Vbulletin widget template rce #13970
Conversation
I'll tag this with a CVE ID today, and also make sure that the folks at vBulletin know about it.
This all looks good to me, great use of AutoCheck! It's not every day we can actually exploit the vulnerability within the check method to determine its presence, so that's awesome.
The only request I have is around some style items. There are a few things caught by rubocop when running it on the module. I'm going to tag this as "needs-linting" and there will be some instructions that come along with that.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Made the requested changes
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Alright, thanks for that last commit! With that in place this looks good to land. I successfully tested the PHP meterpreter payload, the CMD payload with output using the default Thanks @Zenofex!
Release Notes: New module
Could you clarify where "CVE-2020-7373" added in 19618d9 is coming from? It seems https://nvd.nist.gov/vuln/detail/CVE-2020-17496 is used for this by MITRE. Thanks
Hi @cfi-gb -- this is from Rapid7's pool of CVE numbers we use to assign for research-based vulnerabilities in 3rd party products. It'll be updated in the next day or two on MITRE's side. (All unassigned CVEs will show as RESERVED by MITRE until they're populated downstream, which is why it might appear to be a MITRE thing right now.)
Thanks for the clarification. Then it seems two CVEs (CVE-2020-7373, which is currently in RESERVED state, and CVE-2020-17496, which is already published) got assigned for the very same vulnerability, and one might need to be rejected to avoid duplicates.
Well, heck. Thanks @cfi-gb. Do you know where CVE-2020-17496 came from? It was issued by MITRE, so I'm curious who the go-getter was who requested the number. :) In the meantime, I'll fix up the module to use that, rather than have two.
Unfortunately I don't know where the second is coming from; I hoped to get this info here :-) Ref for the change of the CVE to the one issued by MITRE: #13997
This pull request adds a vBulletin 5.x remote code execution module.
This module exploits a logic bug within the template rendering code of vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument, which causes the former template to load the latter, bypassing the filters originally put in place to address CVE-2019-16759. This also allows the exploit to reach an eval call with user input, allowing the module to achieve PHP remote code execution on the target.
This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux 19.04.
Verification
use exploit/multi/http/vbulletin_widget_template_rce
set RHOSTS [IP]
set VHOST [HOSTNAME]
set LHOST [IP]
set TARGETURI [PATH]
set PAYLOAD [PAYLOADNUM]
run
Example Output
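Added example, not code from this PR or from the Metasploit module: a Ruby request inspector for the request shape the description above names, the 'widget_tabbedcontainer_tab_panel' render being asked to load the 'widget_php' template. The endpoint path (/ajax/render/<template>), the parameter names in the constructed samples, and the idea that the render endpoint may be reached by GET as well as POST are assumptions taken from the public proof of concept, not from this page. It decodes percent-encoding in both the path and the parameters before matching, so an encoded template name does not slip past the check.

```ruby
# Added example, not code from this PR or the Metasploit module.
# Flags HTTP requests that ask the vBulletin 5.x widget_tabbedcontainer_tab_panel
# render endpoint to load the widget_php template, the nesting that reaches eval.
require 'uri'

# Assumption: the render endpoint lives under ajax/render/<template> relative to
# the forum root (taken from the public proof of concept, not from this PR).
RENDER_PATH      = '/ajax/render/widget_tabbedcontainer_tab_panel'.freeze
BLOCKED_TEMPLATE = 'widget_php'.freeze

Request = Struct.new(:method, :path, :body)

# Percent-decode a URL path without touching '+' (which is literal in a path).
def decode_path(path)
  path.to_s.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Decode form-encoded data into [key, value] pairs; '+' and %XX are decoded so
# widget%5Fphp is seen as widget_php. Data that is not ASCII form data is
# returned as one opaque value so it is still inspected rather than skipped.
def decode_form(data)
  URI.decode_www_form(data.to_s)
rescue ArgumentError
  [['', data.to_s]]
end

# Returns { method:, path:, params: } naming the parameters that reference
# widget_php, or nil when the request is not aimed at the vulnerable render
# path or does not mention the template. Both the query string and the body are
# inspected, so parameters carried in a GET URL are caught as well as a POST.
def widget_php_injection?(req)
  raw_path, query = req.path.to_s.split('?', 2)
  path = decode_path(raw_path)
  return nil unless path.end_with?(RENDER_PATH)

  pairs = decode_form(query) + decode_form(req.body)
  hits = pairs.select do |key, value|
    key.downcase.include?(BLOCKED_TEMPLATE) || value.downcase.include?(BLOCKED_TEMPLATE)
  end
  return nil if hits.empty?

  { method: req.method, path: path, params: hits.map(&:first) }
end

# Names of the samples the detector flags, in input order.
def flagged(samples)
  samples.select { |_, req| widget_php_injection?(req) }.keys
end

# Constructed sample traffic for this example (not captured from a real host).
# Parameter names follow the shape of the public proof of concept and are an
# assumption here; the forum may also sit under a prefix such as /forum.
SAMPLES = {
  plain:    Request.new('POST', '/forum/ajax/render/widget_tabbedcontainer_tab_panel',
                        'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20123%3B'),
  encoded:  Request.new('POST', '/ajax/render/widget%5Ftabbedcontainer_tab_panel',
                        'subWidgets%5B0%5D%5Btemplate%5D=widget%5Fphp&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=phpinfo()%3B'),
  in_query: Request.new('GET', '/ajax/render/widget_tabbedcontainer_tab_panel?subWidgets[0][template]=widget_php', ''),
  benign:   Request.new('POST', '/ajax/render/widget_tabbedcontainer_tab_panel',
                        'subWidgets[0][template]=widget_text&subWidgets[0][config][text]=hello')
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, req|
    verdict = widget_php_injection?(req)
    puts "#{name}: #{verdict ? "FLAGGED #{verdict[:params].join(', ')}" : 'ok'}"
  end
end
```

Running the file prints one line per constructed sample; the three that name widget_php on the render path are flagged and the benign widget_text render is not. This is a request-shape signal for logs or a WAF, not a fix: the filters added for CVE-2019-16759 were themselves bypassed through template nesting, so a name match at the edge is a detection aid alongside the vendor patch, not a substitute for it.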