. It wasn’t phpbb that sent the lawyers' letters, it was a business owner that used phpbb that was hit by the santy worm. The lawsuit would have likely gone nowhere but she still had to spend cash on her own lawyers, she was 19 at the time and did nothing more than a standard vuln disclosure to the community. This isn’t even an extreme case, there’s much worse.

Having dealt with some disclosure issues in the past, it's fraught with peril.

There's even a conference dedicated to it now: https://www.disclosureconference.com/

It's probably worthwhile to attend.

I'm surprised it took this long to be found. Searching for shell_exec() and/or exec() in the source would be the first thing I'd do if looking for RCE.

Well it was

so it's even worse. Those two wouldn't show up, but you can call them if you want to!

The examples they gave are just that, examples. Someone actually searching would enter a term like "eval(" so as to find usage of that function, regardless of what the actual arguments were
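A source-audit sketch for the point made in the comments above: a search keyed on `eval(` (not only `exec()`/`shell_exec()`) is what flags this class of bug in a codebase you maintain. This is an added example, not code from the thread or from vBulletin; the sink list, function names and PHP sample are constructed, and heredocs and text outside `<?php` are not handled.

```python
import re

SINKS = ("eval", "assert", "create_function", "exec", "shell_exec",
         "system", "passthru", "popen", "proc_open")
# Sink name + "(" not preceded by an identifier char, "$", "->" or "::" (skips evalCode(), $db->exec()).
CALL = re.compile(r"(?<![\w$>:])(" + "|".join(SINKS) + r")\s*\(", re.I)

def blank_comments_and_strings(src):
    """Overwrite comment and string contents with spaces, keeping newlines."""
    out, i, state = [], 0, None       # state: None, "//", "/*", "'" or '"'
    while i < len(src):
        c, two = src[i], src[i:i + 2]
        if state is None:
            if two in ("//", "/*"):
                state, c, i = two, "  ", i + 1
            elif c in "#'\"":
                state, c = ("//" if c == "#" else c), " "
            out.append(c)
        else:
            if state == "/*" and two == "*/":
                state, i = None, i + 1
                out.append(" ")
            elif state == "//" and c == "\n":
                state = None
            elif state in ("'", '"') and c == "\\" and i + 1 < len(src):
                out.append(" ")
                i, c = i + 1, src[i + 1]   # escaped char cannot close the string
            elif c == state:
                state = None
            out.append("\n" if c == "\n" else " ")
        i += 1
    return "".join(out)

def find_sinks(php_source):
    """Return (line_number, function_name) for each call to a listed sink."""
    code = blank_comments_and_strings(php_source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).lower())
            for m in CALL.finditer(code)]

# Constructed sample input (not vBulletin source).
SAMPLE = '''<?php
// eval() was removed from this file
function evalCode($code) { ob_start(); eval($code); return ob_get_clean(); }
$msg = "docs: never call eval($x)";
$rows = $db->exec($sql);  /* system($cmd); */
$out = shell_exec($cmd);
'''
if __name__ == "__main__":
    print(find_sinks(SAMPLE))
```

Mentions inside comments and strings, the `evalCode` identifier itself and the `$db->exec()` method call are not reported; only the two real calls are.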

I think the anonymous researcher that disclosed it more broadly now is the one making the internet a worse place

Why do our opinions differ?

On an unrelated note, does anyone else get the feeling that the vBulletin website looks similar to what a Microsoft Support scammer might refer you to in order to download Remote Desktop software?


It all went to shit after the Internet Brands buyout.

They used to just dogfood their own software as their homepage: https://web.archive.org/web/20070205162247/http://www.vbulle...

Any recommendations for forum software, preferably open source?

I'm aware of Discourse and Flarum, which use more modern designs:



phpBB and Simple Machines Forum both use classic designs similar to vBulletin:



What's the best alternative to vBulletin?

Maybe Talkyard could be of interest — a bit like Discourse, but has HackerNews type threaded discussions and a basic Slack like chat: https://www.talkyard.io (I'm developing it).

There are some improvements over HN: https://www.talkyard.io/-32/how-hacker-news-can-be-improved-...

It depends on your criteria, but if you're looking for a well-supported, vBulletin-ish forum (focus on being a forum first-and-foremost, similar visual style, similar extensibility system) then XenForo is a very good candidate. If I didn't have a lot of time invested in my vBulletin setup (customization), I would go with them. For now, vBulletin works for me.

Ooh I hadn't heard of Flarum yet; I'm going to try that one out.

As a user, Discourse forums have always felt bloated and slow. As a developer, I was shocked when I went to their installation documentation and saw it required 1 GB of RAM and 10 GB of disk space.

As they vary in different criteria, the best alternative is to roll our own forum using CSS Grid.

Honest question: is there any coordinated responder effort to use RCE vulns like this one to patch the vuln and secure affected systems? Not asking just about this exploit in particular but about the entire world of 0day Internet RCE.

There exist 'Anti-worms' like Anti-Santy and Welchia [1] which patch vulnerable hosts. And I've heard of malicious viruses that patch their host simply to ensure they have that host to themselves.

However, this is unambiguously illegal under anti-hacking laws like CFAA [2] which introduces a variety of practical difficulties.

[1] https://en.wikipedia.org/wiki/Anti-worm

[2] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Thanks. I wonder if doing it under the control of a team like CERT could make it less illegal. Or, if there was a way for a company to publicly pre-authorize a non-prosecution agreement for 0day patch defense. Surprised I haven't seen more discussion about the idea.

I doubt there's any coordinated effort because of legal issues if nothing else, but there have absolutely been various people doing that over the years. Off the top of my head it's more popular with routers/IoT, where there have been people exploiting vulnerabilities in the name of both fixing them and just bricking the devices so that there are fewer vulnerable devices on the internet.

It would be easy to use the exploit to patch unpatched sites, rogue whitehat style...

What does the string "2dmfrb28nu3c6s9j" represent?

Man why would anyone install code like that.

It’s script you can just read it guys, everyone fights so hard for open source and no one bothers reading anything.

I once took over a Wordpress site and the prior dev told me that he just torrented the plugins.

It took me all of 15 minutes to find code injections appended to the bottom of the code files.

...but that wasn't the interesting part. Since it was a very popular SEO plugin, I actually took the extra time and reported the attack code to WordPress security scanners and the torrent site.

A month later I checked back and the plugin had been re-uploaded, but this time with the attack code heavily obfuscated and much more subtly hidden within the plugin.

...and this time when I reported it to the torrent site, the site admins banned me and actually IP blocked me.

tldr; The only open source code getting reviewed is heavily used stuff.

WordPress has commercial closed-source plug-ins available and one of the more popular ones happens to be a certain SEO plug-in. You're certain it wasn't a pirated copy of a closed-source plugin?

Pirated closed-source themes and plug-ins for WordPress are a very common source of malware on WP sites.

I think that's implied by the use of torrents. Bittorrent is not commonly used as the official distribution channel by professional wordpress plugin authors, I believe.

Wordpress is open source, but the plugins that people "null" and upload to a directory with write access usually aren't.

vBulletin is closed source commercial software, isn't it?

It's PHP, so you get the source if you're a paying customer (or find a warez'd copy), but I suspect the number of people looking through the source for vulnerabilities and not intending to keep their discoveries private is relatively low.

vBulletin is probably hundreds of thousands of lines of code. Nobody has time to "read the code" before installing it.

PHP is a public remote shell. Why is this in the news?

Ok thanks for your contribution.

Now where is my facebook dot com shell?

Facebook hasn't been running stock PHP for years. They wrote their own compiler

It's still PHP...
