A couple of weeks ago vBulletin — currently the sixth largest CMS platform — released an exploit alert for 4.1+ and 5+ users, letting them know about a vulnerability that allows unrestricted external access to the ‘/install/’ directory. Coming on the heels of this announcement were several attack reports from vBulletin users, which described how this vulnerability was abused for website hijacking.
Like many other zero-day vectors, this one quickly appeared on our radar when it was used to attack one of our clients' websites. The threat was soon mitigated, and the newly gathered attack data was turned into a security patch, making all of our clients immune to similar attacks.
The somewhat naïve nature of this vulnerability makes it a story worth sharing, as it serves as a good reminder of how small and unassuming loopholes can lead to very severe security scenarios.
Anatomy of the Attack
Here’s how attackers exploit this vulnerability:
- Access ‘/install/upgrade.php’ on the target forum.
- Recover the hashed CUSTNUMBER ID, which appears in the HTML source of that page.
- Decode the CUSTNUMBER and use it to inject a new admin user into the forum.
By executing these steps, an attacker can gain full administrative privileges which can be used to hijack the forum, modify its settings, deface it, delete its content and more.
The conveniently exposed CUSTNUMBER is what makes this vulnerability so easy to exploit. The customer number is hashed, but printing the hash in the source of a publicly reachable page is just bad form: a single hash is one barrier, and one the attacker can work on at leisure. Security is often a war of attrition, and the idea is to raise multiple barriers, not to offer attackers the path of least resistance.
Are You Already Compromised?
Since it was publicly announced, the vulnerability has already been exploited by a few quick-to-act hackers, including Th3H4ck, who compromised hundreds of forums and was also involved in the attack on one of our clients. Googling ‘Th3H4ck’ will reveal the full list of the hacker's targets, as the same username was reused across multiple attacks. Still, the easiest way to determine whether your forum was affected is to check your Admin Logs for any sign of suspicious activity, such as admin accounts you did not create.
[Screenshot caption: Blocked by Incapsula security rules]
Methods of Mitigation
The vulnerability can be mitigated by simply deleting the ‘/install/’ folder (or moving it outside the web root), which should never have remained there after installation in the first place. As mentioned, the Incapsula WAF was patched to defend against this exploit, so our customers are protected and don't need to take any further action.
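The two checks a forum owner would want to run, as an added example that is not part of the original post or of vBulletin itself: probe the live site to see whether ‘/install/upgrade.php’ still answers, and, if the directory is still under the web root, move it out of reach. The web root path, site URL and backup directory are arguments supplied by the reader; nothing here is a vBulletin API.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify that a vBulletin
# install no longer exposes /install/ and quarantine the directory if it does.
# Assumptions: the first argument is the forum's web root (e.g. /var/www/forum),
# the second its public base URL, the third a directory outside the web root.
set -euo pipefail

# Return 0 (true) when the install directory is still present under the web root.
install_dir_present() {
  local docroot="$1"
  [ -d "$docroot/install" ]
}

# Probe the live site. An HTTP 200 for /install/upgrade.php means the
# vulnerable script is still reachable from the outside; anything else
# (403, 404, connection refused) is treated as not exposed.
install_dir_exposed() {
  local site_url="$1"
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' "$site_url/install/upgrade.php" || echo 000)
  [ "$code" = "200" ]
}

# Move /install/ out of the web root instead of deleting it, so the scripts
# stay available for a future upgrade but cannot be served by the web server.
# Prints the backup location; prints nothing if the directory was already gone.
quarantine_install_dir() {
  local docroot="$1" backup_root="$2"
  local dest
  dest="$backup_root/vb-install-$(date +%Y%m%d%H%M%S)"
  if [ -d "$docroot/install" ]; then
    mv "$docroot/install" "$dest"
    echo "$dest"
  fi
}

# Run both checks and fix the local side. Exits non-zero if the directory
# is still reachable afterwards (e.g. served from a different document root).
run_checks() {
  local docroot="$1" site_url="$2" backup_root="$3"
  if install_dir_present "$docroot"; then
    echo "install/ found under $docroot, moving it to: $(quarantine_install_dir "$docroot" "$backup_root")"
  else
    echo "install/ not present under $docroot"
  fi
  if install_dir_exposed "$site_url"; then
    echo "WARNING: $site_url/install/upgrade.php still returns 200" >&2
    return 1
  fi
  echo "$site_url/install/upgrade.php is not reachable"
}
```

Usage: save the script, then `source vb_install_check.sh && run_checks /var/www/forum https://forum.example.com /var/backups`. Moving the directory rather than deleting it is a deliberate choice: it achieves the same result (the web server can no longer serve it) while keeping the upgrade scripts for the next release, and the HTTP probe catches the case where a copy is still served from somewhere other than the path you cleaned up.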
Although traditionally a WAF feature, we extended this protection to all Incapsula users, as we often do with known zero-day vulnerabilities.