New critical zero-day pre-auth RCE exploit code published on Full Disclosure mailing list for 5.x versions of vBulletin (CVE-2019-16759).
Background
A preauthentication remote code execution (RCE) zero-day exploit was recently disclosed anonymously for vBulletin 5.x. This zero-day does not seem to have followed coordinated disclosure procedures and we have not yet seen a response from vBulletin on this vulnerability.
Analysis
Tenable Research has analyzed and confirmed that this exploit works on default configurations of vBulletin. Based on the public PoC, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.
Proof of concept
The published exploit code returns its successful execution in a JSON formatted response.
Solution
At the time of publication, this vulnerability remains a zero-day without an official mitigation or fix. Tenable does, however, expect vBulletin to respond with an advisory or patch soon.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.