[create365]

http://www.reddit.com/r/netsec/comme...n_compromises/
I have the exploit code, researching it, also confirmed it works.
On black market, exploit is worth $7000.

Most of the times, it ends up with C99/PHPShell installed (mostly under Admin CP -> Paid Subscriptions -> Subscriptions Manager - because part of the users never look there.)

Have you secured your vBulletins/were you hacked?
How vBulletin plans to fix it?

The XSS script is multistage based on what the user's session is currently capable of.
Create an invisible iframe pointing to the administrator control panel (ACP).
Using the iframe, check if the user is logged into the ACP. If yes, proceed to stage 5, otherwise continue to stage 3.
Since the user was not logged into the ACP, see if a password manager autofills the fields and submit the credentials off to an attacker controlled server. If no credentials were filled, continue to stage 4.
Retrieve all private messages of the user and ship them off to an attacker controlled servers since they might contain credentials or sensitive information. Not much to be done, exit the script.
Since the user was logged into the ACP, attempt to add a vBulletin hook that allows the remote execution of PHP code. If we don't have the permissions for this, continue to stage 6, otherwise exit the script.
Last straw attempt, try changing a higher ranked administrator's password. (yes, vBulletin is stupid enough to allow it) If we don't have the permissions for this either, continue to stage 4, otherwise exit the script.

[Zachery]

So, you still have to some how gain access to a semi-privileged account, and then get an administrator to look at the post that has the malicious html in it?

[create365]

Nope. Attack can be done from any site, but administrator has to view it. No account on target forums needed. It's pretty easy to achieve.
If someone with less privileges enters the page, it does other stuff. As described above its multi-stage.
The site when viewing opens an invisible iframe and executes the exploit.
Then, if it manages to install the shell, entering specific url enables hacker to access server almost like via ssh. It allows to execute SQL queries, for example to add new administrator, or even truncate all tables.

[Zachery]

Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

I'd like to point out, you can restrict access to other admins changing other admins account via the config.php file, as well as locking down admin permisions via a super admin.

[Max Taxable]

The XSS script is multistage based on what the user's session is currently capable of.

Seems like requiring the security token for this POST action stops this cold.

[create365]

Originally Posted by Zachery

Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

Well, that is the easiest part.

[TheLastSuperman]

I've ran into this before even was worried about it back in September remember that pm I sent you Zachery? It was related to this the exploit I thought was out there but could not confirm.

What they are doing is base64 encoding the plugins so hard to tell what exactly it's doing... it's always 3-4 plugins and 3/4 prompt virus alerts from your software (which c99 madshell does so if the shell script was not on the local server then zing you guessed it, they connected to it remotely via the plugin i.e. the anti-virus alert). Basically instead of now uploading c99madshell directly onto the server they are trying to exploit, they simply modified it and uploaded to their own server - after that the plugin connects to c99 madshell and they execute what they wish from their own server through your site via the plugins yet one more reason you don't see all what you wish you did in the logs while trying to figure out what just smacked you silly.

[Digital Jedi]

So your admins should generally be undeletable/unalterable. It's a pain, but it helps.

$7000!?

Seems like all of this could have been avoided if you just used secure passwords.

[findingpeace]

This page says the exploit uses HTML in Announcement Titles... Isn't that exactly what happened here on vBulletin.org?

[Digital Jedi]

I don't see how, if the dev server attack was non-vBulletin related.

[findingpeace]

Originally Posted by Digital Jedi

I don't see how, if the dev server attack was non-vBulletin related.

Check out Post #22 by Paul M here:
http://www.vbulletin.org/forum/showt...=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.

[Digital Jedi]

Originally Posted by findingpeace

Check out Post #22 by Paul M here:
http://www.vbulletin.org/forum/showt...=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.

As much as I've been on here the last couple of days, I've completely missed that event. I thought you were referring to the attack on the server. I guess test accounts were overlooked during the password change.

[adwolf1]

what about this post --

http://www.vbulletin.com/forum/forum...s-in-vbulletin

so we shouldn't be nervous?

[tbworld]

Make sure you have proper backups and have handled all recommendations. Then go on and enjoy your life. I personally do not have time to deal with conjecture. It seems to me vBulletin is releasing information as they become aware and qualified it. I am good with that.