Plesk Zero-Day Exploit Results in Compromised Webserver
We’re tracking a zero-day exploit affecting a still unpatched vulnerability in Plesk that enables an attacker to fully control a vulnerable webserver. Plesk is made by Parallels and is a popular hosting control panel. This vulnerability means all websites hosted on systems that use Plesk are at risk. This spells trouble not only for web administrators, but for common Internet users who transact or simply browse sites supported by Plesk. Fortunately, Trend Micro protects users from this threat via Deep Security.
There is a command injection vulnerability in Parallels' Plesk which is currently being exploited in the wild. Currently, more than 36,000 websites use a certain Plesk configuration, as can easily be seen on the Shodan search engine. This number alone foretells what can happen if attackers use the said exploit in their schemes.
Yesterday, “kingcope” first reported the exploit code for this vulnerability on the Full-Disclosure mailing list. This vulnerability is easily exploitable with the available exploit code, and successful exploitation can result in complete compromise of the system with web service privileges. The vulnerability is caused by a PHP misconfiguration in the affected application.
The published exploit code calls the PHP interpreter directly with the allow_url_include=on, safe_mode=off and suhosin.simulation=on arguments. The allow_url_include argument allows a remote attacker to include any PHP script, and suhosin.simulation puts Suhosin into simulation mode, which results in reduced protection.
Plesk uses a default configuration, ScriptAlias /phppath/ "/usr/bin/", in Apache which maps requests for /phppath directly onto the /usr/bin directory.
Hence the attacker can easily exploit this vulnerability by calling the PHP interpreter with unsafe arguments as follows:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
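The request pattern above is easy to spot in Apache access logs. The following detection script is an added example written for this post, not code from the original entry or from Parallels: it parses constructed Common Log Format lines (sample data, not real traffic), flags any request that goes through the /phppath/ alias, decodes the query string, and extracts the -d PHP directives so that a hit carrying allow_url_include=on, safe_mode=off or suhosin.simulation=on is rated higher than a bare probe of the alias. The log lines, the IP addresses and the severity labels are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Apache Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2013:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.20 - - [05/Jun/2013:10:02:33 +0000] "POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don HTTP/1.1" 200 812 "-" "curl/7.29"
203.0.113.30 - - [05/Jun/2013:10:03:01 +0000] "GET /phppath/php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The URL prefix that the vulnerable ScriptAlias maps onto /usr/bin.
ALIAS_PREFIX = "/phppath/"

# The interpreter settings the post describes as unsafe, with the dangerous value.
RISKY_DIRECTIVES = {
    "allow_url_include": "on",
    "safe_mode": "off",
    "suhosin.simulation": "on",
}


def parse_php_directives(query):
    """Return the key=value pairs passed via -d in a (URL-encoded) query string."""
    decoded = unquote_plus(query)
    return dict(re.findall(r'-d\s+([A-Za-z0-9_.]+)=(\S+)', decoded))


def scan_access_log(text):
    """Return one finding per request that targets the /phppath/ alias.

    Severity is "high" when the query carries any of the risky -d settings,
    otherwise "medium" (a probe of the alias without interpreter arguments).
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path, _, query = m.group("target").partition("?")
        if not path.startswith(ALIAS_PREFIX):
            continue
        directives = parse_php_directives(query)
        risky = {k: v for k, v in directives.items() if RISKY_DIRECTIVES.get(k) == v}
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": path,
            "status": int(m.group("status")),
            "directives": directives,
            "risky": risky,
            "severity": "high" if risky else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["path"], f["status"], f["risky"])
```

Because the alias exposes the whole /usr/bin directory, the scanner flags every request under /phppath/, not only those naming php; the -d parsing is what separates an active exploitation attempt (and, through the HTTP status, whether the server answered it) from a scan for the misconfiguration.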
This vulnerability is different from CVE-2012-1823 because the PHP interpreter is being called directly. The author has clarified this along with the exploit code. Interestingly, the author also supplied an SSL version of the exploit. This exploit affects Plesk versions 8.6, 9.0, 9.2, 9.3, and 9.5.4.
kingcope also noted that this exploit does not work on the latest Plesk versions. Though the exploit works only on older versions, this does not lessen its impact. As we noted in the Ruby on Rails incident, not everyone updates their servers regularly or to the latest version, for various reasons. Thus, we might see Plesk-supported sites being affected by this exploit in the near future.
There is no official response or advisory from Parallels, the developers of Plesk, on this vulnerability. We expect to see one soon and will update this entry with any developments.
In the meantime, Trend Micro Deep Security customers are advised to apply the latest update, DSRU13-018. The following Deep Security rule addresses the issue:
- 1005529 – Parallels Plesk Remote PHP Command Execution Vulnerability
Given the severity of the bug, we advise customers and all Plesk users to comment out the ScriptAlias /phppath/ "/usr/bin/" line in the Apache configuration and enable authentication on the Plesk control panel pages. To learn more about how to make your servers exploit-proof, you may read our full paper, Monitoring Vulnerabilities: Are Your Servers Exploit-Proof?
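To check a fleet of servers for the offending directive and apply the workaround above, an administrator can audit httpd.conf for ScriptAlias entries that expose a system binary directory. The script below is an added example written for this post, not Plesk's or Trend Micro's own tooling; the configuration excerpt is constructed for illustration and is not Plesk's real file, and the list of directories treated as system binary locations is an assumption. It reports active (uncommented) ScriptAlias lines whose target is such a directory and produces a copy of the configuration with those lines commented out, leaving ordinary CGI aliases untouched.

```python
import re
import shlex

# Directories whose contents should never be mapped as CGI handlers (assumed list).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")

# Matches an active ScriptAlias or ScriptAliasMatch directive; a leading "#" will not match.
ALIAS_RE = re.compile(r'^\s*ScriptAlias(?:Match)?\s+(.+?)\s*$', re.IGNORECASE)

# Constructed Apache configuration excerpt (hypothetical; not Plesk's real configuration).
SAMPLE_CONF = """\
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias /phppath/ "/usr/bin/"
# ScriptAlias /oldpath/ "/usr/bin/"
Alias /static/ "/var/www/static/"
"""


def _normalize(path):
    """Strip a trailing slash so "/usr/bin/" and "/usr/bin" compare equal."""
    return path.rstrip("/") or "/"


def find_exposed_script_aliases(conf):
    """Return active ScriptAlias lines that map a URL prefix onto a system binary directory."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if not m:
            continue
        try:
            args = shlex.split(m.group(1))  # honours the quoting Apache allows
        except ValueError:
            continue  # malformed quoting; not a valid directive
        if len(args) != 2:
            continue
        url_prefix, fs_path = args
        if _normalize(fs_path) in SYSTEM_BIN_DIRS:
            findings.append({"line": lineno, "url_prefix": url_prefix, "fs_path": fs_path})
    return findings


def comment_out_exposed_aliases(conf):
    """Return the configuration with every exposed ScriptAlias line commented out."""
    exposed = {f["line"] for f in find_exposed_script_aliases(conf)}
    out = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        out.append("# " + line if lineno in exposed else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_exposed_script_aliases(SAMPLE_CONF):
        print("line %d: %s -> %s" % (f["line"], f["url_prefix"], f["fs_path"]))
    print(comment_out_exposed_aliases(SAMPLE_CONF))
```

The audit matches on the filesystem side of the directive rather than on the /phppath/ name, so a renamed alias pointing at /usr/bin is still caught; after editing the configuration, reload Apache and re-run the audit to confirm no active mapping remains.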