An anonymous hacker publicly disclosed an unpatched vBulletin forum software pre-auth RCE Zero-day Exploit.
vBulletin is one of the most popular and widely used forum software which is written in PHP, and the new version of vBulletin software release just 20 days ago.
According to the Exploit writer who has posted in the exploit code in online said “This should work on all versions from 5.0.0 till 5.5.4”
It’s unclear why the researcher discloses the exploit in public instead of reporting to the vBulletin team, and if he did this, the researcher would have to make up to $10000 as a bug bounty reward since the exploitable RCE vulnerability belongs to “Critical” severity category.
GBHackers Team analyzed the code and confirmed that the vulnerability allows attackers to execute a remote command via widgetConfig[code] parameter and inject the shellcode in the forum server where the vBulletin installation package resides.
The disclosed exploit code takes advantage of the vulnerability that existing up to vBulletin 5.4 version due to improper validation in “ajax/render/widget_php” during the time of processing data through “widgetConfig[code]” HTTP POST parameter. you can have a look at the following python script published by the researcher online.
An attacker doesn’t need to have an account on the forum that used vBulletin software version 5.4 and below to exploit the vulnerability, and the attacker can send a specially crafted HTTP POST request to execute the arbitrary code in the targeted forum.
The researcher called this vulnerability as “pre-auth Remote code execution” which is categorized as a critical severity, and the successful exploit this vulnerability may result in the complete compromise of a vulnerable system remotely.
There are very few percentages (less than 1 %) of the total website on the internet used the vBulletin forum software, but there are millions of users who have registered in the forum are now affected.
There is no patch published yet, We may expect the vBulletin team fix the vulnerability and release the patch soon.
Stay tuned, we will update here once we get the patch update.