Plesk 0-day Remote Vulnerability in the Wild

Just last week another 0-day vulnerability on Plesk was released. It affects Plesk 9.2, 9.3 and 9.5.4 versions. If you have not yet, we recommend that you update Plesk immediately.

Note: In our latest analysis of servers with the Apache binaries or modules compromised (DarkLeech or Cdorked.A), Plesk is often one of the entry points.

Technical Analysis

The exploit was released last week by Kingcope with a sample exploit to “test” if a server is vulnerable. The vulnerability comes from this Plesk configuration:

scriptAlias /phppath/ “/usr/bin/”

This allows any one to execute the PHP interpreter. Upon calling the PHP binary, they can pass commands very similarly to the CVE-2012-1823 (PHP CGI bug):

/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=””+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n

This permits the attackers to inject and run any command as the user Apache. Due to the severity, we either recommend removing the vulnerable configuration (grep for phppath) or updating to the latest version of Plesk.

In the wild

And yes, we are seeing this vulnerability being probed in the wild already, either by searching for phppath/php or already trying to exploit it:

80.248.x.y – – [10/Jun/2013:23:58:29 -0400] “GET /phppath/php HTTP/1.1” 302 154 “-” “libwww-perl/5.813”

91.224.x.y – – [10/Jun/2013:23:59:58 -0400] “POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n HTTP/1.1”

.. along with many other requests for similar files

We will update with more details as we keep tracking this vulnerability.