Hacker publishes alleged zero-day exploit for older Plesk versions

A hacker released what he claims is a zero-day exploit for older versions of the Parallels Plesk Panel, a popular Web hosting administration package, that could allow attackers to inject arbitrary PHP code and execute rogue commands on Web servers.

The hacker uses the alias "Kingcope" and has published exploits for unpatched vulnerabilities before. He released the new Plesk exploit code Wednesday on the Full Disclosure mailing list.

The hacker claims the exploit was successfully tested against Plesk 9.5.4, Plesk 9.3, Plesk 9.2, Plesk 9.0 and Plesk 8.6 used in combination with the Apache Web server software on 32-bit and 64-bit Linux distributions including Red Hat, CentOS and Fedora. However, Parallels, the Seattle-based company that develops Plesk Panel, claims that Plesk 9.5 and later versions are not affected by the exploit.

"This vulnerability is a variation of the long-known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesk [versions]," a Parallels representative said Thursday via email. "All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable."

According to a page on the company's website, version 8 of the product has not been supported since September 2012, and Plesk version 9 will reach end of life Sunday.

Older servers' troubles

Even if the latest versions of the software are not affected, widespread exploitation of this vulnerability is still expected to happen because servers running the old and affected versions of Plesk are unlikely to be regularly maintained, said Craig Williams, a threat researcher at Cisco, Wednesday in a blog post.

Williams analyzed the attack code released by Kingcope and said that "the script exploits the vulnerable versions of the Plesk control panel by injecting malicious PHP code, allowing successful attackers to perform arbitrary commands with the privileges of the Apache server userid."

A command executed by the exploit contains several arguments that are supposed to disable security mechanisms that might exist on the server, he said. These include the "allow_url_include=on" argument, which allows the attacker to include arbitrary PHP code, and the "safe_mode=off" argument. "As a final abuse Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection."
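In CVE-2012-1823 the php.ini overrides described above reach php-cgi through a CGI rule: a query string that contains no raw "=" character is split on "+" and passed to the script as command-line arguments, so "-d+allow_url_include%3don" (with the "=" percent-encoded) becomes "-d allow_url_include=on" on the PHP binary's command line. The following detector is an added example written for this page, not code from the article, Kingcope's exploit or Cisco's analysis. It models that argv rule over Apache access-log lines, pulls out the injected "-d" settings and bare switches, and flags the directives the paragraph names. The log lines are constructed for the demonstration; the field layout assumes Apache's common/combined log format, and the severity labels are the example's own convention.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# php.ini settings the exploit discussed above rewrites with -d to switch protections off.
SENSITIVE_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation",
    "disable_functions", "open_basedir", "auto_prepend_file",
}


def cgi_argv(query):
    """Model the CGI rule behind CVE-2012-1823: a query string with no raw '='
    is split on '+' and handed to php-cgi as argv, each word URL-decoded.
    '%3d' passes the check because the '=' only appears after decoding."""
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def php_cli_options(argv):
    """Collect '-d key=value' / '-dkey=value' pairs and bare switches (-n, -s, ...)."""
    settings, switches = {}, []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            settings[key.strip()] = value.strip()
            i += 2
            continue
        if arg.startswith("-d") and len(arg) > 2:
            key, _, value = arg[2:].partition("=")
            settings[key.strip()] = value.strip()
        elif arg.startswith("-"):
            switches.append(arg)
        i += 1
    return settings, switches


def classify(line):
    """Return a finding for a request that smuggles php-cgi options, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    settings, switches = php_cli_options(cgi_argv(query))
    if not settings and not switches:
        return None
    # Code execution needs the request body (php://input) or a remote URL pulled in
    # as PHP source; a bare '-s' only discloses source, so it is rated one step lower.
    rce = (settings.get("auto_prepend_file", "").startswith("php://input")
           or settings.get("allow_url_include", "").lower() in ("on", "1"))
    return {
        "client": m.group("ip"), "method": m.group("method"), "path": path,
        "settings": settings, "switches": switches,
        "sensitive": sorted(set(settings) & SENSITIVE_DIRECTIVES),
        "severity": "critical" if rce else "high",
    }


def scan(lines):
    return [finding for finding in map(classify, lines) if finding]


# Constructed sample log lines (not real traffic): two benign requests, then a
# source-disclosure probe and a full option-injection attempt of the kind described above.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2013:10:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Jun/2013:10:01:05 +0000] "GET /search.php?plesk+panel HTTP/1.1" 200 1024',
    '198.51.100.9 - - [05/Jun/2013:10:02:11 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Jun/2013:10:02:30 +0000] "POST /phppath/php?-d+allow_url_include%3don'
    '+-d+safe_mode%3doff+-d+suhosin.simulation%3don+-d+disable_functions%3d%22%22'
    '+-d+open_basedir%3dnone+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["client"], f["method"], f["path"], f["sensitive"], f["switches"])
```

The benign "plesk+panel" search shows why the check cannot simply be "query string without =": such requests are legitimate, and the finding is raised only when the resulting words look like PHP command-line options.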

If a customer is using a legacy and no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version, the Parallels representative said. The company already provided a workaround for the CVE-2012-1823 vulnerability for legacy versions of Plesk, the representative said.

"Those unable to disable the vulnerable version of Plesk or upgrade to more recent, unaffected code should consider additional hardening outside of PHP, such as running their Apache instance within a chroot environment or restricting access to the Plesk control panel, e.g. via IP ACLs [access control lists] or HTTP authentication," Williams said.

"Successful exploitation requires a ScriptAlias [configuration] for the php path using Apache's mod_alias," vulnerability management firm Secunia said Thursday in an advisory that rates the vulnerability as highly critical. That specific configuration is ScriptAlias /phppath/ "/usr/bin/", according to Kingcope's exploit notes; it exposes the php-cgi binary in /usr/bin as a CGI script that can be requested directly over HTTP.

However, it's not clear how commonly this configuration is found in real world Plesk deployments. Two users who posted responses to Kingcope's email to the Full Disclosure mailing list said that they couldn't get the exploit to work because they couldn't find the phppath-related setting on Plesk installations they tried it on.
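Because the ScriptAlias mapping is the precondition the exploit depends on, the practical first check on a legacy Plesk host is whether httpd.conf (or any included file) aliases a URL prefix onto a system binary directory or onto a PHP binary. The checker below is an added example written for this page, not a Parallels, Secunia or Kingcope tool. It parses ScriptAlias and ScriptAliasMatch directives, tolerates quoted and unquoted paths and comment lines, and reports the URL prefix so the operator knows what to restrict with IP ACLs or HTTP authentication if an immediate upgrade is not possible. The list of system binary directories and the "basename starts with php" heuristic are the example's own assumptions, and the configuration fragment is constructed for the demonstration.

```python
import os
import shlex

# Directories whose contents should never be exposed as CGI scripts: an alias onto
# one of them lets php-cgi, and every other binary there, be invoked over HTTP.
# This list is an assumption of the example, not something the article specifies.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")


def parse_script_aliases(config_text):
    """Yield (line_no, url_prefix, fs_target) for each ScriptAlias / ScriptAliasMatch
    directive. Apache only allows '#' comments on their own line, so whole-line
    comments are skipped and nothing else is treated as a comment."""
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)   # handles "quoted paths with spaces"
        except ValueError:
            continue                     # unbalanced quote; Apache would reject it anyway
        if len(tokens) == 3 and tokens[0].lower() in ("scriptalias", "scriptaliasmatch"):
            yield n, tokens[1], tokens[2]


def exposed_aliases(config_text):
    """Return findings for aliases that expose a system bin directory or a PHP binary."""
    findings = []
    for n, prefix, target in parse_script_aliases(config_text):
        norm = os.path.normpath(target)                      # "/usr/bin/" -> "/usr/bin"
        in_sysbin = any(norm == d or norm.startswith(d + "/") for d in SYSTEM_BIN_DIRS)
        names_php = os.path.basename(norm).startswith("php")  # heuristic, see lead-in
        if in_sysbin or names_php:
            findings.append({
                "line": n, "prefix": prefix, "target": target,
                "reason": "system binary directory" if in_sysbin else "php binary",
            })
    return findings


# Constructed httpd.conf fragment for illustration only; not taken from a real host.
SAMPLE_HTTPD_CONF = """\
# Constructed httpd.conf fragment for illustration only
ServerName www.example.com
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<VirtualHost *:80>
    DocumentRoot /var/www/html
    # The mapping the exploit notes quoted above rely on:
    ScriptAlias /phppath/ "/usr/bin/"
</VirtualHost>
ScriptAlias /cgi-bin/php /usr/lib/cgi-bin/php5
"""

if __name__ == "__main__":
    for f in exposed_aliases(SAMPLE_HTTPD_CONF):
        print("line %d: %s -> %s (%s)" % (f["line"], f["prefix"], f["target"], f["reason"]))
```

Run against the real configuration, the script should be pointed at every file pulled in via Include as well as the main httpd.conf, since Plesk generates per-domain vhost files; the example reads a single text blob so that it runs offline.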

Source: https://www.pcworld.com/article/452303/hacker-publishes-alleged-zeroday-remote-code-execution-exploit-for-older-plesk-versions.html

Posted by: mcgaugheytrachattee.blogspot.com
