Vulnerability in vBulletin grants website admin privileges


Roughly 35,000 websites running the proprietary internet message board software vBulletin have been compromised by attackers exploiting a vulnerability that the forum software's developers addressed quietly at the end of August.

The vBulletin team has not disclosed the root cause of the vulnerability; in late August a tech support lead recommended only that site owners delete the leftover install directories (“/install/” on 4.X and “/core/install” on 5.X). Data security company Imperva, however, investigated the attacks and made a few discoveries.

“The vulnerability [we] found allows any attacker, even a simple attacker, to send a message to a vBulletin website and the effect of that attack is that the website now has a new admin account,” Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Wednesday.

Once attackers control an admin account they can do whatever they want, Shteiman said, explaining that he has seen affected sites – some of them belonging to Fortune 1000 companies – defaced, injected with malware and drive-by download code, joined into botnets, and used as hijacked zombie servers.

“You can't get higher than admin on any system,” Shteiman said, explaining that the severity of the attack is amplified because the process has been packaged into a couple of point-and-click tools. The tools can be downloaded from hacker forums and launched at the press of a button, and they even have a clean user interface.

The first tool creates an administrator named Th3H4ck, Shteiman said, explaining that roughly 30,000 websites were compromised in this initial form of the attack. The creator of the second tool – said to be a researcher known on Twitter as @docindetectable – went the sneaky route in having the tool create a less suspicious administrator, named “supportvb,” which has affected roughly 5,000 sites.
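The article gives two concrete handles a site operator can act on: the support lead's advice to remove the leftover install directories, and the two administrator usernames the public tools were reported to create. The script below is an added example (not Imperva's or vBulletin's code) that turns both into checks: it probes whether a site still answers for the install paths, and it audits a set of user rows for administrator accounts that match the reported names or were created after the site was patched. The HTTP fetcher is injected as a callable so the checks run offline against a fake; the user rows, the patch date and the column names (userid, username, usergroupid, joindate, with administrators in usergroupid 6) are constructed assumptions for the example rather than facts from the article.

```python
"""Post-advisory checks for a vBulletin site (added example, not vendor code).

1. exposed_install_dirs(): does the site still serve the install directories
   that vBulletin support told admins to delete?
2. suspicious_admins(): are there admin accounts named like the ones the two
   public tools create, or any admin created after the patch date?

All sample data below is constructed for the example.
"""
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Mapping, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Paths named in the vBulletin support post: 4.X ships /install/, 5.X /core/install/.
INSTALL_PATHS = ("/install/", "/core/install/")

# Admin usernames the two tools were reported to create (compared case-insensitively).
KNOWN_ROGUE_ADMINS = frozenset({"th3h4ck", "supportvb"})

# Assumption: vBulletin's default 'Administrators' usergroup id.
ADMIN_USERGROUP_ID = 6

# Assumption: the date the site applied the fix; the article only says "end of August".
PATCHED_AT = int(datetime(2013, 8, 28, tzinfo=timezone.utc).timestamp())


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: HTTP status of a GET (redirects followed), 0 on network failure."""
    try:
        req = Request(url, headers={"User-Agent": "vb-install-check"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:  # must precede URLError, which it subclasses
        return err.code
    except URLError:
        return 0


def fake_fetch(url: str) -> int:
    """Constructed stand-in for http_status: only the 5.X path is still exposed."""
    return 200 if url.endswith("/core/install/") else 404


def exposed_install_dirs(base_url: str,
                         fetch: Callable[[str], int] = http_status) -> List[str]:
    """Return the install paths that still answer with a 2xx status."""
    exposed = []
    for path in INSTALL_PATHS:
        if 200 <= fetch(urljoin(base_url, path)) < 300:
            exposed.append(path)
    return exposed


def suspicious_admins(users: Iterable[Mapping], patched_at: int) -> List[Tuple[str, List[str]]]:
    """Flag admin rows by known rogue name or by creation after the patch date."""
    flagged = []
    for row in users:
        if int(row["usergroupid"]) != ADMIN_USERGROUP_ID:
            continue  # only administrator accounts matter here
        reasons = []
        if row["username"].lower() in KNOWN_ROGUE_ADMINS:
            reasons.append("username matches a tool-created admin")
        if int(row["joindate"]) >= patched_at:
            reasons.append("admin created on or after the patch date")
        if reasons:
            flagged.append((row["username"], reasons))
    return flagged


# Constructed sample of the vBulletin `user` table (assumed column names).
SAMPLE_USERS = [
    {"userid": 1,    "username": "siteowner", "usergroupid": 6, "joindate": 1200000000},
    {"userid": 4821, "username": "Th3H4ck",   "usergroupid": 6, "joindate": PATCHED_AT + 3 * 86400},
    {"userid": 4822, "username": "supportvb", "usergroupid": 6, "joindate": PATCHED_AT - 86400},
    {"userid": 77,   "username": "regular",   "usergroupid": 2, "joindate": PATCHED_AT + 86400},
]


if __name__ == "__main__":
    # Offline demo; replace fake_fetch with http_status to probe a real site you own.
    print("exposed:", exposed_install_dirs("https://forum.example/", fake_fetch))
    for name, why in suspicious_admins(SAMPLE_USERS, PATCHED_AT):
        print(f"{name}: {'; '.join(why)}")
```

An account that merely matches one of the two names is worth deleting, but the second rule is the one that catches a renamed variant: any administrator created after the fix went in should be explained by someone on staff.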

Shteiman said he was able to find out which sites were affected using simple Google searches, which, incidentally, is the same way attackers were able to discover what sites were vulnerable. The popular search engine can locate keywords in websites, so all the attackers needed to do was look up identifiers for vulnerable versions of vBulletin.

Shteiman said the attacker likely drove the Google searches from a botnet, given how long it would take a single user to run searches for more than 30,000 vulnerable websites; a lone searcher would probably grab 10 to 50 sites before Google's anti-automation feature presented a CAPTCHA asking the user to prove they are human.

“If you're using third-party software that you haven't written in-house, make sure you constantly check for updates and security issues,” Shteiman said, adding this application security problem is not being addressed with the sense of urgency it deserves. “I expect a vendor to come out and tell its customers, 'We have a major vulnerability.'”
