Sunday, July 21, 2013

Ubuntu Forums has been pwned!

According to Ubuntu Forums, the site was defaced at 2011 hours on July 20, 2013 (UTC). The defacement page is the same as this, and the source code of the page is here. It also plays music.

Ubuntu Forums also stated that the website's database was downloaded by the attacker, and the attacker has confirmed this. However, the attacker stated that s/he will not leak the database to the public or take advantage of it.

The Ubuntu Forums use the vBulletin PHP software. The forums were updated or upgraded early this year. According to Exploit Database, the latest exploit is dated March 25, 2013 (leaving aside the exploit from July 2013, as it is already updated/upgraded). If the update/upgrade included fixes for these bugs, there would be no known exploit for vBulletin in the wild.

However, on January 23, 2012, the forums looked for PHP developers to help implement OpenID for the forums update/upgrade (please see here).

If the custom-modified vBulletin did not undergo an audit or penetration test, it may contain bugs or vulnerabilities. The custom changes to vBulletin may have led to the attack's success.

I think that the attack technique in this case is SQL Injection.

The forums are still down at the time of this writing (July 21, 2013 1340 UTC).

Remark: please refer to this link for my information gathering.

That's all! See you.

UPDATE : Part 2