Supposed zero-day exploit for Plesk - Update
The hacker known as KingCope has taken to the security mailing list Full Disclosure to publish what seems to be a zero-day exploit for Plesk, the hosting software package made by Parallels. KingCope says that the exploit uses specially prepared HTTP queries to inject PHP commands and that he has successfully tested it on Plesk 9.5.4, 9.3, 9.2, 9.0 and 8.6 on Red Hat, CentOS and Fedora. Version 11.0.9 is apparently not affected.
The hacker seems to have found a way to use a POST request to launch the PHP interpreter with any configuration parameters that an attacker may want; the interpreter can then be made to carry out any command at will. The exploit uses the requested URL to start the interpreter with the desired parameters (say, "safe_mode=off"), and the PHP code that is to be executed is in the data portion of the request. The web server's access log records the request as follows:
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
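As an added example (written here, not taken from the article or from the exploit), the following Python check applies the CGI argv rule to access-log request lines like the one above: a query string without an unencoded "=" is split on "+" and percent-decoded into interpreter arguments, so an analyst can see which php.ini overrides a request attempted. The sample log entries are constructed from the article's line plus benign requests; the CGI semantics assumed are those of RFC 3875.

```python
"""Spot php-cgi argument injection (the CVE-2012-1823 pattern) in access logs.
RFC 3875 section 4.4: a query string with no unencoded '=' is handed to the CGI
program as argv, split on '+' and percent-decoded; for php-cgi these are options.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample: the request line quoted in the article plus benign lines.
SAMPLE_LOG = [
    'POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    'GET /index.php?page=home&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'GET /docs?intro HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    # A literal '=' makes this a form query for the CGI layer, never argv.
    'GET /search?q=php+-d+options HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'\b(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d')

def cgi_argv_from_query(query: str) -> List[str]:
    """Apply the RFC 3875 argv rule: no '=' -> split on '+', decode each token."""
    if "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]

def analyze_request_line(line: str) -> Optional[dict]:
    """Decode the request target and report whatever would reach php-cgi's argv."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    argv = cgi_argv_from_query(query)
    # '-d key=value' overrides php.ini at startup; '-n' skips php.ini altogether.
    ini_overrides = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-d"]
    return {
        "method": m.group("method"),
        "path": unquote(path),
        "argv": argv,
        "ini_overrides": ini_overrides,
        # Option-like tokens reaching argv are abnormal for any web request.
        "suspicious": any(a.startswith("-") for a in argv),
    }

def scan(lines: List[str]) -> List[dict]:
    """Return the analysis of every request that would inject interpreter options."""
    results = (analyze_request_line(line) for line in lines)
    return [r for r in results if r and r["suspicious"]]
```

Run against the sample, only the article's request is reported, decoded to the path /phppath/php with six "-d" overrides ending in auto_prepend_file=php://input, which is what makes the POST body execute as PHP.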
According to KingCope, the exploit only works when Plesk has the following configuration:
scriptAlias /phppath/ "/usr/bin/"
This configuration may be the exception rather than the rule, however, as suggested by "David H", who sent a detailed reply to the Full Disclosure mailing list. Still, KingCope should be taken seriously. He is notorious in the security world for publishing several concrete zero-day exploits.
Update (7/6/2013) - Parallels have issued a statement on the issue saying that the new exploit is a variant of an exploit for an old vulnerability:
This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesks. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy, no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818.
(fab)