
Hacker Publishes Alleged Zero-Day Exploit For Plesk

timothy posted about 10 months ago | from the head-plesk dept.

Security 42

hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants (Red Hat, CentOS and Fedora) are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses a POST request to launch a PHP interpreter, and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."


42 comments

little late (5, Informative)

Anonymous Coward | about 10 months ago | (#43927447)

plesk is currently in ver 11... this would have been big like 2 years ago.

Re:little late (5, Insightful)

Anonymous Coward | about 10 months ago | (#43927557)

plesk is currently in ver 11... this would have been big like 2 years ago.

yet, surprisingly, many companies will still be running those Plesk versions due to laziness, stupidity, ignorance, lack of staff for upgrade, etc. See it every day - or a variation of the same - old software kills.

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43927863)

The problem is that Parallels have a well-established upgrade treadmill, and 9.5.4 was the last "good" (I use that term in the relative sense only) version. The entire Plesk 10 series was an utter disaster, and while 11 addressed some of the worst shortfalls, the interface is still awful by comparison and is pretty much best described as "adware you still have to pay for." Hell, even the default domain holding pages display adverts for Parallels "partners."

Re:little late (1)

Jesus_666 (702802) | about 10 months ago | (#43933997)

At my workplace we still use Plesk 9.5. This is because we decided to go with a hosted server instead of one where we actually have any control, and that's what the server came with. Since we're dependent on the Plesk API working, we've been putting off a proposed update to Plesk 11 for some time now.

Now, technically Plesk 11 should still speak the same API dialect we use but since Plesk's API isn't exactly stable as it is I can't rule out that arbitrary parts of it may stop working. Since we can't afford to have everyone on standby to catch possible business-breaking Plesk bugs right now we're putting it off until after our current development project.

Of course the proper solution would be to switch to a management console with a more reasonable XML-RPC implementation or to just configure the involved programs directly. Unfortunately we can do neither. (And yes, configuring a dozen different software packages by hand would be easier than dealing with Plesk's API. At least in 9.5 that API is so damn unreliable that I have to go clean up after it at least once a week.)

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43927571)

But I wonder how many hosting providers (and their customers) are still stuck in 2 years ago... ;)

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43930791)

Or stuck in not wanting ads forced down their customers' throats when they upgrade to the newest version.

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43927697)

Point? The company I work for still uses JBoss 4.3

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43928751)

We're on 4.2, though admittedly we took the time to manually apply & recompile for several critical security patches in the embedded Tomcat and run a somewhat customized 4.2.3.

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43928211)

And I'm still dealing with the after effects of a bad Plesk upgrade. It's not the best piece of software, so when it's working, you tend to leave it alone.

Plus, many hosting providers do not provide a license for the upgraded versions. The users tend not to shell out the extra cash to be current.

Re:little late (1)

toygeek (473120) | about 10 months ago | (#43929461)

Have you ever tried upgrading a Plesk installation? I've done it. It's not pretty. Database inconsistencies, accounts that have to be reinstalled, data loss: they're all very real with this pile of poo software. In fact, when I dealt with it we were more likely to build a new version server and migrate customers to it because upgrading the server in place was so prone to failure. There's a reason there are so many old Plesk versions around. It SUCKS.

Re:little late (2)

h4rr4r (612664) | about 10 months ago | (#43929669)

Why not just be a big boy and forgo this hand holding software?

Re:little late (1)

toygeek (473120) | about 10 months ago | (#43930129)

This "big boy" works in the web hosting business where control panels have been a necessity for a long time. A web hosting company without a control panel won't be around very long. My own web server doesn't need a control panel, and sure I can set up a LAMP stack in my sleep, but I'm not hosting just MY website...

Re:little late (1)

cheater512 (783349) | about 10 months ago | (#43931501)

My company went from Plesk -> cPanel but when we moved to a clustered dual-datacenter hosting environment I found rolling my own control panel surprisingly easy.

The trick is not to make the control panel run as root. Make it write the config to a db and let a shell script write all the config files.
Extremely simple (it's just a regular PHP web app) and works really nicely. Even done per-account bandwidth monitoring, phpmyadmin, aliases, crons, etc...

Re:little late (0)

Anonymous Coward | about 10 months ago | (#43930155)

Probably because it is for the end users, not the hosters. The hosting services don't need this stuff. It is the guy who wants a website that needs an admin panel.

Re:little late (1)

t4ng* (1092951) | about 10 months ago | (#43931705)

Or in the case of one customer I maintain a server for, I thought I would never see them again after the project was completed, and Plesk was the only thing available at the hosting company they insisted on using.

So I configured Plesk so it could only be accessed through the server's private IP address, only opened http and ssh ports on the firewall. So now they can click on one icon to establish a ssh tunnel with https port forwarding to the server's private IP address, then click on a bookmark to open a browser that connects them to the Plesk control panel.

So I don't really care if there is a Plesk exploit, it's never available on a public connection.

Hacker or Researcher? (0)

Anonymous Coward | about 10 months ago | (#43927523)

I'm so confused!

Patch has been developed (-1)

Anonymous Coward | about 10 months ago | (#43927637)

It is available here [microsoft.com]

Re:Patch has been developed (0)

Anonymous Coward | about 10 months ago | (#43927973)

A link to IIS? Yeah, that'll make all your problems go away.

Sensationalist Tripe (5, Insightful)

Anonymous Coward | about 10 months ago | (#43927701)

The kiddie is basically claiming Plesk 9.5.4 and prior are vulnerable to CVE-2012-1823. The problem with this is that in order to take advantage of this "new exploit" the distro has to have not had updates applied (this PHP vulnerability was patched some time ago on all the host distros), Plesk has to be configured to run the site as CGI instead of through mod_php, which isn't the default and isn't even possible on many of the claimed versions, and the path claimed isn't even configured on standard Plesk installs. When presented with these facts, his response was basically "you lie", so yeah, why is this suddenly news?

Re:Sensationalist Tripe (4, Interesting)

Zapotek (1032314) | about 10 months ago | (#43927799)

The dude replied to a valid and well-thought-out question with (irrelevant) lyrics from a Greek song. I wouldn't trust him to fill a glass of water, he obviously just wants some attention.

Try again - Re:Sensationalist Tripe (3, Insightful)

TBone (5692) | about 10 months ago | (#43928517)

I just patched this on a half dozen servers yesterday - it's not the CVE vulnerability, it's a Plesk-Apache-PHP configuration exploit.

Plesk installed a PHP-via-CGI configuration that turned an entire directory path into an auto-CGI, and exposed the system path to the php executable. A couple of escape characters later and you had remote shell commands executing via POST.

Re:Try again - Re:Sensationalist Tripe (1)

Anonymous Coward | about 10 months ago | (#43928713)

The configuration of Apache/PHP as described in the exploit, and the attack code itself, is described by CVE-2012-1823.
As the last update for Plesk 9.5.4 came out in April, what exactly was it you thought that you were patching?
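The thread above turns on CVE-2012-1823: when PHP runs as a CGI, a query string that contains no unencoded "=" is handed to php-cgi as command-line options, so "-d" and "-s" can be smuggled in through the URL. The following is an added detection example, not code from the page or from Parallels; it parses constructed Apache access-log lines and flags requests whose query string would be interpreted as php-cgi argv. The log path /cgi-bin/php is an assumed placeholder, not the path from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2013:10:01:07 +0000] "POST /cgi-bin/php?-d+allow_url_include%3d1 HTTP/1.1" 200 43 "-" "curl/7.29"
198.51.100.2 - - [03/Jun/2013:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2013:10:01:11 +0000] "GET /search.php?q=-d+flags HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, method and request target of a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def cgi_argv(raw_query):
    """Return the argv a CGI script would receive, or None if the query is not passed as argv.

    Per RFC 3875 the web server passes the query string on the command line only when
    it contains no unencoded '=', splitting on '+'. A percent-encoded %3d does not count,
    which is why it must be checked before decoding.
    """
    if raw_query == "" or "=" in raw_query:
        return None
    return [unquote(tok) for tok in raw_query.split("+") if tok]


def flag_request(target):
    """Return the decoded argv if the target looks like php-cgi option injection, else None."""
    _path, _sep, raw_query = target.partition("?")
    argv = cgi_argv(raw_query)
    if argv and any(tok.startswith("-") for tok in argv):
        return argv
    return None


def scan_log(text):
    """Yield (ip, method, path, argv) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        argv = flag_request(m.group("target"))
        if argv:
            hits.append((m.group("ip"), m.group("method"),
                         m.group("target").partition("?")[0], argv))
    return hits
```

The fourth sample line is not flagged because its raw query contains a literal "=", so a CGI server would pass it as QUERY_STRING rather than argv; matching on the decoded string alone would produce false positives on ordinary form parameters.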

Re:Try again - Re:Sensationalist Tripe (1)

ameen.ross (2498000) | about 10 months ago | (#43933819)

Interesting. I (lazily) tested one of our servers for this vulnerability using the script provided, and it wasn't vulnerable. I only later noticed that our Plesk version is not affected.
Did you test yours before patching?

So what? I hate Plesk anyways. (0)

Anonymous Coward | about 10 months ago | (#43927703)

I like to control a server myself by logging directly into it, not by using a 3rd-party browser-based tool.

Plesk is just one more pointless thing I'd have to learn that could be better spent writing code and getting actual work done.

When I set up a VPS or a dedicated server, the first thing I usually do is uninstall Plesk.

Re:So what? I hate Plesk anyways. (1)

Anonymous Coward | about 10 months ago | (#43927773)

If you set it up, why do you have Plesk installed in the first place?

Only 9.0-9.6? (1)

Anonymous Coward | about 10 months ago | (#43927759)

Thank god my hosting provider is still using 8.6.

PHP is a zero-day exploit (0)

Animats (122034) | about 10 months ago | (#43928009)

PHP running with high privileges is an exploit waiting to happen.

Really? (0)

Anonymous Coward | about 10 months ago | (#43928451)

PHP made me a multi-multi millionaire

And your point was again?

Re:Really? (1)

gl4ss (559668) | about 10 months ago | (#43928823)

PHP made me a multi-multi millionaire

And your point was again?

what's a multi-multi? you have many millions of many millions?

you're Gates, right? I knew windows had to be done on PHP.

Re:PHP is a zero-day exploit (1, Insightful)

TBone (5692) | about 10 months ago | (#43928545)

PHP doesn't need high privileges to zombie a box via bots/scripts downloaded to /tmp or /var/tmp in one POST request, and spawned via a second.

Code or STFU (0)

Anonymous Coward | about 10 months ago | (#43930183)

That's what I thought.

Nonsense (0)

Anonymous Coward | about 10 months ago | (#43928311)

It does not work against Plesk 9.5.4.

PS: There is no Plesk 9.6 at all.

Re:Nonsense (0)

Anonymous Coward | about 10 months ago | (#43928339)

I think it's a typo in the article - it should read 8.6, not 9.6

Response from Parallels (5, Informative)

Parallels (2943753) | about 10 months ago | (#43928803)

This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesks. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy and no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818 [parallels.com].

How about making upgrades actually work? (0)

Anonymous Coward | about 10 months ago | (#43931099)

It's easy to dismiss an installation as "using legacy, and a no longer supported version of Parallels Plesk Panel", until you consider what is actually involved in upgrading or patching Plesk!

At one point we had about 10 different Plesk servers and over the years we went from Plesk 5 through to 10. Point upgrades often failed. Major version updates almost always had serious problems. On occasion the entire Plesk install crapped out and needed to be restored from backups. It was such a laborious and unstable process we specifically avoided upgrading Plesk until we absolutely had to due to bugs or vulnerabilities.

If the updates were more stable we'd have done it regularly. As it was we lived in fear of having to hit that update button.

Having moved to using Virtualmin, which I grant has far fewer features, we've had no problems at all to date.

Parallels charges to submit security issues (5, Interesting)

Anonymous Coward | about 10 months ago | (#43929019)

Parallels has no one to blame but themselves for this being posted publicly.

Having found exploit code published on Pastebin for Plesk through an automated Google alert, I recently attempted to contact Parallels.

I was unable to do so because I'm not a paying customer willing to pay to submit the security issue.

You can read more about this problem over at my blog. http://caffeinesecurity.blogspot.com/2012/12/how-not-to-handle-software.html [blogspot.com]

Re:Parallels charges to submit security issues (-1)

Anonymous Coward | about 10 months ago | (#43930263)

You're a colossal faggot. Why is link to your awful blog modded up. Oh slashdot...

Re:Parallels charges to submit security issues (0)

Anonymous Coward | about 10 months ago | (#43932973)

you are indeed a faggot. the pastebin you captured (http://pastebin.com/tDvyMG9L) is not this vulnerability, but rather a backdoor that will bind a shell on port 31337. learn to read code you fucking newbie

Re:Parallels charges to submit security issues (0)

Anonymous Coward | about 10 months ago | (#43933857)

I don't believe he claims to have found the same exploit, only that when he did find an exploit for Plesk floating in the wild he found it impossible to contact Parallels support to report it. Of course, all the offices have telephone numbers listed for them, it would have been easy to ring one and ask to be directed to someone that could help.
