09-09-2013, 01:34 PM
vBulletin Vulnerability, Versions 4.1 to 5+
So, a week or so ago a neat friend of mine let me know that there was an undisclosed vulnerability for versions 4.1 to 5+ of vBulletin. I was aware vBulletin's site had been compromised recently, so it's likely this is the exploit that was used. Initially, when I went to take a look at the upgrade system (since I was told that was the location of the vulnerability), I realized that the MD5 of the customer number was shown in the page's source. I thought that this wasn't all that high-risk, since you'd need to crack it. But no, I was wrong. My plan was to keep quiet about it, but I decided I'd make a post about it with all the scripts floating around now. It's better to understand. Below, I'll explain how the vulnerability can be exploited and show what can be done.

Issue: The MD5 of a board's customer number is revealed. This can then be used to make certain modifications to the board using the upgrade system.
Solution: Remove the /install/upgrade/ directory until a patch is released, or prevent disclosure of the MD5.
Fire the cannons!
[Adding an administrator account to a preexisting vBulletin forum.]
Preliminary Steps
Let's find a target. We'll pretend that 0day.red is using vBulletin version 4.2.0.
In this case, you'd want to go here:
If 0day.red was using version 5 or higher, the page would be under /core/.
The Upgrade Page
Now that we're on the upgrade page (/install/upgrade.php), it should ask for the customer number. We don't have the customer number, but there's something else we can do instead. What we want to do is examine the page source.
It's Not Plaintext!
Unfortunately, it's hashed, so you can't just paste it into the page and click the button. We're going to have to POST the customer number and other information in order to gain access. I recommend that you use cURL to accomplish things quickly, which is what I would use if I were an attacker. You could also use browser plugins if you want to be a slowpoke.
Using cURL To Break Things
Here's an example POST request in cURL...
POSTing
You can use the example POST request and modify it. The values that you will probably want to modify are:
- bbcustomerid=[This is the hashed customer number.]
- customerid=[This is the hashed customer number.]
- htmldata[username]=[This is the username of the account you want to make.]
- htmldata[password]=[This is the password you want to use.]
- htmldata[confirmpassword]=[This is the password you want to use. Confirm it.]
- htmldata[email]=[This is the email you want to use. You don't need access to it.]
Done!
Enjoy! Simply log in and you should be an administrator. Note that vBulletin's default ACP directory is /admincp/ and that you will normally find a link to the admin panel on the index. Now you can modify the board and stuff like that. If you want to execute PHP, I'd recommend modifying/adding plugins to do so.
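From the board owner's side, the steps above leave a clear trail in the web server log: a GET of the upgrade script (where the hashed customer number is exposed in the page source) followed by a POST to the same script from the same client. The following detector is an added example, not code from the post; it parses constructed Apache combined-format log lines (the IPs, paths and timestamps are made up) and flags any request to /install/upgrade.php or /core/install/upgrade.php, rating POSTs as high severity.

```python
import re

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2013:13:34:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Sep/2013:13:34:05 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Sep/2013:13:34:09 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 874 "-" "curl/7.29.0"
198.51.100.4 - - [09/Sep/2013:13:40:00 +0000] "POST /forum/core/install/upgrade.php HTTP/1.1" 200 874 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Sep/2013:13:41:00 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Upgrade script for vBulletin 4.x (/install/upgrade.php) and 5.x (/core/install/upgrade.php).
UPGRADE_RE = re.compile(r'(^|/)(core/)?install/upgrade\.php$')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upgrade_requests(log_text):
    """Return every request to the upgrade script. A GET exposes the hashed
    customer number in the page source; a POST is the account-creation step,
    so POSTs are rated high and GETs medium."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if UPGRADE_RE.search(path):
            rec["severity"] = "high" if rec["method"] == "POST" else "medium"
            hits.append(rec)
    return hits


def posting_clients(log_text):
    """Set of client IPs that POSTed to the upgrade script; these are the
    accounts to check for unexpected administrators in the ACP."""
    return {h["ip"] for h in find_upgrade_requests(log_text) if h["method"] == "POST"}


if __name__ == "__main__":
    for h in find_upgrade_requests(SAMPLE_LOG):
        print(h["severity"], h["ip"], h["method"], h["path"])
```

Any hit at all on a production board means the /install/ directory is still reachable and should be removed, as the solution at the top of the post says.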
Other Information
[Some information about scripts and stuff.]
Scripts, Scripts, Scripts!
You might want to use a script if you don't have a clue what you're doing, don't want to, and just want to break things. My suggestion, of course, is that you read the tutorial first. If you already understand, but want to break lots of things, a script might be a good idea as well.
Credits to my friend, who I assume wants to remain nameless.