We’re tracking an exploit affecting some of the older versions of Plesk that enables an attacker to fully control a vulnerable webserver. Plesk is made by Parallels and is a popular hosting control panel. This vulnerability means all websites hosted on systems that use older, unsupported versions of Plesk are at risk. Fortunately, Trend Micro protects users from this threat via Deep Security.
This is a command injection vulnerability in Parallels Plesk that is currently being exploited in the wild.
Yesterday, “kingcope” first reported the exploit code for this vulnerability on the full-disclosure mailing list. With the exploit code available, the vulnerability is easy to exploit, and successful exploitation can lead to complete compromise of the system with web service privileges. The vulnerability is caused by a PHP misconfiguration in the affected application.
The published exploit code calls the PHP interpreter directly with the arguments allow_url_include=on, safe_mode=off and suhosin.simulation=on. The allow_url_include argument allows a remote attacker to include any PHP script, and suhosin.simulation puts Suhosin into simulation mode, which results in reduced protection.
Plesk uses a default Apache configuration, ScriptAlias /phppath/ "/usr/bin/", which maps requests for /phppath directly to the /usr/bin directory.
Hence the attacker can easily exploit this vulnerability by calling the PHP interpreter with unsafe arguments as follows:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
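Defenders can look for this request pattern in Apache access logs. The Python sketch below is an added example, not code from the original post, Trend Micro or Parallels: it flags any request under /phppath/ and reports which of the -d overrides named above appear once the URL is decoded. The function names are hypothetical and the log lines are constructed.

```python
import re
from urllib.parse import unquote, unquote_plus

# php.ini settings the article says the published request overrides via -d.
OVERRIDDEN = ("allow_url_include", "safe_mode", "suhosin.simulation")

# Client, request target and status of an Apache common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')


def inspect(line):
    """Return a finding for any request under /phppath/, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    path, _, query = target.partition("?")
    if not unquote(path).startswith("/phppath/"):  # decode %xx in the path first
        return None
    args = unquote_plus(query).lower()  # %20 and '+' both become spaces
    overrides = [d for d in OVERRIDDEN
                 if re.search(r"-d\s*" + re.escape(d) + r"\s*=", args)]
    return {
        "client": client,
        "status": int(status),  # response code, kept for triage
        "switches": args.lstrip().startswith("-"),  # query tries to pass CLI switches
        "overrides": overrides,
    }


def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2013:10:01:22 +0000] "GET /index.php?id=4 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2013:10:02:03 +0000] "GET /phppath/php?-d%20allow_url_include=on'
    '%20-d%20safe_mode=off%20-d%20suhosin.simulation=on HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2013:10:02:09 +0000] "GET /%70hppath/php?-d+allow_url_include=on'
    ' HTTP/1.1" 404 209',
    '203.0.113.5 - - [01/Jan/2013:10:05:40 +0000] "GET /phppath/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit under /phppath/ is worth reviewing, since the alias exposes /usr/bin to web requests whether or not the -d switches are present.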
This vulnerability is different from CVE-2012-1823 because the PHP interpreter is being called directly. The author has clarified this along with the exploit code. Interestingly, the author also supplied an SSL version of the exploit. He claims that this exploit was successfully tested on Plesk versions 8.6, 9.0, 9.2, 9.3 and 9.5.4.
Kingcope also noted that this exploit does not work on the latest Plesk versions. As we noted in the Ruby on Rails incident, not everyone updates their servers regularly or to the latest version, for various reasons. Thus, we might see Plesk-supported sites being affected by this exploit in the near future.
According to the vendor, this vulnerability is a variation of the long-known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesk versions. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy and no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818.
In the meantime, Trend Micro Deep Security customers are advised to apply the latest update, DSRU13-018. The following Deep Security rule addresses the issue.
- 1005529 – Parallels Plesk Remote PHP Command Execution Vulnerability
Given the severity of the bug, we advise customers and all Plesk users to comment out the ScriptAlias /phppath/ "/usr/bin/" line in the Apache configuration and enable authentication on the Plesk control panel pages. To learn more about how to make your servers exploit-proof, you may read our full paper Monitoring Vulnerabilities: Are Your Servers Exploit-Proof?.