Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

UPDATED – Vanilla Forums software is still affected by a critical remote code execution zero-day first reported in December 2016.

The popular Vanilla Forums software is still affected by a critical remote code execution zero-day first reported to the development team in December 2016. The exploit code was published by ExploitBox, a remote attacker can chain the flaw with the Host Header injection vulnerability CVE-2016-10073 to execute arbitrary code and take the control of the affected […]

Vanilla Forums

The popular Vanilla Forums software is still affected by a critical remote code execution zero-day first reported to the development team in December 2016.

The exploit code was published by ExploitBox, a remote attacker can chain the flaw with the Host Header injection vulnerability CVE-2016-10073 to execute arbitrary code and take the control of the affected software.

Vanilla Forums

Vanilla Forums is the software mentioned by the popular security researcher Dawid Golunski in the following critical PHPMailer advisories a few months ago:

“The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a
million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities. ” wrote Golunski.

He has been waiting for a few months before publishing the Vanilla Forums RCE exploit together with the WordPress 4.6 RCE exploit.

 

 

The Vanilla Forums software leverages PHPMailer that uses PHP’s mail() function as its default transport, as explained by the expert.

The mail() function can then be used to call Sendmail and an attacker can inject extra parameters into Sendmail by chaining the flaw with the CVE-2016-10073 vulnerability.

For example:

“Attacker \” -Param2 -Param3″@test.com

when processed by the PHPMailer (and eventually  sent to mail()) function would cause sendmail to execute with:

  • Arg no. 0 == [/usr/sbin/sendmail]
  • Arg no. 1 == [-t]
  • Arg no. 2 == [-i]
  • Arg no. 3 == [-fAttacker\]
  • Arg no. 4 == [-Param2]
  • Arg no. 5 == [-Param3″@test.com]

Dawid Golunski in the ExploitBox post demonstrates how an HTTP 1.0 Web request to the forum will allow code injection down to PHPMailer.

“It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost.” wrote Golunski.

“This is possible as the attacker can take advantage of HTTP/1.0 protocol and specify the exact vhost within the URL. This will allow the HOST header to be set to arbitrary value as the Apache server will obtain the SERVER_NAME from the provided URL. This will ensure that the malicious request will reach the affected code despite invalid vhost within the HOST header.”

Below a video PoC of the exploit:

“The exploits and techniques prove that these type of vulnerabilities could be exploited by unauthenticated attackers via server headers such as HOST header that may be used internally by a vulnerable application to dynamically create a sender address.” Golunski told me. “This adds to the originally presented attack surface of contact forms that take user input including From/Sender address.”

These vulnerabilities affect the latest Vanilla Forums stable version 2.3 which unfortunately remains unpatched.

The 0day Vanilla Forums advisories are at:

ExploitBox suggests setting the sender’s address to a static value, in this way it is possible to do not use the HOST header.

Update
The vulnerability was patched as reported in the Vanilla forums.
The issue only open source and none of hosted customers were affected.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Vanilla Forums, hacking)

[adrotate banner=”13″]