... So anyone who looks at a codebase for eval would have found this. There is no doubt in my mind that when some people have claimed that this has been around for years... That it has definitely been around for years.
And as the fix is:
// comment out. idk what it breaks but it's a fix for now
//eval($code);
I don't think anyone even knows what the hell that eval was doing there in the first place.
Oh yes, brings back memories from when I worked on vBulletin customizations over a decade ago. No doubt it is a remnant of the early plugin features but also the hacks one had to employ with PHP before namespaces and a proper OOP structure was introduced. Eval in PHP was the go-to for sorting out versioning mishaps and adding a layer of abstraction when one didn’t exist. It was the Swiss Army knife of making difficult problems disappear, so it makes sense to me that they had a specific method for this. Between versions 4 & 5 of PHP, depending on whatever VHost was chosen, eval was necessary sometimes just to start migrating over to version 5, because you could if...then...rewrite your eval(“new code”).
vB has made heavy use of eval() for years; it’s used through the bbcode parser, template and plugin features. I haven’t dug into the vB5 code base much; my heavy use ended in the 4 range. But this hasn’t been the first time it’s been exploited, and I suspect won’t be the last. When 5 was released we were already turned off to vB and its overall direction and settled on sticking with v4 until Xenforo matured more (the creators of which were original developers/architects of vB 1, 2, 3).
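Added illustration, not vBulletin's code and not the quoted fix: the eval()-based template rendering the comments above describe, next to a placeholder renderer that needs no eval(). The `{$name}` template syntax and the variable names are assumptions made for this example.

```php
<?php
// Added illustration, not vBulletin's code. The template syntax ({$name}
// placeholders) and variable names are assumptions for this example.
//
// The legacy pattern this replaces wraps the template in a double-quoted PHP
// string and hands it to eval(), roughly:
//     eval('$output = "' . $template . '";');
// Under that pattern the template text *is* PHP source, so whoever can change
// template text (or anything concatenated into it) runs code on the server.

function render_template(string $template, array $vars): string
{
    // Only the narrow grammar {$identifier} is recognised; everything else in
    // the template is copied through as literal text.
    return preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return ''; // unknown placeholder: blank, never an error or code
            }
            // Values are HTML-escaped and are never re-scanned for placeholders,
            // so template-looking text inside a value stays inert.
            return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed sample input. Under the eval() pattern, "{$cfg->debug}" in the
// template would be evaluated as a property access; here it stays literal.
$template = '<h1>{$title}</h1><p>by {$author}</p><!-- {$cfg->debug} -->';
$vars = [
    'title'  => 'Hello "{$secret}"',
    'author' => '<b>alice</b>',
];

echo render_template($template, $vars), PHP_EOL;
```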
About 9 years ago I was working in ad operations for the owners of vBulletin (they were a large internet publisher). I had just read a basic book on Java to use the Dart API to automate a bunch of tasks with the remnant waterfall. I'd been at "hello world" a few months prior. I had never used PHP aside from installing Wordpress.
When I gave notice, I was asked if I'd like to work on vBulletin as an engineer.
I find it so weird that they call this a commenting system. It is a forum or message board. Last thing I would call it is a commenting system. Never heard anybody calling vBulletin a commenting system.
In 2019, people are confused at the idea of simply posting discussion without it being a little appendix to some piece of content (a YouTube video, a news article, a blog post).
When I last used it (years ago) there was a neat plugin that'd let you use it as a commenting system for a WordPress blog. Every blog post would get a new thread in a particular forum, and people could comment in both places.
I remember using or seeing something very similar for phpBB (a free software bulletin board web app). I think that kind of functionality existed for most extensible boards.
Yeah seems weird. Is there an embedded version (like uh, I think Quora does this) that you can use? I've only ever seen it in standalone message board/forum contexts.
No offense intended, but I really don't know how it's possible to write a forum with so many vulnerabilities. Forums aren't exactly rocket science. It's basic input validation and you're good to go. Many recent functions (in PHP) already sanitize input even if you forget. So things like parametrized SQL queries and browser same origin policies really help limit the attack surface.
I find it depressing that vBulletin has been getting hacked for so long that it's literally outlived several of the major vulnerability disclosure websites that have historically published exploits about it (like milw0rm -- still an amazing theme, btw.) Maybe PHP should throw warnings about eval and recommend an alternative function purely for expressions instead. In Python apparently eval evaluates expressions for a result and exec would do what PHP's eval would do instead. Something like that for PHP would be better than nothing.
> No offense intended, but I really don't know how it's possible to write a forum with so many vulnerabilities. Forums aren't exactly rocket science. It's basic input validation and you're good to go.
You are definitely very correct about that, for a simple forum with basically no extensibility. Bugs arise from the fact that vB is extremely customisable and has lots of points for extension, making its codebase very complex.
If the codebase is anything like drupal or joomla, it doesn't surprise me. Those old school php systems are textbook examples of spaghetti code and big ball of mud patterns.
I spun up a trial instance just for fun, and indeed, it's as easy and fool-proof as it sounds. This is something where someone can run some Google dorks for the right forum and throw results into a twenty-line script.
Interestingly enough, it appeared as though google somehow sanitized the dork proposed in the actual post to return few to no forums, at least when I checked this morning. Checking now from a different IP returns a lot more; very weird.
Also, why on God's green earth do devs put version numbers so obviously in the software? For instance, on my web servers, I always turn off version number and platform, so an attacker can't easily go hunt down vulns from scraping the web. It seems as though it would be wise to make no version numbers that easily accessible the default.
Version numbers can still be handed to people without having to appear in every single request.
It is a deterrent, and not a solution. But it does prevent the clouds of botnets from labeling you as definitely vulnerable and attacking you the moment a new 0-day gets purchased. The speed of attacks can outpace the speed of your upgrade process.
Security-in-depth should always be the way forward. This is just another tickbox you can use.
I'm not advocating for using it as a sole defense, I'm saying it can cut down on log noise and won't hurt. Relying on security by obscurity is stupid; reducing the amount of information available to an attacker is smart.
There's no good reason to accurately broadcast to the world what specific version you're running of anything, ever.
It's not advocating leaving your production systems to rot with ancient software because you've hidden the versions. You still need to stay vigilant. But the reality is, 0-days happen, and not all bugs being exploited are reported/fixed. Keep the version hidden, or hell, broadcast a completely different software/version altogether.
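As an added example (not code from the thread), the check the advice above implies: inspect a captured HTTP response for version-bearing headers and generator tags before exposing a server. The header names checked and the sample response are assumptions constructed for this example.

```php
<?php
// Added example, not from the thread: check a captured HTTP response (header
// block plus HTML body) for version or platform disclosure. The sample
// response below is constructed and is not any real site's output.

function find_version_disclosures(string $rawHeaders, string $body): array
{
    $findings = [];
    // Headers that commonly carry product/version strings (assumed list).
    $watched = ['server', 'x-powered-by', 'x-generator', 'x-aspnet-version'];

    foreach (preg_split('/\r?\n/', trim($rawHeaders)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = array_map('trim', explode(':', $line, 2));
        // Flag a watched header only when its value contains a version-like token.
        if (in_array(strtolower($name), $watched, true) && preg_match('/\d+\.\d+/', $value)) {
            $findings[] = "header {$name}: {$value}";
        }
    }

    // Many CMS/forum packages also emit <meta name="generator" content="Product 1.2">.
    if (preg_match('/<meta\s+name="generator"\s+content="([^"]*\d+\.\d+[^"]*)"/i', $body, $m)) {
        $findings[] = "meta generator: {$m[1]}";
    }
    return $findings;
}

// Constructed sample response.
$headers = "HTTP/1.1 200 OK\r\n"
         . "Server: Apache/2.4.0 (Unix)\r\n"
         . "X-Powered-By: PHP/7.3.0\r\n"
         . "Content-Type: text/html; charset=utf-8\r\n";
$body = '<html><head><meta name="generator" content="ExampleForum 5.4.3"></head></html>';

foreach (find_version_disclosures($headers, $body) as $finding) {
    echo $finding, PHP_EOL;
}

// Server-side remediation (real directive names): Apache "ServerTokens Prod"
// and "ServerSignature Off"; nginx "server_tokens off;"; php.ini
// "expose_php = Off"; and removing the generator tag in the application.
```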
As someone that has sold exploit code to various brokers in the past, I don't think Zerodium are making the internet a worse place. I forget the exact year but it was around 2004 - 2006 one of my friends reported a vuln to phpbb, they openly mocked her and downplayed the issue with no fix. She put together a professional looking report on how it works and submitted it privately to the product team, she was then ignored and banned from their IRC. She then published the exploit publicly and they sued her, they forced her ISP to take punitive action and they contacted her college to try and get her suspended.
Fuck reporting vulns, fuck open disclosure. Just sell what you find to brokers.
Chaouki Bekrar says there are three options:
1. Full disclosure so anyone/Govs can (ab)use it without limits/regulation
2. Sell to Govs/brokers and get a decent revenue while limiting (ab)use
3. Report to vendors & get sued, or get shitty bounties and/or your name in advisories
Cannot upvote this enough. Finding a vuln is one thing; the other thing is power structures, politics, and people's feelings in companies or OSS projects that are hit with that vuln.
Yeah, it should be a learning experience: fix it and get over it. But it is not easy if you have 3 people waiting for you to slip to get your position. Some others want to make money on writing a story about how bad your software is, even though it might not be your issue (VLC-bug story) because software is complicated. Good luck with explaining that it was not your fault...
> She then published the exploit publicly and they sued her
So you're saying that a bunch of volunteer open source developers collectively sued a security researcher? That sounds like it would have made for an epic Hacker News story. Do you have any documentation that this happened?
Look up ‘santy worm’ and the now defunct “howdark.com”. It never ended up in court; it went as far as lawyers' letters until they backed down. It wasn’t phpbb that sent the lawyers' letters, it was a business owner that used phpbb that was hit by the santy worm. The lawsuit would have likely gone nowhere but she still had to spend cash on her own lawyers; she was 19 at the time and did nothing more than a standard vuln disclosure to the community. This isn’t even an extreme case, there’s much worse.
I'm surprised it took this long to be found. Searching for shell_exec() and/or exec() in the source would be the first thing I'd do if looking for RCE.
The examples they gave are just that, examples. Someone actually searching would enter a term like "eval(" so as to find usage of that function, regardless of what the actual arguments were
On an unrelated note, does anyone else get the feeling that the vBulletin website looks similar to what a Microsoft Support scammer might refer you to in order to download Remote Desktop software?
Maybe Talkyard could be of interest — a bit like Discourse, but has HackerNews type threaded discussions and a basic Slack like chat: https://www.talkyard.io (I'm developing it).
Ooh I hadn't heard of Flarum yet; I'm going to try that one out.
As a user, Discourse forums have always felt bloated and slow. As a developer, I was shocked when I went to their installation documentation and saw it required 1 GB of RAM and 10 GB of disk space.
It depends on your criteria, but if you're looking for a well-supported, vBulletin-ish forum (focus on being a forum first-and-foremost, similar visual style, similar extensibility system) then XenForo is a very good candidate. If I didn't have a lot of time invested in my vBulletin setup (customization), I would go with them. For now, vBulletin works for me.
Honest question: is there any coordinated responder effort to use RCE vulns like this one to patch the vuln and secure affected systems? Not asking just about this exploit in particular but about the entire world of 0day Internet RCE.
There exist 'anti-worms' like Anti-Santy and Welchia [1] which patch vulnerable hosts. And I've heard of malicious viruses that patch their host simply to ensure they have that host to themselves.
However, this is unambiguously illegal under anti-hacking laws like CFAA [2] which introduces a variety of practical difficulties.
Thanks. I wonder if doing it under the control of a team like CERT could make it less illegal. Or, if there was a way for a company to publicly pre-authorize a non-prosecution agreement for 0day patch defense. Surprised I haven't seen more discussion about the idea.
I doubt there's any coordinated effort because of legal issues if nothing else, but there have absolutely been various people doing that over the years. Off the top of my head it's more popular with routers/IoT, where there have been people exploiting vulnerabilities in the name of both fixing them and just bricking the devices so that there are fewer vulnerable devices on the internet.
I once took over a Wordpress site and the prior dev told me that he just torrented the plugins.
It took me all of 15 minutes to find code injections appended to the bottom of the code files.
...but that wasn't the interesting part. Since it was a very popular SEO plugin, I actually took the extra time and reported the attack code to WordPress security scanners and the torrent site.
A month later I checked back and the plugin had been re-uploaded, but this time with the attack code heavily obfuscated and much more subtly hidden within the plugin.
...and this time when I reported it to the torrent site, the site admins banned me and actually IP blocked me.
tldr; The only open source code getting reviewed is heavily used stuff.
WordPress has commercial closed-source plug-ins available and one of the more popular ones happens to be a certain SEO plug-in. You're certain it wasn't a pirated copy of a closed-source plugin?
Pirated closed-source themes and plug-ins for WordPress are a very common source of malware on WP sites.
I think that's implied by the use of torrents. Bittorrent is not commonly used as the official distribution channel by professional wordpress plugin authors, I believe.
It's PHP, so you get the source if you're a paying customer (or find a warez'd copy), but I suspect the number of people looking through the source for vulnerabilities and not intending to keep their discoveries private is relatively low.