【CVE-2019-16759】:pre-auth RCE in vBulletin 5.x

pre-auth RCE in vBulletin 5.x .

https://twitter.com/chybeta/status/1176702424045772800

中文： https://xz.aliyun.com/t/6419

0x01 Summary

https://seclists.org/fulldisclosure/2019/Sep/31

0x02 Analysis

The first parameter routestring tell what template should vBulletin look for.

In the callRender()，$routeInfo[2] will be set as widget_php and $params will contains the render config $widgetCongi[code]

In \core\install\vbulletin-style.xml，we can fidn a template named widget_php

So when $widgetConfig['code'] is not null and the setting disable_php_rendering isn’t disabled, vBulletin will use the following syntax to render template：

{vb:action evaledPHP, bbcode, evalCode, {vb:raw widgetConfig.code}}
{vb:raw $evaledPHP}

In includes\vb5\frontend\controller\bbcode.php , you can find how evalCode defined：

Finally cause PHP-Template injection and pre-auth RCE in vBulletin 5.x。

0x03 Reproduce