November 18, 2013

Forum software maker vBulletin is urging users to change their passwords following a recent breach of its networks. The attackers who claimed responsibility for the intrusion say they broke in using a zero-day flaw that is now being sold in several places online, but vBulletin maintains it is not aware of any zero-day attacks against current versions of its product.

On Thursday, Nov. 14, this publication received an email with several screen shots and a short note indicating that vBulletin had been hacked. The attackers claimed they had knowledge of a zero-day bug in versions 4.x and 5.x of vBulletin, and that they had used the same vulnerability to break into vbulletin.com and macrumors.com.

That same day, I reached out to both vBulletin and MacRumors. I heard immediately from MacRumors owner Arnold Kim, who pointed my attention to a story the publication put up last Monday acknowledging a breach. Kim said MacRumors actually runs version 3.x of vBulletin, and that the hackers appear to have broken in using a clever cross-site-scripting attack.

“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed Javascript in an announcement and waited for an administrator to load that page. Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”
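As an added example (not vBulletin’s or MacRumors’ code), the defensive counterpart to the announcement vector Kim describes: an allow-list sanitizer a forum could apply to moderator HTML before storing it, run over a constructed announcement that carries script in a `<script>` tag, an event handler and a `javascript:` URL. The tag and attribute policy and the sample input are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# The allow-list below is an assumption for this example, not vBulletin's own rules.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # only absolute URLs are kept

class AnnouncementSanitizer(HTMLParser):
    # Re-emits allow-listed markup only; <script>/<style> bodies are dropped entirely.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag removed; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            ok = name in ALLOWED_ATTRS.get(tag, ()) and (
                name not in ("href", "src") or value.lower().startswith(SAFE_SCHEMES))
            if ok:  # drops every on* handler, style=, and javascript:/data:/relative URLs
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):  # void tags get no close
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:  # text is re-escaped, so a stray '<' cannot form a tag
            self.out.append(escape(data, quote=False))

def sanitize_announcement(markup):
    parser = AnnouncementSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample: benign text plus JS smuggled in via a <script> tag, an event
# handler and a javascript: URL, the usual carriers in "HTML allowed" content.
CONSTRUCTED_ANNOUNCEMENT = (
    "<p>Forum maintenance tonight.</p><script>runAttackerCode()</script>"
    '<img src="x" onerror="runAttackerCode()">'
    '<a href="javascript:runAttackerCode()" onclick="runAttackerCode()">rules</a>'
)
```

Sanitizing stored HTML limits what a compromised moderator account can post; it does not substitute for keeping moderator credentials unique, which is where this breach began.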

Kim said the attackers in that case even came on the MacRumors forum and posted a blow-by-blow of the attack, confirming that the cause of the breach was a compromised moderator account. Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.

“Stop [blaming] this on the ‘outdated vBulletin software’,” the apparent culprit wrote. “The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”

On Saturday, Nov. 16, I heard back from vBulletin, which said it had just posted a note urging users to change their passwords, and that the company was not aware of any zero-day bugs in its software. vBulletin didn’t say which version of its software was attacked, only that “our staging server was running a wide variety of versions of the software.” The vBulletin homepage says the site is powered by version 5.0.5.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” vBulletin’s tech support lead Wayne Luke wrote. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.”

Interestingly, several individuals appear to be selling what they claim are zero-day exploits in vBulletin 4.x and 5.x, including the attackers who first contacted me on Thursday claiming responsibility for the break-in. That person, using the nickname Inj3ct0r, advertised a copy of the supposed exploit for $7,000, available for payment via virtual currencies Bitcoin and WebMoney. According to this user’s Bitcoin wallet, at least one person appears to have paid for a copy, sending the user 15 Bitcoins on Nov. 15 (when Bitcoin’s value was approximately USD $435 per BTC, according to Bitcoincharts.com).

Perhaps seeing an opportunity to attract (or scam) interested buyers, this guy posted on Friday that he would sell the same exploit for just $200 in Bitcoins. It’s unclear if that sale was for real or a scam, but several buyers apparently thought it worthwhile and cheap enough to verify the claim with a payment, according to this user’s Bitcoin wallet.


18 thoughts on “vBulletin Breach Prompts Password Reset”

  1. tjallen

    “Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”

    Can you explain this more clearly? A webpage with javascript can load a plugin – presumably he refers to a browser plugin? And this browser plugin can run php scripts on the VB server? Nothing wrong with that. Presumably he means the plugin can run scripts as the administrator. So the newly installed browser plugin is capturing the session of the administrator who loaded the announcement page?

    This sounds more like a browser problem, allowing plugins to load and capture sessions, including the very session ongoing when the plugin was installed.

    1. mfarrell

      In this case, the plugin being referred to is a vBulletin feature.

      vBulletin has a plugin system that allows you to easily add new code into your forum without having to directly edit php files on the server. These plugins are stored in the mysql database and run fully functional php code, no different than the programs in the forum path.

      There is nothing wrong with that feature. It’s just that if a forum admin account is compromised in this way, a malicious plugin can be installed and the forum exploited.

  2. IA Eng

    “kids”? Heh, sounds like he is trying to assume the age of someone in their 40’s.

    Scripts are always dangerous, and it really depends on the functionality of the forum. It can be put under the “code” area, and what happens if the attacker puts that code the same color as the background? All they need to do is add some text and maybe a small pic to lure the admin in to approve it and the script then runs with admin privs.

    It sounds like the attacker knows his way around the older versions more so than the new one(s). He doesn’t seem to be bothered by having the same IP on both websites. I’d see if the forum software shows any other accounts, past or present, that utilized that IP range. It’s a low probability, but maybe you can associate the IPs and other accounts and come up with a name. I have seen simpler-minded crooks.

    It’s a tough choice. To let the users use code or code-like functions and URL links on their sites or not? Does every forum need to police every post and approve or trash it? To me that’s too much work and nothing will get accomplished. I’m sure there has to be a simpler way to add a plug-in that can determine if code and a URL can be considered “safe”.

  3. The Oregano Router

    “The Kids Are Alright”

    I think “cross-site-scripting” can be injected into most C.M.S. forum or bulletin websites to either hijack, manipulate, deface or do malicious things like infecting users by way of drive-by download Trojans. This really isn’t new news in the internet security realm, so it doesn’t surprise me much.

    1. MaXe

      You’re wrong. The payload that Canonical claims that the attackers used does not exist as session cookies are marked HttpOnly in vBulletin. It’s more likely they used the same JavaScript payload, i.e. http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
      (Because the above payload does exactly what the guy from MacRumors said, and it has been widely available for soon 3 years.)

  4. George G

    “the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.”

    Same password in two places? And s/he is a moderator on a forum?

    1. IA Eng

      Either the person worked for one, and used the same credentials to set up the other or, the person simply uses the same username and password on the entire planet.

      That happens more than people think. =\

      1. SeymourB

        I have two sets of passwords. One that I care about, and every site gets a unique password. And another that I don’t care about, which all use the same password.

        Either this moderator didn’t care about his moderator accounts on forums, or he simply uses the same name & password on all his forums. The latter seems far more likely… I wonder how much money they siphoned from his bank account?

  5. QHoster

    Is there even one modern software package using PHP which is not hacked multiple times? I guess not …

    1. IA Eng

      I know of a few – This software wasn’t hacked – it was compromised by a user. The software or anything for that matter can be made only so good. Interject human error and the doors are wide open.

    2. tjallen

      Human error, not PHP. The newest PHP version has totally rewritten its commands involving mysql (see mysqli) and it should be much tougher for the human coder to err.

  6. Zorro

    1337day/Inj3ct0r are scammers!

    I sent them 10 BTC yesterday for this exploit and got nothing.

    [16:32:29] ou send moeny yesterday?
    [16:32:49] yes i did and you said 30 minutes and ignore
    [16:32:57] =-O
    [16:33:07] you talk me abount jabber?
    [16:33:16] same jabber
    [16:36:28] give me time ok
    [16:36:35] time for what
    [16:36:45] i give you material
    [16:36:52] when
    [16:36:59] friday
    [16:37:00] please!
    [16:37:48] why should i believe it after you said 30 minutes
    [16:38:07] Bro really have big problem now
    [16:38:07] i wanted to buy every wxploit you have there, but you dont have word
    [16:38:11] give me 2 day
    [16:38:11] ok?
    [16:38:15] you do have a problem
    [16:38:52] since if i dont have money back or the exploit i will post about you everywhere., and i have connections. this is just random jabber for this talks, but you will lose more than 10 BTC
    [16:39:13] this is very ugly what you do
    [16:39:20] not professional at all
    [16:39:34] i thought you have some respect after all the years being active and all the talks about you
    [16:39:47] but in the end what i see? scamming kids like on hackforums
    [16:40:10] you have 50 BTC now, i only ask for mine to be back

  7. JoshZerlan 1337DayScam

    1337day.com is a scam site. They do not have the 0days they are selling for.

    Their address is Bitcoin Address 1AWqYR4CCP5j9GEqMNk8b3ZNPPfG5Jniu1

    As you can see I purchased the vBulletin 0day with this transaction:

    vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execute (0day)

    https://blockchain.info/tx/2380e1187…c8acf201cfb4f6

    I received an email from admin@1337day.com asking for jabber or skype. Here’s our logs: (timestamps removed for my anonymity)

    1337day
    here

    joshzerlan@jwchat.org
    ok, so what about the vBulletin 0day?

    1337day
    Hello

    joshzerlan@jwchat.org
    Hi

    1337day
    Bro please tomorrow , at the moment i back home
    today or tomorrow

    joshzerlan@jwchat.org
    what’s with the youtube video saying you scammed someone over the MS office 0day?

    1337day
    I waited for you all day
    this man make video to get stuff for free
    many kids idiots

    joshzerlan@jwchat.org
    okay, when will you be able to disclose it?
    (not sure what time zone you are in)

    1337day
    today

    joshzerlan@jwchat.org
    ok. I’ll be available here. thanks

    1337day
    respect
    add me

    joshzerlan@jwchat.org
    added

    1337day
    you use windows?

    joshzerlan@jwchat.org
    no
    you responsible for macrumors?

    1337day
    yes
    you want database?)

    joshzerlan@jwchat.org
    that wasn’t done through a 0day
    that was done through XSS

    1337day
    no)

    joshzerlan@jwchat.org
    dc04ae4ecd2ff1eb0a43191f6778369c.png

    1337day
    )
    my screen)
    do you want this database?

    joshzerlan@jwchat.org
    it would make me
    more comfortable if i know you actually have a 0day

    1337day
    3 btc and i give you database)
    interest?

    joshzerlan@jwchat.org
    show me some proof first

    1337day
    proof? you send me 10 btc and you want proof?

    joshzerlan@jwchat.org
    you want me to send more

    joshzerlan@jwchat.org
    so?
    you don’t have the 0day.

    1337day
    and?

    joshzerlan@jwchat.org
    posting about scam reports on all the forums now
    i’ll make sure the #2 search result for 1337day is a scam report

    1337day
    show me

    —–

    As you can see, they claim responsibility for the MacRumors attack when it was done by someone using the name ‘lol’. That attack was through compromising a moderator account, and making a XSS announcement. The actual hacker of MacRumors has said 1337 didn’t do shit with proof:

    dc04ae4ecd2ff1eb0a43191f6778369c.png

    1337day are scammers – do not pay them.
