It seems that there's a lot more to the MacRumors story we reported over the weekend, and what's now becoming known is a bit worrying for anyone running vBulletin's forum software and users who contribute to communities that run on it.
Previously, we discussed that tech site MacRumors experienced a database breach which saw 860,000 user accounts taken from its servers, and in the same post, I talked about an email I received straight from vBulletin on the same day, reporting a similar security issue. At the time, it was difficult to surmise what was going on, because no information was posted on the official vBulletin site at all, and nothing could be found on the site's forums.
Today, important information regarding that security issue has begun coming out, and it appears that like MacRumors, the official vBulletin.com forums has had its entire database taken, with the same exploit and team behind both.
According to 'Inj3ct0r Team', the group claiming responsibility for the attacks, the vulnerability it discovered affects both vBulletin 4 and 5. On the group's Facebook, it was said, "We've got upload shell in vBulletin server, [downloaded] database and got root."
After the MacRumors' incident, it was said that the exploiters merely logged into an administrator account and escalated privileges, but based on what Inj3ct0r Team is stating, that doesn't seem to be the case at all. A vBulletin-specific bug is the definite root of the issue, however, and the result is being able to upload a shell script to gain remote access to the Web server. An example of a successful breach using this exploit can be seen below:
As we reported on Saturday, the team behind the attack has seemingly no interest in selling off the accounts it's acquired, or exploit them itself. However, it does appear that some money-making interests are at play, as via the official Inj3ct0r website, an exploit entitled, "vBulletin v4.x.x and 5.?.x Shell Upload / Remote Code Execute (0day)" is being sold for about $7,000.
Up to this point, vBulletin has not released a patch to fix this issue, and it's unclear at this point whether or not the company itself understands the exploit (it'd seem likely that it'd be one of the purchasers of this exploit, unless the company somehow quickly figured out the vulnerability on its own).
What's upsetting about all of this is that this isn't the first time a severe vBulletin vulnerability has become known, and as it appears the hashing algorithm used for the passwords is the rather ancient and vulnerable MD5, one must question the company's weight on security measures.