Plesk 0-day: Real or not?

Plesk 0-day: Real or not?
Yesterday, a poster to the full disclosure mailing list described a possible new 0-day vulnerability against Plesk. Contributing to the vulnerability is a very odd configuration choice to expose "/usr/bin" via a ScriptAlias, making executables inside the directory reachable via URLs. The big question that hasn't been answered so far is how common this configuration choice is. Appaerently, some versions of Plesk on CentOS 5 are configured this way, but not necessarily exploitable. The exploit is pretty easy to spot. It sends a heavily URL encoded POST request with a "Googlebot" user agent. Google typically doesn't send POST requests, so they are pretty easy to spot. I found a couple POSTS from "Google" (actually a "random" Chinese IP address, 222.187.222.122 ) in our web logs here. Masquearding as Google is a common trick among exploit scripts. Please verify that your Apache configuration does NOT include this line: ScriptAlias /phppath/ "/usr/bin/" Let us know if you spot it in the wild. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS London May 2021	Johannes 4111 Posts ISC Handler Jun 7th 2013
Thread locked Subscribe	Jun 7th 2013 7 years ago
Botnet using Plesk vulnerability and takedown http://seclists.org/fulldisclosure/2013/Jun/36	Anonymous
Quote	Jun 7th 2013 7 years ago
On a Plesk 10.3-based CentOS 5 system, I instead see the following in /etc/httpd/conf.d/php_cgi.conf so I guess the vulnerable configuration might be an earlier version of Plesk: scriptAlias /phppath/ "/var/www/cgi-bin/cgi_wrapper/"	Steven C. 171 Posts
Quote	Jun 7th 2013 7 years ago
This looks like an (unsuccessful) probe, it is not legitimate traffic: 82.195.239.50 - - [07/Jun/2013:20:34:26 +0100] "GET /phppath/php HTTP/1.0" 404	Steven C. 171 Posts
Quote	Jun 7th 2013 7 years ago
Also seen hitting two other hosts. In each case these probes went to the 'default' HTTP virtual host: 178.79.161.86 - - [07/Jun/2013:07:27:19 +0100] "GET /phppath/php HTTP/1.0" 404 209 178.79.161.86 - - [07/Jun/2013:07:27:19 +0100] "GET /phppath/php HTTP/1.0" 404 209 78.46.64.21 - - [07/Jun/2013:10:15:21 +0000] "GET /phppath/php HTTP/1.0" 404	Steven C. 171 Posts
Quote	Jun 7th 2013 7 years ago
Long-time reader, first-time submitter... My Apache server got the following POST this morning: 70.86.135.250 - - [08/Jun/2013:05:02:19 -0700] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 296 The decoded URL begins with "/phppath/php", so I thought it might be an instance of this Plesk exploit. (The rest of the decoded URL is just gibberish to me; feel free to remove it if it's somehow dangerous, an unpublished PoC or whatnot.) Is it? I don't capture UserAgent so I don't know whether the client was claiming to be GoogleBot; I also don't run any scripting in Apache so the attack was moot in any case. (The source IP seems to belong to ThePlanet.com, in Dallas.)	whurlitzer 13 Posts
Quote	Jun 8th 2013 7 years ago
Indeed, this is the phpbb exploit. The full decode: /phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=input -n so in short, he is trying to turn off various security settings in php, then just use stdin as a default prepend file. (that part if probably in the POST?)	Johannes 4111 Posts ISC Handler
Quote	Jun 9th 2013 7 years ago
Johannes, thanks for confirming that. I don't save the requests, so I can't confirm that there was any further payload there. (I don't even run PHP, or any other Apache modules, so I'm generally pretty amused when I see messages like this in the access log.)	whurlitzer 13 Posts
Quote	Jun 11th 2013 7 years ago