Plesk Apache Zero-Day Exploit
On Wednesday, June 5, Kingcope distributed, via the seclists.orgs Full Disclosure website, exploit code for a previously unannounced vulnerability in the Plesk hosting control panel solution. The vulnerability impacted by the release is based on a web server PHP misconfiguration in the Plesk application. Information from Parallels may be found here.
Successful exploitation using the published exploit code has been found to lead to full system compromise through command injection through the PHP interpreter. The PHP interpreter utilizes a parameter of “allow_url_include” that is vulnerable to the injection.
As described by TrendMicro:
Plesk uses a default configuration, scriptAlias/phppath/”/usr/bin/” in Apache which directly calls the /usr/bin directory when an attacker requests for /phppath.
Hence the attacker can easily exploit this vulnerability by calling PHP interpreter with unsafe arguments as follow:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
Kingcode states that the attack has been successfully tested against Plesk versions 8.6, 9.0, 9.2, 9.3 and 9.5.4, but does note that the exploit does not work against the latest version of Plesk.
Due to the availability of the exploit code, the ease of execution and common lack of organizational patching processes, the identified vulnerability is being exploited in the wild. According to vendor, customers utilizing legacy or no-longer-supported versions of the Plesk application, they should implement the latest version of the Plesk application. Multiple solutions for workarounds may be found within the KB article from Parallels.
Organizations that may be impacted by this vulnerability are strongly encouraged to tightly monitor their environments for change until they are able to make the Parallels' recommended changes.