OpenSUSE forums hack raises vBulletin zero-day exploit possibility

A compromise of the community forums for the openSUSE Linux distribution Tuesday sparked concern that hackers have access to a previously unknown exploit for the popular vBulletin Internet forum software.

The attack resulted in hackers replacing some pages on the website and gaining access to the site's user database. The forums had almost 80,000 registered members at the time of the compromise.

The hacker responsible for the breach reportedly told The Hacker News that he used a private zero-day exploit for vBulletin, the software powering the site, to upload a PHP shell backdoor that allowed him to browse, read and write files on the server.

The possibility that hackers have access to a zero-day exploit for vBulletin is concerning, since the software powers very large forum sites, including some that have been targeted in the past like MacRumors with 867,000 members and with 1.9 million members.

According to vBulletin Solutions, the software's developer, over 100,000 community websites are running on vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies.

A statement from the openSUSE site maintainers Tuesday appeared to confirm the hacker's claim: "A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database," the openSUSE team said. "As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution."

The openSUSE team noted that even though the hacker got access to the user database, no access credentials, hashed or otherwise, were compromised. That's because the site uses an external single-sign-on (SSO) system for all of its services.

"This is a completely separate system and it has not been compromised by this crack," the team said. "What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."

However, the hacker did obtain user email addresses that were stored in the database for convenience.

"Although we have not confirmed this with the vBulletin developers, I am inclined to believe the claim that this is a zero-day exploit," said Matthew Ehle, an openSUSE representative, via email. "We were one patch level behind the current release, but I have not seen anything that indicates that the latest patch would have prevented an attack of this nature."

The openSUSE forums site used the vBulletin 4.x branch of the software, which is still supported, but the hacker claimed the exploit also affects the latest version of vBulletin 5.x. At this time the latest versions of vBulletin are 4.2.2 and 5.0.5.

"The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums Web system," Ehle said. "He used this shell to set up the page and dump the database."

vBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that's part of the Yahoo User Interface (YUI) library included in vBulletin 4.

Yahoo does not plan to fix the vulnerability because it affects only YUI versions 2.5.0 through 2.9.0, which are no longer supported. As a result, vBulletin Solutions advised users to replace the uploader.swf with a dummy file of the same name, which forces vBulletin installations to fall back to an alternative JavaScript-based uploader.
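The dummy-file workaround above, as an added shell example that is not from the article or from vBulletin Solutions: it walks an install tree for copies of uploader.swf, checks whether each still begins with a Flash header, and swaps a live copy for an empty placeholder of the same name. The install-root argument and the magic-byte check (FWS/CWS/ZWS) are assumptions, not details from the advisory.

```shell
#!/bin/sh
# Added example, not vendor code: audit a vBulletin 4 tree for live copies
# of the YUI uploader.swf and report whether each has already been replaced
# with an inert dummy file. Assumes the install root is passed as the first
# argument and that a real Flash movie starts with FWS, CWS or ZWS.

# is_live_swf FILE -> 0 if FILE carries a Flash header, 1 otherwise
is_live_swf() {
    magic=$(dd if="$1" bs=3 count=1 2>/dev/null)
    case "$magic" in
        FWS|CWS|ZWS) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_uploader ROOT -> prints one line per uploader.swf found;
# returns 1 if any live copy remains, 0 if all are dummies or none exist.
# (Paths containing whitespace are not handled by this simple loop.)
audit_uploader() {
    root=$1
    rc=0
    for f in $(find "$root" -type f -name 'uploader.swf'); do
        if is_live_swf "$f"; then
            echo "LIVE   $f"
            rc=1
        else
            echo "DUMMY  $f"
        fi
    done
    return $rc
}

# neutralise_uploader FILE: keep a .bak copy, then truncate FILE to zero
# bytes so vBulletin falls back to its JavaScript uploader.
neutralise_uploader() {
    cp -p "$1" "$1.bak" && : > "$1"
}
```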

It's not clear if this is the vulnerability that led to the openSUSE forum compromise. According to the Yahoo advisory, the uploader.swf vulnerability is a cross-site scripting (XSS) one that allows the injection of arbitrary JavaScript.

This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.
