Security

Hacker Publishes Alleged Zero-Day Exploit For Plesk

Posted by timothy
from the head-plesk dept.
hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants (Red Hat, CentOS and Fedora) are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses a POST request to launch a PHP interpreter, and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."
  • little late (Score:5, Informative)

    by Anonymous Coward on Thursday June 06, 2013 @01:37PM (#43927447)

    Plesk is currently in ver 11... this would have been big like 2 years ago.

    • Re:little late (Score:5, Insightful)

      by Anonymous Coward on Thursday June 06, 2013 @01:45PM (#43927557)

      Plesk is currently in ver 11... this would have been big like 2 years ago.

      yet, surprisingly, many companies will still be running those Plesk versions due to laziness, stupidity, ignorance, lack of staff for upgrade, etc. See it every day - or a variation of the same - old software kills.

      • by Jesus_666 (702802)
        At my workplace we still use Plesk 9.5. This is because we decided to go with a hosted server instead of one where we actually have any control, and that's what the server came with. Since we're dependent on the Plesk API working, we've been putting off a proposed update to Plesk 11 for some time now.

        Now, technically Plesk 11 should still speak the same API dialect we use but since Plesk's API isn't exactly stable as it is I can't rule out that arbitrary parts of it may stop working. Since we can't afford
    • by toygeek (473120)

      Have you ever tried upgrading a Plesk installation? I've done it. It's not pretty. Database inconsistencies, accounts that have to be reinstalled, data loss, they're all very real with this pile of poo software. In fact, when I dealt with it we were more likely to build a new version server and migrate customers to it because upgrading the server in place was so prone to failure. There's a reason there are so many old Plesk versions around. It SUCKS.

      • by h4rr4r (612664)

        Why not just be a big boy and forgo this hand holding software?

        • by toygeek (473120)

          This "big boy" works in the web hosting business where control panels have been a necessity for a long time. A web hosting company without a control panel won't be around very long. My own web server doesn't need a control panel, and sure I can set up a LAMP stack in my sleep, but I'm not hosting just MY website...

          • My company went from Plesk -> cPanel but when we moved to a clustered dual-datacenter hosting environment I found rolling my own control panel surprisingly easy.

            The trick is not to make the control panel run as root. Make it write the config to a db and let a shell script write all the config files.
            Extremely simple (it's just a regular PHP web app) and works really nicely. Even done per account bandwidth monitoring, phpmyadmin, aliases, crons, etc...
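The privilege split described in the comment above (unprivileged panel writes desired state to a database; a separate privileged job renders the real config files), worked through as an added example in Python. This is not code from any commenter, from Plesk or from cPanel; the table layout, the `/var/www/vhosts` base directory, the `request_vhost`/`generate_configs` names and the rendered Apache directives are all assumptions made for the example. The point it adds to the comment is that the privileged side must re-validate everything it reads from the database rather than trust the web tier, because the database is the boundary between the two privilege levels.

```python
import re
import sqlite3
from pathlib import PurePosixPath

# Assumed layout (constructed for this example): every vhost lives under this base.
DOCROOT_BASE = PurePosixPath("/var/www/vhosts")
# Hostname labels: 1-63 chars of [a-z0-9-], no leading/trailing '-', at least one dot.
DOMAIN_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+")
# Characters allowed in a docroot; anything else (spaces, quotes, newlines, '#')
# could alter the generated Apache directives.
DOCROOT_RE = re.compile(r"[A-Za-z0-9._/-]+")


def open_store(path=":memory:"):
    """Open the desired-state store shared by the web tier and the generator."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS vhost ("
        "domain TEXT PRIMARY KEY, docroot TEXT NOT NULL)"
    )
    return db


def request_vhost(db, domain, docroot):
    """Unprivileged web tier: record what the customer asked for, nothing more.
    Parameterised SQL only; no filesystem or Apache access from this process."""
    db.execute(
        "INSERT OR REPLACE INTO vhost (domain, docroot) VALUES (?, ?)",
        (domain, docroot),
    )
    db.commit()


def validate(domain, docroot):
    """Generator-side allow-list validation; raises ValueError on anything unexpected."""
    domain = domain.strip().lower()
    if len(domain) > 253 or not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid domain {domain!r}")
    if not DOCROOT_RE.fullmatch(docroot):
        raise ValueError(f"disallowed characters in docroot {docroot!r}")
    path = PurePosixPath(docroot)
    # PurePosixPath does not collapse '..', so traversal stays visible in parts.
    if not path.is_absolute() or ".." in path.parts or DOCROOT_BASE not in path.parents:
        raise ValueError(f"docroot {docroot!r} is outside {DOCROOT_BASE}")
    return domain, str(path)


def render_vhost(domain, docroot):
    """Render one Apache vhost; CGI execution is switched off in the docroot."""
    return (
        "<VirtualHost *:80>\n"
        f"    ServerName {domain}\n"
        f"    DocumentRoot {docroot}\n"
        f"    <Directory {docroot}>\n"
        "        Options -ExecCGI -Includes\n"
        "        AllowOverride None\n"
        "    </Directory>\n"
        "</VirtualHost>\n"
    )


def generate_configs(db):
    """Privileged generator (the 'shell script' role in the comment): re-validate
    every row and render config text. Returns ({filename: text}, [(domain, reason)])."""
    configs, rejected = {}, []
    for domain, docroot in db.execute("SELECT domain, docroot FROM vhost ORDER BY domain"):
        try:
            clean_domain, clean_root = validate(domain, docroot)
        except ValueError as err:
            rejected.append((domain, str(err)))
            continue
        configs[f"{clean_domain}.conf"] = render_vhost(clean_domain, clean_root)
    return configs, rejected


if __name__ == "__main__":
    # Constructed sample requests: one good, one bad hostname, one traversal attempt.
    store = open_store()
    request_vhost(store, "Example.com", "/var/www/vhosts/example.com/httpdocs")
    request_vhost(store, "bad domain", "/var/www/vhosts/bad")
    request_vhost(store, "traversal.example", "/var/www/vhosts/../../etc")
    ok, bad = generate_configs(store)
    print(ok["example.com.conf"])
    for name, reason in bad:
        print("rejected:", name, "->", reason)
```

In a deployment the generator would be the only process with write access to the Apache config directory and would be driven by cron or a queue, while the panel's database account has insert/update rights on `vhost` and nothing else; the `-ExecCGI` option in the rendered block is there because the CGI-mode PHP configuration is exactly what the rest of this thread is arguing about.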

  • by Anonymous Coward on Thursday June 06, 2013 @02:00PM (#43927701)

    The kiddie is basically claiming Plesk 9.5.4 and prior are vulnerable to CVE-2012-1823. The problem with this is that in order to take advantage of this "new exploit" the distro has to have not had updates applied (this PHP vulnerability was patched some time ago on all the host distros), Plesk has to be configured to run the site as CGI instead of through mod_php, which isn't the default and isn't even possible on many of the claimed versions, and the path claimed isn't even configured on standard Plesk installs. When presented with these facts, his response was basically "you lie", so yeah, why is this suddenly news?

    • ...why is this suddenly news?

      Nothing else happening, I suppose

    • by Zapotek (1032314) <tasos.laskos@nospAm.gmail.com> on Thursday June 06, 2013 @02:06PM (#43927799) Homepage
      The dude replied to a valid and well-thought-out question with (irrelevant) lyrics from a Greek song. I wouldn't trust him to fill a glass of water, he obviously just wants some attention.
    • by TBone (5692) on Thursday June 06, 2013 @03:07PM (#43928517) Homepage

      I just patched this on a half dozen servers yesterday - it's not the CVE vulnerability, it's a Plesk-Apache-PHP configuration exploit.

      Plesk installed a PHP-via-CGI configuration that turned an entire directory path into an auto-CGI, and exposed the system path to the php executable. A couple of escape characters later and you had remote shell commands executing via POST.

      • by Anonymous Coward

        The configuration of Apache/PHP as described in the exploit, and the attack code itself, is described by CVE-2012-1823.
        As the last update for Plesk 9.5.4 came out in April, what exactly was it you thought that you were patching?

      • Interesting. I (lazily) tested one of our servers for this vulnerability using the script provided, and it wasn't vulnerable. I only later noticed that our Plesk version is not affected.
        Did you test yours before patching?
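A defensive log check for the request shape argued about in this subthread (TBone's "PHP-via-CGI configuration", the reply's CVE-2012-1823 attribution), added here as an example; it is not code from any commenter, from Plesk or from the published exploit. The background it relies on: when PHP runs as a CGI binary, a query string that contains no unencoded `=` is handed to `php-cgi` as command-line arguments, which is the mechanism behind CVE-2012-1823, and the PHP project's published mod_rewrite workaround for that CVE denies exactly that shape (`RewriteCond %{QUERY_STRING} ^[^=]*$`, then `RewriteCond %{QUERY_STRING} %2d|\- [NC]`, then `RewriteRule .? - [F,L]`). The script below applies the same two conditions to Apache common-format access log lines so an administrator can find out whether such requests reached a server before the workaround went in; the log lines are constructed for the example and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache "common" log format; only method, target and status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): two ordinary requests, two with
# option-style query strings, and one benign request that trips the coarse rule.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2013:13:37:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.5 - - [06/Jun/2013:13:37:05 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
203.0.113.9 - - [06/Jun/2013:13:38:11 +0000] "POST /index.php?-d+display_errors%3d1 HTTP/1.1" 200 77
198.51.100.2 - - [06/Jun/2013:13:39:00 +0000] "GET /search?q=foo-bar HTTP/1.1" 200 900
198.51.100.2 - - [06/Jun/2013:13:40:00 +0000] "GET /download?-file HTTP/1.1" 404 210
"""


def is_cgi_argv_query(query):
    """True if php-cgi would treat this raw query string as command-line options:
    no unencoded '=' and at least one '-' (literal or percent-encoded as %2d).
    This mirrors the two RewriteCond lines of the PHP project's workaround."""
    if query == "" or "=" in query:
        return False
    return "-" in query or "%2d" in query.lower()


def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def scan(log_text):
    """Return (ip, method, target, status) for every request whose query string
    has the CGI-argument shape. The query is taken raw (urlsplit does not decode),
    because the '=' test must see the string exactly as the CGI layer did."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cgi_argv_query(urlsplit(rec["target"]).query):
            hits.append((rec["ip"], rec["method"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}")
```

Two things the output shows that the comments do not: the rule is a request-shape check, not a payload signature, so the method (GET or POST, as the summary describes) is irrelevant to it, and it is deliberately coarse: the last sample line (`/download?-file`) is flagged although nothing about it is hostile, which is also the false-positive profile of the mod_rewrite workaround itself. A `200` on a flagged line is the one worth following up; after the workaround is in place the same shape should show `403`.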

  • by Anonymous Coward

    Thank god my hosting provider is still using 8.6.

  • PHP running with high privileges is an exploit waiting to happen.

    • Re: (Score:2, Insightful)

      by TBone (5692)

      PHP doesn't need high privileges to zombie a box via bots/scripts downloaded to /tmp or /var/tmp in one POST request, and spawned via a second.

  • by Parallels (2943753) on Thursday June 06, 2013 @03:30PM (#43928803)
    This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesks. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy, no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818
  • by Anonymous Coward on Thursday June 06, 2013 @03:47PM (#43929019)

    Parallels has no one to blame but themselves for this being posted publicly.

    Having found exploit code published on Pastebin for Plesk through an automated Google alert, I recently attempted to contact Parallels.

    I was unable to do so because I'm not a paying customer willing to pay to submit the security issue.

    You can read more about this problem over at my blog: http://caffeinesecurity.blogspot.com/2012/12/how-not-to-handle-software.html

  • by fazey (2806709)
    way to sit on the exploit long enough for it to no longer matter.
