
[CRITICAL] A new vBulletin5 pre-auth zero-day RCE exploit has been released.


  • [CRITICAL] A new vBulletin5 pre-auth zero-day RCE exploit has been released.

    I was solving a wargame quest (CTF) when someone hacked the "" site.
    So I started responding to the hacking in real time and monitoring their techniques.
    It was immediately apparent that the technique he used was a zero-day that had been unveiled three hours earlier.
    It was exactly the zero-day exploit released on August 9th, 2020.
    Is the Black Hat conference on right now?
    Looking at the date, I suspect that it was released at the Black Hat conference.
    Attackers deleted my site's database and requested bitcoin.
    If I were you, I wouldn't have stopped the site.
    So you were immediately found.

    [Explanation of technical terms for Korean readers]
    "pre-auth" does not mean "prior authentication"; it means "without authenticating".
    Since "pre" comes before "auth", it seems to be used in the sense of "preceding authentication".
    Simply put, in Korean terms you can take it to mean a vulnerability that works without logging in.
    I added this note because, read the Korean way, it ends up meaning exactly the opposite.


    This link and the PPT are a technical write-up from the hacker who published the zero-day.
    Download: vbulletin_Exploiting_vBulletin_5.6.2_A_Tale_of_a_P
    This vulnerability has appeared before, but since it wasn't patched properly, the zero-day came back.

    [Image: mysql_hacking.png]

    I didn't have the money, so I stopped the Amazon AWS EC2 web server a week ago and migrated it to my home server.
    The hacked website was running in Docker on a server at home.
    The server at home was broken; when I checked it, it had been hacked, and the hackers asked me for bitcoins.
    I decided to abandon the restore and restart the Amazon AWS EC2 web server.
    As soon as it was turned on, the hack came in again.

    I checked the webshell about 3-5 minutes after the attack started and immediately deleted it.
    They called themselves
    The password for the webshell is "".
    Are there any reasons government hackers should hack me?
    I'm a beggar right now.
    (I don't even have the money to run an Amazon AWS EC2 server.)
    They seem to be proud of themselves.
    This vulnerability looks very dangerous.
    Everyone, be careful.
    It's surprising that there are hackers these days threatening online beggars and asking for bitcoins.

    [Image: zeroday-3.png]

    [Image: zeroday-1.png]

    curl -s -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();'
    curl -s -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=passthru("ls");'

    This is the current vBulletin5 maker's forum site.
    They just closed the door.

    [Image: mysql_hacking3.png]

    Thanks for hacking this "" site.
    Thanks to you, I can write a security research article.
    Thank you for motivating me to write one more security article.
    I am lazy and cannot respond quickly to these security issues.
    Because of this site hacking, I came into contact with the security issue faster than others.

    Thanks for hacking.
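The two curl payloads in the post share one shape: a subWidgets entry whose template is set to widget_php and whose config code carries PHP source. That shape is what a defender can match in POST bodies recorded by a web server or WAF. The detector below is an added example, not code from the post or from vBulletin; the sample request bodies and client addresses are constructed, and it assumes the raw form-encoded bodies are available for inspection.

```python
import re
from urllib.parse import unquote_plus

# Parameter keys used by the payload shape shown in the post:
# subWidgets[N][template] selecting widget_php, and
# subWidgets[N][config][code] carrying the PHP source to render.
TEMPLATE_KEY = re.compile(r"^subWidgets\[(\d+)\]\[template\]$")
CODE_KEY = re.compile(r"^subWidgets\[(\d+)\]\[config\]\[code\]$")


def parse_form(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into {key: [values]}.

    Keys and values are percent-decoded, so a URL-encoded copy of the
    payload is matched the same way as the plain one.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_body(body: str) -> list:
    """Return one finding per subWidgets index that selects widget_php."""
    params = parse_form(body)
    templates, codes = {}, {}
    for key, values in params.items():
        m = TEMPLATE_KEY.match(key)
        if m:
            templates[m.group(1)] = values
        m = CODE_KEY.match(key)
        if m:
            codes[m.group(1)] = values
    findings = []
    for idx, values in templates.items():
        if any(v == "widget_php" for v in values):
            # Record the submitted PHP (empty if the code key is absent).
            findings.append({"index": idx, "code": codes.get(idx, [""])[0]})
    return findings


# Constructed sample (client, POST body) pairs; not captured from the post's server.
SAMPLE_BODIES = [
    ("203.0.113.10",
     "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();"),
    ("203.0.113.10",
     "subWidgets%5B0%5D%5Btemplate%5D=widget_php"
     "&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=passthru%28%22ls%22%29%3B"),
    ("198.51.100.7",
     "subWidgets[0][template]=widget_text&subWidgets[0][config][text]=hello"),
    ("198.51.100.7", "pageid=1&nodeid=2"),
]


def scan(bodies) -> list:
    """Return (client, subWidgets index, code) for every matching request."""
    alerts = []
    for client, body in bodies:
        for f in inspect_body(body):
            alerts.append((client, f["index"], f["code"]))
    return alerts


if __name__ == "__main__":
    for client, idx, code in scan(SAMPLE_BODIES):
        print(f"ALERT client={client} subWidgets[{idx}] renders widget_php; code={code!r}")
```

Only the two requests that select widget_php are reported; the ordinary widget_text render and the unrelated form post are ignored, so the rule keys on the rendering template rather than on the presence of subWidgets alone.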

  • #2
    A security patch was released an hour ago by the vBulletin5 manufacturer.

    [Image: security_patch.png]