Information Security News mailing list archives

High-severity vulnerability in vBulletin is being actively exploited


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 26 Sep 2019 09:33:59 +0000 (UTC)

https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

By Dan Goodin
Ars Technica
9/25/2019

Attackers are mass-exploiting an anonymously disclosed vulnerability that makes
it possible to take control of servers running vBulletin, one of the Internet’s
most popular applications for website comments. Sites running the app should
take comments offline until administrators install a patch that vBulletin
developers released late Wednesday morning.

The vulnerability was disclosed through an 18-line exploit that was published on
Monday by an unidentified person. The exploit allows unauthenticated attackers
to remotely execute malicious code on just about any vBulletin server running
versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit
that some critics have described it as a back door.

“Essentially, any attack exploits a super simple command injection,” Ryan
Seguin, a research engineer at Tenable, told Ars. “An attacker sends the
payload, vBulletin then runs the command, and it responds back to the attacker
with whatever they asked for. If an attacker issues a shell command as part of
the injection, vBulletin will run Linux commands on its host with whatever user
permissions vBulletin's system-level user account has access to.” Seguin has
more in this technical analysis of the vulnerability.

According to researcher Troy Mursch of the Bad Packets security intelligence
service, attackers are using botnets to actively exploit vulnerable servers.
Some of the Web requests they send look like this:

[...]