Plesk 0-day Remote Vulnerability in the Wild

Just last week another 0-day vulnerability in Plesk was released. It affects Plesk versions 9.2, 9.3 and 9.5.4. If you have not done so yet, we recommend updating Plesk immediately.

Note: In our latest analysis of servers whose Apache binaries or modules were compromised (DarkLeech or Cdorked.A), Plesk was often one of the entry points.

Technical Analysis

The exploit was released last week by Kingcope, together with a sample script to "test" whether a server is vulnerable. The vulnerability comes from this directive in the Apache configuration that Plesk ships:

ScriptAlias /phppath/ "/usr/bin/"

ScriptAlias maps the URL prefix /phppath/ onto /usr/bin/ and marks everything under it as a CGI program, so anyone can run the PHP interpreter (/usr/bin/php) simply by requesting /phppath/php. Once the binary is running as a CGI, they can pass it command-line options through the query string, in the same way as CVE-2012-1823 (the PHP CGI argument injection bug):

/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n

The -d options switch off the usual restrictions, and auto_prepend_file=php://input makes php-cgi execute whatever is sent in the POST body as PHP code. On the wire the "=" characters are URL-encoded as %3D (see the log entries below), because mod_cgi only passes the query string to the program as command-line arguments when it contains no literal "=". This permits attackers to inject and run arbitrary code as the web server user (apache). Due to the severity, we recommend either removing the vulnerable directive (grep your Apache configuration for phppath) or updating to the latest version of Plesk.

In the wild

And yes, we are already seeing this vulnerability being probed in the wild, either by attackers checking whether /phppath/php exists or by outright exploitation attempts:

80.248.x.y - - [10/Jun/2013:23:58:29 -0400] "GET /phppath/php HTTP/1.1" 302 154 "-" "libwww-perl/5.813"

91.224.x.y - - [10/Jun/2013:23:59:58 -0400] "POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n HTTP/1.1"

... along with many other requests for similar paths.
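To make the two checks above concrete (auditing the Apache configuration for the ScriptAlias, and picking these requests out of an access log), here is an added example in Python. It is not Sucuri's or Plesk's code. The log lines it scans are constructed to mirror the entries above, with example IPs from the documentation ranges, and the splitting of the query string into arguments follows mod_cgi's rule that a query string containing no literal "=" is split on "+" and URL-decoded into argv. The directive list and the probe/exploit threshold are choices of this example.

```python
"""Added example (not Sucuri's or Plesk's code): audit Apache config for the
Plesk /phppath/ ScriptAlias and flag probes and exploit attempts in an access log."""
import re
from urllib.parse import unquote

# System binary directories that must never be exposed as a CGI directory:
# every executable in them becomes a web-callable program.
DANGEROUS_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")

# Matches an uncommented ScriptAlias line; the target may or may not be quoted.
SCRIPTALIAS_RE = re.compile(
    r'^[ \t]*ScriptAlias[ \t]+(\S+)[ \t]+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def audit_scriptalias(conf_text):
    """Return (url_prefix, directory) pairs where a ScriptAlias maps a URL
    onto a system binary directory (the Plesk /phppath/ -> /usr/bin/ case)."""
    findings = []
    for m in SCRIPTALIAS_RE.finditer(conf_text):
        url_prefix, target = m.group(1), m.group(2).rstrip("/")
        if target in DANGEROUS_DIRS:
            findings.append((url_prefix, target))
    return findings


def cgi_argv(query):
    """Reproduce how mod_cgi builds argv for a CGI program (RFC 3875 s.4.4):
    only when the raw query string contains no literal '=' is it split on '+'
    and each piece URL-decoded. That is why the exploit sends '=' as %3D."""
    if not query or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+")]


def ini_overrides(argv):
    """Collect the 'name=value' pairs handed to php-cgi through '-d' options."""
    overrides = {}
    for opt, val in zip(argv, argv[1:]):
        if opt == "-d":
            name, _, value = val.partition("=")
            overrides[name] = value
    return overrides


# Subset of the Apache combined log format: client, timestamp, method and target.
# Status and user-agent are not required, so truncated lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# Directives whose presence turns a probe into an exploit attempt: together they
# make php-cgi execute the POST body (php://input) as PHP code.
EXPLOIT_DIRECTIVES = {"auto_prepend_file", "allow_url_include"}


def classify_request(line):
    """Return None for unrelated lines, else a dict describing a /phppath/ request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith("/phppath/"):
        return None
    overrides = ini_overrides(cgi_argv(query))
    verdict = "exploit" if overrides.keys() & EXPLOIT_DIRECTIVES else "probe"
    return {"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "binary": path[len("/phppath/"):], "verdict": verdict, "overrides": overrides}


def scan_log(lines):
    """Run classify_request over an iterable of log lines, keeping only the hits."""
    return [hit for hit in map(classify_request, lines) if hit]


# Constructed sample log (RFC 5737 example IPs), modelled on the entries above.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2013:23:58:20 -0400] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2013:23:58:29 -0400] "GET /phppath/php HTTP/1.1" 302 154 "-" "libwww-perl/5.813"',
    # Literal '=' in the query: mod_cgi passes no argv, so php-cgi never sees the -d flags.
    '203.0.113.9 - - [10/Jun/2013:23:59:10 -0400] "GET /phppath/php?-d+allow_url_include=on HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [10/Jun/2013:23:59:58 -0400] "POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff'
    '+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone'
    '+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n HTTP/1.1" 200 77 "-" "-"',
]

if __name__ == "__main__":
    conf = 'ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"\nScriptAlias /phppath/ "/usr/bin/"\n'
    for url, directory in audit_scriptalias(conf):
        print(f"REMOVE: ScriptAlias {url} exposes {directory} as a CGI directory")
    for hit in scan_log(SAMPLE_LOG):
        print(hit["verdict"].upper(), hit["ip"], hit["method"], hit["binary"], sorted(hit["overrides"]))
```

Run against a real configuration, anything returned by audit_scriptalias is a directive to delete; against a real access log, "probe" hits are reconnaissance and "exploit" hits carry the full -d chain and deserve a look at the POST body if you log it. The third sample line shows the point made above about encoding: with a literal "=" in the query string, mod_cgi passes no arguments at all, so that request is classified as a probe rather than an exploit attempt.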

We will update with more details as we keep tracking this vulnerability.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://www.y8u.org/ Y8

    The useful information, I like it. I can follow it to do my task in the next course.

  • http://www.mercubuana.ac.id/ ryditya909

    Thanks for the POC.