A compromise of the community forums for the openSUSE Linux distribution Tuesday sparked concern that hackers have access to a previously unknown exploit for the popular vBulletin Internet forum software.
The attack resulted in hackers replacing some pages on the forums.opensuse.org website and gaining access to the site’s user database. The forums had almost 80,000 registered members at the time of the compromise.
The hacker responsible for the breach reportedly told The Hacker News that he used a private zero-day exploit for vBulletin, the software powering the site, to upload a PHP shell backdoor that allowed him to browse, read and write files on the server.
The possibility that hackers have access to a zero-day exploit for vBulletin is concerning, since the software powers very large forum sites, including some that have been targeted in the past like MacRumors with 867,000 members and UbuntuForums.org with 1.9 million members.
According to vBulletin Solutions, the software’s developer, over 100,000 community websites are running on vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies.
A statement from the openSUSE site maintainers Tuesday appeared to confirm the hacker’s claim: “A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database,” the openSUSE team said. “As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution.”
The openSUSE team noted that even though the hacker got access to the user database, no access credentials, hashed or otherwise, were compromised. That’s because the site uses an external single-sign-on (SSO) system for all of its services.
”This is a completely separate system and it has not been compromised by this crack,” the team said. “What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.”
However, the hacker did obtain user email addresses that were stored in the database for convenience.
”Although we have not confirmed this with the vBulletin developers, I am inclined to believe the claim that this is a zero-day exploit,” said Matthew Ehle, an openSUSE representative, via email. “We were one patch level behind the current release, but I have not seen anything that indicates that the latest patch would have prevented an attack of this nature.”
The openSUSE forums site used the vBulletin 4.x branch of the software, which is still supported, but the hacker claimed the exploit also affects the latest version of vBulletin 5.x. At this time the latest versions of vBulletin are 4.2.2 and 5.0.5.
”The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums Web system,” Ehle said. “He used this shell to set up the page and dump the database.”
VBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that’s part of the Yahoo User Interface (YUI) library included in vBulletin 4.
Yahoo does not plan to fix the vulnerability because it affects only YUI versions 2.5.0 through 2.9.0, which are no longer supported. As a result, vBulletin Solutions advised users to replace the uploader.swf with a dummy file of the same name, which forces vBulletin installations to fall back to an alternative JavaScript-based uploader.
It’s not clear if this is the vulnerability that led to the openSUSE forum compromise. According to the Yahoo advisory, the uploader.swf vulnerability is a cross-site scripting (XSS) one that allows the injection of arbitrary JavaScript.
This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.
”After the attack, we removed the uploader.swf file as a precaution,” Ehle said. “I am not sure if this was the vulnerability that was exploited, but it seems consistent with how the system was compromised. However, it is entirely possible that another, unknown, vector was used.”
VBulletin Solutions did not respond to an inquiry seeking information on whether it is aware of a different exploit in the software.
In the meantime, Ehle has some recommendations for other vBulletin site administrators.
”Be strict in your file permissions,” he said. “In our system, only the sitemap directories were writable by the web server, which is why only that portion of the site was altered,” he said.
The remote Web shell was uploaded in the only writable directories suggesting that tight file and directory permissions make the exploit much harder to execute, he said. “If you need legitimate file uploads and sitemap generation to work, allow writing to only those directories and set your web server to not execute PHP files in them,” he said.
Ehle also suggested using an alternative authentication system. The default one in vBulletin still uses MD5-based password hashing, which is inexcusable by today’s standards, according to Ehle.
The fact that openSUSE’s forums site used an external single sign-in system—except for a few administrative accounts whose passwords have since been reset—prevented the breach from being much worse, he said.
This is not the first time that the openSUSE forums were compromised as a result of a vBulletin exploit.
”We had a very similar breach last summer by the same attacker,” Ehle said. “It was also from a very new exploit, so this individual seems to have a very good understanding of vBulletin software and security.”
The new incident prompted the openSUSE site maintainers to look into alternative Internet forum platforms.
”VBulletin provides some highly functional software, which is of course why it is so popular,” Ehle said. “However, for some time I have had a number of concerns about the architecture and security of their software, and I believe the incidents that we have had and what others have experienced are beginning to confirm that.”