Vulnerability in vBulletin grants website admin privileges


Roughly 35,000 websites that use the proprietary internet message board software vBulletin have been compromised by attackers who took advantage of a vulnerability addressed quietly by the forum software's technical team at the end of August.

The root cause of the vulnerability has not been disclosed by the vBulletin team – a tech support lead recommended in late August that users delete the “4.X - /install/” and “5.X - /core/install” install directories – but data security company Imperva conducted research and made a few discoveries.

“The vulnerability [we] found allows any attacker, even a simple attacker, to send a message to a vBulletin website and the effect of that attack is that the website now has a new admin account,” Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Wednesday.

Once a user has control of an admin account they can do whatever they want, Shteiman said, explaining he has seen affected sites – some of them belonging to Fortune 1000 companies – that have been defaced, injected with malware, used to serve drive-by malware, joined into botnets, and used as hijacked zombie servers.

“You can't get higher than admin on any system,” Shteiman said, explaining that the severity of the attack is amplified because the process has been simplified into a couple of tools. These malicious virtual instruments can be downloaded via hacker forums and activated at the press of a button, and the tools even have a clean user interface.

The first tool creates an administrator named Th3H4ck, Shteiman said, explaining that roughly 30,000 websites were compromised in this initial form of the attack. The creator of the second tool – said to be a researcher known on Twitter as @docindetectable – went the sneaky route in having the tool create a less suspicious administrator, named “supportvb,” which has affected roughly 5,000 sites.
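The vendor advice reported above (delete the "4.X - /install/" and "5.X - /core/install" directories) and the two administrator names the article attributes to the attack tools both translate into simple checks a site owner can run. The following script is an added example written for this article; it is not code from vBulletin, Imperva or the article. It assumes a 4.x web root carries an `install/` directory and a 5.x web root carries `core/install/`, as in the quoted advice, and that the forum's administrator list has been exported as plain records with `username`, `is_admin` and `joindate` fields (the export format is assumed, not taken from vBulletin).

```python
# Added example (not from vBulletin, Imperva or the article): two defender-side checks.
# 1) Does a vBulletin web root still contain the install directory the vendor told users to delete?
# 2) Does the administrator list contain an account matching the names the article reports,
#    or one that appeared after the site was last audited?
# Assumptions: 4.x web root has "install/", 5.x web root has "core/install/" (from the quoted advice);
# admin records are dicts with keys "username", "is_admin" and "joindate" (a datetime) -
# an assumed export format, not vBulletin's own schema.
import os
import tempfile
from datetime import datetime, timezone

# Directory names from the vendor advice quoted in the article, relative to the web root.
INSTALL_DIRS = ("install", os.path.join("core", "install"))

# Administrator names the article says the two attack tools create; compared case-insensitively.
KNOWN_ROGUE_ADMINS = {"th3h4ck", "supportvb"}


def leftover_install_dirs(webroot):
    """Return install directories still present under webroot.
    An empty list means the recommended cleanup has been done."""
    return [d for d in INSTALL_DIRS if os.path.isdir(os.path.join(webroot, d))]


def suspicious_admins(accounts, baseline):
    """Return (username, reason) for every admin account that matches a known rogue name
    or was created after `baseline`, the time of the last known-good admin audit."""
    findings = []
    for acct in accounts:
        if not acct.get("is_admin"):
            continue
        name = acct["username"]
        if name.lower() in KNOWN_ROGUE_ADMINS:
            findings.append((name, "matches an admin name reported for the vBulletin attack tools"))
        elif acct["joindate"] > baseline:
            findings.append((name, "admin account created after the last audit"))
    return findings


def demo():
    """Run both checks against a constructed web root and a constructed admin list."""
    # Constructed 5.x-style web root with core/install/ left in place.
    webroot = tempfile.mkdtemp(prefix="vb_demo_")
    os.makedirs(os.path.join(webroot, "core", "install"))
    os.makedirs(os.path.join(webroot, "core", "includes"))

    # Constructed admin records; names and dates are illustrative only.
    baseline = datetime(2013, 8, 1, tzinfo=timezone.utc)
    accounts = [
        {"username": "site_owner", "is_admin": True, "joindate": datetime(2011, 3, 4, tzinfo=timezone.utc)},
        {"username": "moderator1", "is_admin": False, "joindate": datetime(2013, 9, 2, tzinfo=timezone.utc)},
        {"username": "supportvb", "is_admin": True, "joindate": datetime(2013, 9, 3, tzinfo=timezone.utc)},
        {"username": "newhire", "is_admin": True, "joindate": datetime(2013, 9, 10, tzinfo=timezone.utc)},
    ]

    dirs = leftover_install_dirs(webroot)
    admins = suspicious_admins(accounts, baseline)
    for d in dirs:
        print("install directory still present, delete it:", os.path.join(webroot, d))
    for name, reason in admins:
        print("review admin account %r: %s" % (name, reason))
    return dirs, admins


if __name__ == "__main__":
    demo()
```

The second check deliberately flags every administrator created after the baseline, not only the two reported names: a tool author can rename the account it creates, so the durable signal is an admin account nobody on the team added.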

Shteiman said he was able to find out which sites were affected using simple Google searches, which, incidentally, is the same way attackers were able to discover what sites were vulnerable. The popular search engine can locate keywords in websites, so all the attackers needed to do was look up identifiers for vulnerable versions of vBulletin.

Shteiman said the hacker likely searched Google using a botnet because of how long it would take a user to conduct searches for more than 30,000 vulnerable websites, adding the attacker would probably be able to grab 10 to 50 websites before Google's security feature popped up with a CAPTCHA asking the user to prove they are human.

“If you're using third-party software that you haven't written in-house, make sure you constantly check for updates and security issues,” Shteiman said, adding this application security problem is not being addressed with the sense of urgency it deserves. “I expect a vendor to come out and tell its customers, 'We have a major vulnerability.'”
