Publicly available attack code exploits remote-code bug in Plesk admin panel.
Hundreds of thousands of websites could be endangered by publicly available attack code exploiting a critical vulnerability in the Plesk control panel. This particular vulnerability gives hackers control of the server it runs on according to security researchers.
The code-execution vulnerability affects default versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems, a configuration used by more than 360,000 websites. Plesk running on Windows and other types of Unix hasn’t been tested to see if those configurations are vulnerable as well. The exploit code was released Wednesday on the Full-Disclosure mailing list by “kingcope,” a pseudonymous security researcher who has frequented the forum for years. He has a proven track record for developing reliable exploits.
“This vulnerability has a high severity rating,” kingcope wrote in an e-mail to Ars. “An attacker can use this exploit to get a command line shell remotely with the privileges of the configured Apache user.”
Representatives of Parallels, the software developer that sells Plesk, didn’t respond to e-mails seeking comment for this post. The fee-based software gives administrators an easy-to-use interface for setting up websites, e-mail servers, databases, and domain name system services.
The vulnerability disclosure comes as tens of thousands of websites running the Apache Web server have come under the spell of malicious software that exposes visitors to potent malware attacks. Researchers still don’t know how the exploits, known as both Linux/Cdorked and DarkLeach, are able to take hold, but vulnerabilities in Plesk, Cpanel, and other software used to administer websites are considered one possibility. Kingcope didn’t rule that out, although he said the Apache infections were already cresting before he discovered the Plesk vulnerability.
The critical vulnerability stems from a default setting in Plesk that exposes the entire “/usr/bin” directory to the Internet. The path in Unix-based systems is one of the main locations for powerful executable files that render webpages and connect to databases. Wednesday’s exploit can be used to send commands to binaries based on the PHP programming language that open a command window on the attacker’s computer. From there, the attacker has administrative control over the vulnerable website. An attacker could do things like install malicious Apache modules or create backdoor accounts with such a command shell.
“This is a complete compromise of the machine with privileges of the Web server,” a hacker who goes by the moniker webDEViL told Ars shortly after reviewing the exploit code. “In simple words /usr/bin is being referenced when you call a PHP path.” He said the underlying vulnerability was similar to a critical PHP vulnerability patched last year. Except in the latest case, the PHP interpreter itself is exposed to the outside world.
Kingcope advised Plesk administrators to “uncomment” or remove altogether the Apache configuration entry that exposes the PHP files and then restart the Web server. The line, he said, looks like this:
Without the input from Plesk developers, it wasn’t immediately clear if there are other ways to mitigate the vulnerability until it’s patched. This post will be updated if Parallels officials respond later. In the meantime, Ars readers are invited to leave mitigation suggestions in comments.
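One mitigation check a Plesk administrator can run today, added here as an example and not part of the article or of any Parallels tooling: scan an Apache configuration for active URL-to-filesystem mapping directives (Alias/ScriptAlias and their Match variants) whose target is, or lies under, a system binary directory such as /usr/bin, the exposure the article describes. The article does not quote the exact Plesk directive, so the sample httpd.conf fragment below is constructed, and the assumption that the exposure is expressed through one of these directives is the script's own.

```python
import os
import re

# Apache directives that map a URL prefix onto a filesystem path. Assumption:
# the Plesk entry the article describes is one of these (the exact line is not
# quoted in the article).
MAPPING_DIRECTIVES = ("Alias", "ScriptAlias", "AliasMatch", "ScriptAliasMatch")

# Directories that should never be reachable over HTTP.
SENSITIVE_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")

_DIRECTIVE_RE = re.compile(
    r'^\s*(?P<name>' + "|".join(MAPPING_DIRECTIVES) + r')\s+'
    r'(?P<url>"[^"]*"|\S+)\s+(?P<fs>"[^"]*"|\S+)\s*$', re.IGNORECASE)


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def find_exposed_bindirs(config_text):
    """Return (line_no, directive, url_prefix, fs_path) for every active
    (uncommented) mapping directive whose filesystem target is a system
    binary directory or something inside one."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):  # commented out, the fix kingcope advised
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            continue
        fs = os.path.normpath(_unquote(m.group("fs")))  # "/usr/bin/" -> "/usr/bin"
        if any(fs == d or fs.startswith(d + "/") for d in SENSITIVE_DIRS):
            findings.append((n, m.group("name"), _unquote(m.group("url")), fs))
    return findings


# Constructed sample httpd.conf fragment; not Plesk's real configuration.
SAMPLE_CONF = """\
ServerName example.test
ScriptAlias /cgi-bin/ "/var/www/vhosts/example.test/cgi-bin/"
ScriptAlias /tools/ "/usr/bin/"
# ScriptAlias /oldtools/ "/usr/bin/"
Alias /static/ /var/www/static/
"""

if __name__ == "__main__":
    for line_no, name, url, fs in find_exposed_bindirs(SAMPLE_CONF):
        print(f"line {line_no}: {name} {url} -> {fs} exposes a system binary directory")
```

Run it against each file Apache includes (for example the vhost and conf.d includes), comment out or delete any flagged entry, and restart Apache as the article advises; the commented-out line in the sample shows that a disabled entry is no longer reported.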