• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Critical Plesk vulnerability

SalvadorS

Regular Pleskian
Anybody knows how to fix this?

Hundreds of thousands of websites could be endangered by publicly available attack code exploiting a critical vulnerability in the Plesk control panel. This particular vulnerability gives hackers control of the server it runs on according to security researchers.

The code-execution vulnerability affects default versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems, a configuration used by more than 360,000 websites. Plesk running on Windows and other types of Unix haven't been tested to see if those configurations are vulnerable as well. The exploit code was released Wednesday on the Full-Disclosure mailing list by "kingcope," a pseudonymous security researcher who has frequented the forum for years. He has a proven track record for developing reliable exploits.

"This vulnerability has a high severity rating," kingcope wrote in an e-mail to Ars. "An attacker can use this exploit to get a command line shell remotely with the privileges of the configured Apache user."

Representatives of Parallels, the software developer that sells Plesk, didn't respond to e-mails seeking comment for this post. The fee-based software gives administrators an easy-to-use interface for setting up websites, e-mail servers, databases, and domain name system services.

The vulnerability disclosure comes as tens of thousands of websites running the Apache Web server have come under the spell of malicious software that exposes visitors to potent malware attacks. Researchers still don't know how the exploits, known as both Linux/Cdorked and DarkLeach, are able to take hold, but vulnerabilities in Plesk, Cpanel, and other software used to administer websites is considered one possibility. Kingcope didn't rule that out, although he said the Apache infections were already cresting before he discovered the Plesk vulnerability.

The critical vulnerability stems from a default setting in Plesk that exposes the entire "/usr/bin" directory to the Internet. The path in Unix-based systems is one of the main locations for powerful executable files that render webpages and connect to databases. Wednesday's exploit can be used to send commands to binaries based on the PHP programming language that open a command window on the attacker's computer. From there, the attacker has administrative control over the vulnerable website. An attacker could do things like install malicious Apache modules or create backdoor accounts with such a command shell.

"This is a complete compromise of the machine with privileges of the Web server," a hacker who goes by the moniker webDEViL told Ars shortly after reviewing the exploit code. "In simple words /usr/bin is being referenced when you call a PHP path." He said the underlying vulnerability was similar to a critical PHP vulnerability patched last year. Except in the latest case, the PHP interpreter itself is exposed to the outside world.

Kingcope advised Plesk administrators to "uncomment" or remove altogether the Apache configuration entry that exposes the PHP files and then restart the Web server. The line, he said, looks like this:

scrptAlias/phppath/"/usr/bin/"
Without the input from Plesk developers, it wasn't immediately clear if there are other ways to mitigate the vulnerability until it's patched. This post will be updated if Parallels officials respond later. In the meantime, Ars readers are invited to leave mitigation suggestions in comments.


Source
 
Just did a quick grep through our shared servers running Plesk 9.5.4 and theres no occurance of the instruction scriptAlias /phppath/ "/usr/bin/" in any of the config files under /etc/httpd.
 
True, but would be nice to get a comment from Parallels on this considering its in mainstream press.
 
Running;

Code:
grep -i "scriptalias /phppath/" $(awk '$1 = /HTTPD_VHOSTS_D/{print $2}' /etc/psa/psa.conf)/*/conf/*
grep -i "scriptalias /phppath/" $(awk '$1 = /HTTPD_INCLUDE_D/{print $2}' /etc/psa/psa.conf)/php_cgi.conf
grep -ir "scriptalias /phppath/" $(awk '$1 = /HTTPD_CONF_D/{print $2}' /etc/psa/psa.conf)*

I can't find any server that is updated to the latest version, that is NOT using the wrappers.


So this entire '0day exploit' consists of either;

1) non-updated Plesk instances
2) failed Plesk upgrades
3) Debian / Ubuntu based installs ?
4) rumours / lies


TL;DR

Nothing to see here, move along, no exploit for 99% of Plesk customers
and no exploit for 100% of Plesk customers who upgrade to latest versions.



And FYI; perl scripts being spawned by PHP have just as much access.
So nothing new here..
 
Last edited:
Back
Top