
V-173: Plesk 0-Day Vulnerability

June 7, 2013 - 6:00am


PROBLEM:

There is a command injection vulnerability in Plesk which is currently being exploited in the wild.

PLATFORM:

Plesk versions 8.6, 9.0, 9.2, 9.3, and 9.5.4

ABSTRACT:

The vulnerability is caused by a PHP misconfiguration in the affected application.

REFERENCE LINKS:

Seclist.org
TrendMicro SIB
isc.sans.edu
Paritynews.com
slashdot.org

IMPACT ASSESSMENT:

High

DISCUSSION:

The exploit makes use of specially crafted HTTP queries that inject PHP command-line options. It sends a POST request that launches the PHP interpreter, and the attacker can set arbitrary configuration parameters through that request.

The published exploit code calls the PHP interpreter directly with the arguments allow_url_include=on, safe_mode=off and suhosin.simulation=on. The allow_url_include setting lets a remote attacker include any PHP script, and suhosin.simulation puts the Suhosin hardening extension into simulation mode, which reduces its protection.

Plesk uses a default Apache configuration, ScriptAlias /phppath/ "/usr/bin/", which serves the /usr/bin directory directly when an attacker requests /phppath.

Hence the attacker can easily exploit this vulnerability by calling the PHP interpreter with unsafe arguments as follows:

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
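From the defender's side, the request shape above is easy to recognise in web-server logs: a request under the php-cgi alias whose query string, once URL-decoded, consists of command-line options rather than key=value CGI parameters. The script below is an added example and is not part of this advisory or of Plesk; it assumes the Plesk default alias /phppath/ from the discussion, uses a constructed Apache combined-format log (not real traffic), and grades each hit by whether it sets one of the three directives the published exploit uses.

```python
"""Scan Apache access logs for php-cgi argument injection (the /phppath/php?-d ... pattern).
Added detection example; not code from the advisory or from Plesk."""
import re
from urllib.parse import unquote_plus

# URL prefixes that ScriptAlias maps onto a directory containing the php binary.
# Assumption: the Plesk default "/phppath/" named in the advisory; extend for your hosts.
PHP_CGI_PREFIXES = ("/phppath/",)

# php.ini directives the published exploit sets via -d; setting any of these
# from a query string is never legitimate traffic.
DANGEROUS_DIRECTIVES = {"allow_url_include", "safe_mode", "suhosin.simulation"}

# Constructed sample log lines (Apache combined format); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2013:06:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2013:06:00:02 +0000] "POST /phppath/php?%2Dd+allow_url_include%3Don+%2Dd+safe_mode%3Doff+%2Dd+suhosin.simulation%3Don HTTP/1.1" 200 1024 "-" "curl/7.30"
203.0.113.9 - - [07/Jun/2013:06:00:03 +0000] "GET /phppath/php?%2Dd+display_errors%3D1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Jun/2013:06:00:04 +0000] "GET /phppath/php?page=1 HTTP/1.1" 404 200 "-" "Mozilla/5.0"
198.51.100.3 - - [07/Jun/2013:06:00:05 +0000] "GET /index.php?q=-1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Matches "-d name=value" and the concatenated form "-dname=value".
DIRECTIVE_RE = re.compile(r'-d\s*(?P<name>[\w.]+)\s*=\s*(?P<value>\S+)')


def parse_line(line):
    """Return the fields needed from one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def check_request(path, query):
    """Classify one request.

    Returns (directives, looks_like_argv): the ini directives injected through -d
    (possibly empty) and whether the query string looks like command-line options
    rather than CGI parameters. Requests outside the php-cgi alias are ignored."""
    if not path.startswith(PHP_CGI_PREFIXES):
        return [], False
    decoded = unquote_plus(query)          # %2D -> '-', '+' -> ' ', %3D -> '='
    tokens = decoded.split()
    # Genuine CGI parameters are key=value pairs; any option-looking token
    # ("-d", "-n", "-s", ...) means the query string reached php-cgi's argv.
    looks_like_argv = any(t.startswith("-") for t in tokens)
    directives = [m.group("name") for m in DIRECTIVE_RE.finditer(decoded)]
    return directives, looks_like_argv


def scan_log(text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        directives, argv = check_request(rec["path"], rec["query"])
        if not argv:
            continue
        hit = sorted(set(directives) & DANGEROUS_DIRECTIVES)
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "directives": directives,
                         "dangerous": hit, "severity": "high" if hit else "medium"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], f["method"], f["path"],
              "directives=" + ",".join(f["directives"]))
```

Run it against a real access log with `scan_log(open(path).read())`; the status code is parsed but deliberately not used as a filter, because a 404 or 500 still records an attempt worth alerting on. Note that the decoding step matters: the exploit traffic arrives with the dash and equals sign percent-encoded, so a detector that greps the raw log for `-d ` will miss it.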

IMPACT:

This vulnerability is easily exploitable with the exploit code available, and successful exploitation can result in complete compromise of the system with web service privileges.

SOLUTION:

Ensure Plesk is patched to the latest release, version 11.
