date : 10/12/2014
cvss : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe : 89
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x (to date); verified <= 4.2.2
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
patch availability (to date) : None
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create allowing
an attacker to inject arbitrary SQL commands (SELECT).
risk: rather low - due to the fact that you the api key is required
you can probably use CVE-2014-2023 to obtain the api key
vulnerable component:
./includes/api/4/breadcrumbs_create.php
vulnerable argument:
conceptid
which is sanitized as TYPE_STRING which does not prevent SQL injections.
see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022
1) prerequisites
1.1) enable API, generate API-key
logon to AdminCP
goto "vBulletin API"->"API-Key" and enable the API interface, generate key
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
provide WWW_DIR which is the place to write the php_shell to (mysql must have permissions for that folder)
Note: meterpreter_bind_tcp is not provided
run PoC, wait for SUCCESS! message
Note: poc will trigger meterpreter shell
meterpreter PoC scenario requires the mysql user to have write permissions
which may not be the case in some default installations.
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022
(0x721427D8)