Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Plesk 0-day: Real or not?

Published: 2013-06-07
Last Updated: 2013-06-07 01:42:47 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Yesterday, a poster to the full disclosure mailing list described a possible new 0-day vulnerability against Plesk. Contributing to the vulnerability is a very odd configuration choice to expose "/usr/bin" via a ScriptAlias, making executables inside the directory reachable via URLs.

The big question that hasn't been answered so far is how common this configuration choice is. Appaerently, some versions of Plesk on CentOS 5 are configured this way, but not necessarily exploitable. The exploit is pretty easy to spot. It sends a heavily URL encoded POST request with a "Googlebot" user agent. Google typically doesn't send POST requests, so they are pretty easy to spot. I found a couple POSTS from "Google" (actually a "random" Chinese IP address, 222.187.222.122 ) in our web logs here.

Masquearding as Google is a common trick among exploit scripts. 

Please verify that your Apache configuration does NOT include this line:

 

ScriptAlias /phppath/ "/usr/bin/"

 

Let us know if you spot it in the wild.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
7 comment(s)
Diary Archives