CVE-2020-17496 - vBulletin RCE vulnerability actively being exploited in the wild

September 25, 2020

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recent remote code execution vulnerability reported in vBulletin. vBulletin is a popular forum software package used by about 20,000 websites. It is written in PHP and uses the MySQL database.

CVE-2020-17496 | Vulnerability:

A remote code execution vulnerability has been reported in vBulletin. The vulnerability is due to improper validation of subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. It is a bypass of CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin disclosed in September 2019. In that earlier flaw, an attacker sends a crafted ajax request naming the template widget_php, with malicious code placed in the parameter widgetConfig['code'], and the render engine executes the code in the request. It was fixed by checking the template name: if the name is widget_php, the engine will not render the requested template. Since widget_php was the only template that could be used for PHP code execution, that check was enough to close the original flaw. In the latest bypass, the tabbedcontainer_tab_panel template widget is found to be capable of loading a user-controlled child template, effectively bypassing the patch for CVE-2019-16759.

Exploit:

In the captured POST request (not reproduced here), the child template name is widget_php and the malicious code is passed through subWidgets elements, allowing remote code execution.

A remote, unauthenticated attacker could exploit this vulnerability by sending such a crafted request to the vulnerable server. Successful exploitation could result in remote code execution.
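As an added example (not code from the SonicWall advisory or from vBulletin itself), the following Python helper classifies web-server requests against the two patterns the advisory describes: a direct widget_php render carrying widgetConfig[code] (CVE-2019-16759), and a widget_tabbedcontainer_tab_panel render whose subWidgets data names widget_php as a child template (CVE-2020-17496). It assumes a constructed tab-separated METHOD, PATH, BODY log format; the sample lines and the REDACTED_PLACEHOLDER value are constructed. The check keys on template names found in the path, query string and form body, never on the payload, so it does not depend on how any code in the request is encoded.

```python
"""Flag vBulletin ajax/render requests matching the advisory's two patterns.

Added example for log review; assumes a constructed 'METHOD\\tPATH\\tBODY'
line format. Template names come from the advisory text.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

PHP_TEMPLATE = "widget_php"
CONTAINER_TEMPLATE = "widget_tabbedcontainer_tab_panel"

# Template name is the last path segment after /ajax/render/.
RENDER_RE = re.compile(r"/ajax/render/([a-z0-9_]+)", re.IGNORECASE)


def _params(path: str, body: str) -> Dict[str, List[str]]:
    """Merge query-string and form-body parameters, lower-casing keys so
    that case variations in parameter names do not slip past the check."""
    merged: Dict[str, List[str]] = {}
    for raw in (urlsplit(path).query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(values)
    return merged


def classify_render_request(path: str, body: str = "") -> Optional[str]:
    """Return "CVE-2019-16759", "CVE-2020-17496", or None for a request."""
    match = RENDER_RE.search(urlsplit(path).path)
    if not match:
        return None  # not a template render request at all
    template = match.group(1).lower()
    params = _params(path, body)

    if template == PHP_TEMPLATE:
        # Original flaw: code supplied via widgetConfig[code] to widget_php.
        if any(k.startswith("widgetconfig[") and k.endswith("[code]") for k in params):
            return "CVE-2019-16759"
        return None

    if template == CONTAINER_TEMPLATE:
        # Bypass: the container loads a child template named in subWidgets.
        # Keying on the child template name avoids chasing payload encodings.
        for key, values in params.items():
            if key.startswith("subwidgets[") and any(
                v.strip().lower() == PHP_TEMPLATE for v in values
            ):
                return "CVE-2020-17496"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan tab-separated METHOD/PATH/BODY lines; return (line_no, label) hits."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 2:
            continue  # malformed line, skip rather than guess
        path = parts[1]
        body = parts[2] if len(parts) > 2 else ""
        label = classify_render_request(path, body)
        if label:
            hits.append((n, label))
    return hits


# Constructed sample log: two suspicious requests, two benign ones.
SAMPLE_LOG = [
    "POST\t/ajax/render/widget_tabbedcontainer_tab_panel\tsubWidgets[0][template]=widget_php",
    "POST\t/ajax/render/widget_php\twidgetConfig[code]=REDACTED_PLACEHOLDER",
    "GET\t/ajax/render/widget_tabbedcontainer_tab_panel\t",
    "POST\t/forum/index.php\tq=hello",
]

if __name__ == "__main__":
    for line_no, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {label}")
```

A hit on either label is a reason to check the forum's vBulletin version against the advisory's affected range and to look for follow-on activity from the same client; a clean scan is not proof of safety, since this only covers the request shapes named above.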

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution

Affected Products:

All vBulletin versions prior to 5.6.x are affected by this vulnerability. Users should upgrade to a patched version as soon as possible.