OpenSUSE forums hack raises vBulletin zero-day exploit possibility

The openSUSE site maintainers recommend using strict directory permissions and alternative authentication systems

A compromise of the community forums for the openSUSE Linux distribution Tuesday sparked concern that hackers have access to a previously unknown exploit for the popular vBulletin Internet forum software.

The attack resulted in hackers replacing some pages on the website and gaining access to the site's user database. The forums had almost 80,000 registered members at the time of the compromise.

The hacker responsible for the breach reportedly told The Hacker News that he used a private zero-day exploit for vBulletin, the software powering the site, to upload a PHP shell backdoor that allowed him to browse, read and write files on the server.

The possibility that hackers have access to a zero-day exploit for vBulletin is concerning, since the software powers very large forum sites, including some that have been targeted in the past like MacRumors with 867,000 members and with 1.9 million members.

According to vBulletin Solutions, the software's developer, over 100,000 community websites are running on vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies.

A statement from the openSUSE site maintainers Tuesday appeared to confirm the hacker's claim: "A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database," the openSUSE team said. "As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution."

The openSUSE team noted that even though the hacker got access to the user database, no access credentials, hashed or otherwise, were compromised. That's because the site uses an external single-sign-on (SSO) system for all of its services.

"This is a completely separate system and it has not been compromised by this crack," the team said. "What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."

However, the hacker did obtain user email addresses that were stored in the database for convenience.

"Although we have not confirmed this with the vBulletin developers, I am inclined to believe the claim that this is a zero-day exploit," said Matthew Ehle, an openSUSE representative, via email. "We were one patch level behind the current release, but I have not seen anything that indicates that the latest patch would have prevented an attack of this nature."

The openSUSE forums site used the vBulletin 4.x branch of the software, which is still supported, but the hacker claimed the exploit also affects the latest version of vBulletin 5.x. At this time the latest versions of vBulletin are 4.2.2 and 5.0.5.

"The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums Web system," Ehle said. "He used this shell to set up the page and dump the database."

VBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that's part of the Yahoo User Interface (YUI) library included in vBulletin 4.

Yahoo does not plan to fix the vulnerability because it affects only YUI versions 2.5.0 through 2.9.0, which are no longer supported. As a result, vBulletin Solutions advised users to replace the uploader.swf with a dummy file of the same name, which forces vBulletin installations to fall back to an alternative JavaScript-based uploader.

It's not clear if this is the vulnerability that led to the openSUSE forum compromise. According to the Yahoo advisory, the uploader.swf vulnerability is a cross-site scripting (XSS) one that allows the injection of arbitrary JavaScript.

This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.

"After the attack, we removed the uploader.swf file as a precaution," Ehle said. "I am not sure if this was the vulnerability that was exploited, but it seems consistent with how the system was compromised. However, it is entirely possible that another, unknown, vector was used."

VBulletin Solutions did not respond to an inquiry seeking information on whether it is aware of a different exploit in the software.

In the meantime, Ehle has some recommendations for other vBulletin site administrators.

"Be strict in your file permissions," he said. "In our system, only the sitemap directories were writable by the web server, which is why only that portion of the site was altered."

The remote Web shell was uploaded to the only writable directories, suggesting that tight file and directory permissions make the exploit much harder to execute, he said. "If you need legitimate file uploads and sitemap generation to work, allow writing to only those directories and set your web server to not execute PHP files in them," he said.
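The check behind Ehle's permissions advice, as an added example that is not openSUSE's or vBulletin's own tooling: a POSIX shell audit that lists the directories under a forum web root writable by the web-server account and flags any PHP files sitting inside them, which is where the backdoor landed in this incident. The web root, user and group are parameters and the tree used in the usage comment is assumed, not taken from the openSUSE deployment.

```shell
#!/bin/sh
# Audit a web root for the pattern seen in the openSUSE forums breach:
# PHP files inside directories the web-server account can write to.
# Added example, not openSUSE's or vBulletin's own code. Paths and account
# names are parameters; nothing here is taken from the real deployment.
#
# Usage (assumed layout): find_php_in_writable /var/www/forums www-data www-data

# find_writable_dirs ROOT USER GROUP
# Prints every directory under ROOT that is writable by USER as owner
# (mode bit 0200), by GROUP as group (0020) or by everyone (0002).
# Octal masks are used because symbolic -perm forms differ between
# GNU and BSD find.
find_writable_dirs() {
    find "$1" -type d \( \( -user "$2" -perm -200 \) -o \
                         \( -group "$3" -perm -020 \) -o \
                         -perm -002 \) -print
}

# find_php_in_writable ROOT USER GROUP
# For each writable directory, prints the PHP-like files directly inside it.
# A legitimate upload or sitemap directory should hold data only, so any
# hit is either application code misplaced in an upload directory or a
# dropped web shell, and needs a look either way.
find_php_in_writable() {
    find_writable_dirs "$1" "$2" "$3" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print
    done
}
```

Directories that legitimately need to be writable should additionally have PHP execution switched off in the web server configuration, as the article recommends; this script only finds the places where that matters.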

Ehle also suggested using an alternative authentication system. The default one in vBulletin still uses MD5-based password hashing, which is inexcusable by today's standards, according to Ehle.

The fact that openSUSE's forums site used an external single sign-on system -- except for a few administrative accounts whose passwords have since been reset -- prevented the breach from being much worse, he said.

This is not the first time that the openSUSE forums were compromised as a result of a vBulletin exploit.

"We had a very similar breach last summer by the same attacker," Ehle said. "It was also from a very new exploit, so this individual seems to have a very good understanding of vBulletin software and security."

The new incident prompted the openSUSE site maintainers to look into alternative Internet forum platforms.

"VBulletin provides some highly functional software, which is of course why it is so popular," Ehle said. "However, for some time I have had a number of concerns about the architecture and security of their software, and I believe the incidents that we have had and what others have experienced are beginning to confirm that."

Stories by Lucian Constantin
