Slashdot Mirror


Hacker Publishes Alleged Zero-Day Exploit For Plesk

hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants (Red Hat, CentOS and Fedora) are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses a POST request to launch a PHP interpreter, and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."

7 of 42 comments

  1. little late by Anonymous Coward · · Score: 5, Informative

    plesk is currently in ver 11... this would have been big like 2 years ago.

    1. Re:little late by Anonymous Coward · · Score: 5, Insightful

      plesk is currently in ver 11... this would have been big like 2 years ago.

      yet, surprisingly, many companies will still be running those Plesk versions due to laziness, stupidity, ignorance, lack of staff for upgrade, etc. See it every day - or a variation of the same - old software kills.

  2. Sensationalist Tripe by Anonymous Coward · · Score: 5, Insightful

    The kiddie is basically claiming Plesk 9.5.4 and prior are vulnerable to CVE-2012-1823. The problem with this is that in order to take advantage of this "new exploit" the distro has to have not had updates applied (this PHP vulnerability was patched some time ago on all the host distros), Plesk has to be configured to run the site as CGI instead of through mod_php, which isn't the default and isn't even possible on many of the claimed versions, and the path claimed isn't even configured on standard Plesk installs. When presented with these facts, his response was basically "you lie", so yeah, why is this suddenly news?

    1. Re:Sensationalist Tripe by Zapotek · · Score: 4, Interesting

      The dude replied to a valid and well-thought-out question with (irrelevant) lyrics from a Greek song. I wouldn't trust him to fill a glass of water, he obviously just wants some attention.

  3. Try again - Re:Sensationalist Tripe by TBone · · Score: 3, Insightful

    I just patched this on a half dozen servers yesterday - it's not the CVE vulnerability, it's a Plesk-Apache-PHP configuration exploit.

    Plesk installed a PHP-via-CGI configuration that turned an entire directory path into an auto-CGI, and exposed the system path to the php executable. A couple of escape characters later and you had remote shell commands executing via POST.

    --

    This space for rent. Call 1-800-STEAK4U
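    A log-side check for the request shape the summary and comments 2 and 3 describe (php-cgi treating a query string as command-line switches, the CVE-2012-1823 pattern). This is an added example, not code from the post, from KingCope or from Parallels; it assumes Apache combined-format access logs, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log prefix: host ident user [time] "request" status (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Per the CGI spec, a query string with no literal '=' is an "indexed query" and
# is handed to the CGI program as argv. For php-cgi that means a leading switch
# such as -d/-s/-n/-c is interpreted as an interpreter option (CVE-2012-1823).
ARGV_SWITCH = re.compile(r'(^|\s)-[a-zA-Z]')


def flag_request(req: str):
    """Return a reason string if the request line looks like php-cgi argv injection, else None."""
    parts = req.split(' ')
    if len(parts) < 2 or '?' not in parts[1]:
        return None
    method, target = parts[0], parts[1]
    path, raw_qs = target.split('?', 1)
    if '=' in raw_qs:  # a literal '=' keeps it a normal QUERY_STRING, not argv
        return None
    decoded = unquote_plus(raw_qs)  # %3d / '+' decoding happens after the argv decision
    if ARGV_SWITCH.search(decoded):
        return f"{method} {path}: php-cgi switch in indexed query string: {decoded!r}"
    return None


def scan_log(lines):
    """Return (client_ip, reason) for every log line that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = flag_request(m.group('req'))
        if reason:
            hits.append((m.group('ip'), reason))
    return hits


# Constructed sample lines (RFC 5737 test addresses), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2013:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.7 - - [10/Jun/2013:12:00:02 +0000] "POST /index.php?-d+display_errors%3dOn HTTP/1.1" 200 77 "-" "-"',
    '203.0.113.9 - - [10/Jun/2013:12:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 3000 "-" "curl"',
    '203.0.113.9 - - [10/Jun/2013:12:00:04 +0000] "GET /index.php?searchterm HTTP/1.1" 200 3000 "-" "curl"',
]

if __name__ == '__main__':
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```

    A plain indexed query such as `?searchterm` is left alone; only a query string that would reach php-cgi as a switch is reported, so the check is useful against the mod_php-vs-CGI distinction comment 2 raises.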

  4. Response from Parallels by Parallels · · Score: 5, Informative

    This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesks. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy, no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818.

  5. Parallels charges to submit security issues by Anonymous Coward · · Score: 5, Interesting

    Parallels has no one to blame but themselves for this being posted publicly.

    Having found exploit code published on Pastebin for Plesk through an automated Google alert, I recently attempted to contact Parallels.

    I was unable to do so because I'm not a paying customer willing to pay to submit the security issue.

    You can read more about this problem over at my blog. http://caffeinesecurity.blogspot.com/2012/12/how-not-to-handle-software.html