A 0-day vulnerability has been publicly posted which affects older versions of Parallels Plesk software. The author of the exploit included an informational text file which appears indicate public servers have already been exploited. This vulnerability does not affect the latest major version of the software, nevertheless we expect to see widespread exploitation, due to the age of the affected versions — sites still running these versions of Plesk, which should enter End of Life of June 9, are unlikely to be regularly maintained. The vulnerable versions of the Plesk control panel by injecting malicious PHP code, allowing successful attackers to execute arbitrary commands with the privileges of the Apache server userid.
Affected and tested: 9.5.4, 9.3, 9.2, 9.0, 8.0 Affected and tested OS: RedHat, CentOS, Fedora Affected and tested Platforms: Linux i386, Linux x86_64 Unaffected: 11.0.9 due to compiled in protection of PHP version
root@server1 [~]# perl /tmp/plesk-simple-ssl.pl 22.214.171.124 HTTP/1.1 200 OK Date: Thu, 06 Jun 2013 02:43:19 GMT Server: Apache/2.2.3 (CentOS) Connection: close Transfer-Encoding: chunked Content-Type: text/html 3 OK 14 2.6.18-308.24.1.el5 3e uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv) 0
The exploit is turning off possible hardening that is in place on the server. The “allow_url_include=on” argument allows the attacker to include arbitrary PHP script. The impact of that is described here. Next safe_mode is turned off. As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection (as well as protections against processing PHP script via the php:// URI handler).