Trend Micro identifies zero-day exploitation of Plesk which results in compromised web server

15 June 2013 | In News | 344 views | By

Click & share: 

Trend Micro, líder mundial em safety na nuvem, is tracking an exploration that affects some of the older versions of Plesk, allowing the attacker to completely control a vulnerable server. Plesk is made by Parallels and is a popular web hosting control panel. This vulnerability represents a high risk to all sites hosted on systems that use older versions and without Plesk support. Fortunately, Trend Micro protects its users against this threat via Deep Security.

SegurancaThis is a command injection vulnerability in Plesk the Parallel, that is already being exploited by malicious code. In the last week, the “kingcope” reported for the first time the code to exploit this vulnerability on the mailing list with a wide dissemination. Esta vulnerabilidade é easily explorada com o código já disponível e esse processo, being successful, can lead to complete system compromise with privileges web service. A vulnerabilidade é causada devido a erros de configuração no PHP do application afetado.

Exploit code published invokes directly the PHP interpreter with the argument "allow_url_include = on, safe_mode = off. andsuhosin simulation = on ". The argument "allow_url_inlcude" enables any PHP script is inserted remotely by attacker and the “suhosin. simulation” is used to put the system in simulated mode, o que resulta em protection reduced.

Plesk uses a default configuration, "scriptAlias/phppath/"/usr/bin/", in Apache that evokes the/usr/bin directory when the attacker asks the/phppath.

Like this, the attacker can easily exploit this vulnerability by invoking the PHP interpreter with unsafe arguments like this: /phppath/php?-d allow_url_include = on-d safe_mode = off-d suhosin. simulation = on.

This vulnerability is different from CVE-2012-1823 because the PHP interpreter is being called directly. The author explains this as discloses the code of exploit. Interestingly, the author of the code also provides an SSL version of the farm. He asserts that this feat was tested successfully on versions 8.6, 9.0, 9.2, 9.3 and 9.5.4 the Plesk.

The Kingcope also noted that this exploit does not work with the latest versions of Plesk. As we noted in the incident "Ruby on Rails", not all update their servers regularly or with the latest version for various reasons. Like this, We can see Plesk-based site being affected by this feat in the near future.

According to the supplier, This vulnerability is a variant of another longtime known CVE-2012-1823, related to the CGI mode only for PHP in Plesks oldest. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and x 11, as well as Parallels Plesk Automation, are not vulnerable. If anyone is using the legacy, or an unsupported version of Parallels Plesk Panel, These should upgrade to the latest version. For legacy versions of Parallels Plesk Panel, provide a suggested solution and unsupported described in

For the time being, Trend Micro Deep Security customers are advised to install the latest update DSRU13-018. The following rule of Deep Security addresses the issue: 1005529 – Remote command execution vulnerability PHP for Parallels Plesk

Given the severity of the bug, aconselhamos clientes e todos os other usuários do Plesk a comentar a linha “scriptAlias /phppath/” /usr/bin/” ” de configuração do Apache e habilitar a autenticação nas páginas do painel de controle Plesk. To learn more about how to make their holdings-proof servers, You can read the report Vulnerability monitoring: your servers are operating proof?

In Ivaiporã-PR, Computer engineer, Workgroup Administrator Tips in General. Passionate about technology and Informatics.

A bit about us

    The Group generally appeared in Tips 2007 from innovative ideas on troubleshooting problems faced daily by those who use the technology and computer science, both ordinary users and technicians. But where did, why and what is the purpose of this site?

Click here to read!

Siga o Dicas em Geral no Google+

Video of the week