Plesk 0-Day Exploit

A 0-day vulnerability has been publicly posted which affects older versions of Parallels Plesk software. The author of the exploit included an informational text file which appears indicate public servers have already been exploited. This vulnerability does not affect the latest major version of the software, nevertheless we expect to see widespread exploitation, due to the age of the affected versions — sites still running these versions of Plesk, which should enter End of Life of June 9, are unlikely to be regularly maintained. The vulnerable versions of the Plesk control panel by injecting malicious PHP code, allowing successful attackers to execute arbitrary commands with the privileges of the Apache server userid.

Affected and tested: 9.5.4, 9.3, 9.2, 9.0, 8.0
Affected and tested OS: RedHat, CentOS, Fedora
Affected and tested Platforms: Linux i386, Linux x86_64
Unaffected: 11.0.9 due to compiled in protection of PHP version

POC:

root@server1 [~]# perl /tmp/plesk-simple-ssl.pl  76.12.81.206
HTTP/1.1 200 OK
Date: Thu, 06 Jun 2013 02:43:19 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

3
OK

14
2.6.18-308.24.1.el5

3e
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)

0

The exploit is turning off possible hardening that is in place on the server. The “allow_url_include=on” argument allows the attacker to include arbitrary PHP script. The impact of that is described here.  Next safe_mode is turned off. As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection (as well as protections against processing PHP script via the php:// URI handler).

 

+http://arstechnica.com/security/2013/06/more-than-360000-apache-websites-imperiled-by-crticial-vulnerability/

Plesk 0-Day Exploit

Leave a Reply

Your email address will not be published. Required fields are marked *

Fork me on GitHub