Friday, June 7, 2013

MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability


This zeroday PoC (thank to KingCope for announcing the zeroday, a great share!) is bringing a huge impact in the worse timing of malware web infection trends, which the botnet via file injection already ITW & spotted (salute to RepoCERT) so we find it necessary to quick posting the vulnerability clarification here (via @unixfreaxjp), and a short memo in here about this threat due to mitigate the infection vector.

The vulnerability impact is a remote flaw of previously detected in PHP's CGI Remote Code Execution of Arbitrary Code (with can be used to trigger flaw of remote file upload) of CVE-2012-1823 (here's the CVE's info link) which can be remotely executed by direct request (ok, to cut the crap: I mean exploitation PoC code via POST command) without using the PHP file as interpreter intact, which is currently severe zeroday flaw that has to be fixed by Plesk panels (the PoC's affected/tested version is 8.6, 9.0, 9.2, 9.3, 9.5.4 and the unaffected version is 11.0.9) in their way of configuring web server with ScriptAlias /phppath/ "/usr/bin/".

To be noted. The malware spotted so far, as per spotted by RepoCERT, are IRC/BOT of these variant which are mostly the script kiddies levels that is having DDoS functionality, with is written the comment traces of Portuguese language inside. It is about time for other serious malware web infection base (like redirector/backdoor) to utilize this flaw for spreading their malware infection links/urls either by exploit kits (or direct) basis, to all of us to please be aware to patch your Plesk panel's version.

As mitigation is advised implement a custom rule to block an unnecessary direct connection via/through IRC ports to remote hots from the affected hosts (Noted: not afected web servers, nor domains, but hosts). For the checking and cleaning purpose RepoCERT is sharing their cleaning & removal script tools here and here.

Malware functionality detected of current spotted samples

Identification of the attacker via IRC channel:

DoS functionality:

Backdoor-1 File send to remote host via IRC:

Backdoor-2 Encoded notification of affected host:

PoC leaked in news links:

The IT news for this zeroday is wide-spreaded before Plesk patch the flaw, many of the news has the pastes of the exploit PoC that can be used to attack the affected Plesk panels, please be aware of this too. Th elink is as per follows:

[1] Ars Technica: More than 360,000 Apache websites imperiled by critical Plesk vulnerability (Updated)
[2] Heise Security: Angeblicher Zero-Day-Exploit für Plesk
WebWereld: Exploit pakt Apache via vers gat in Plesk-beheerpanel
[4] PCWorld: Hacker publishes alleged zero-day exploit for older Plesk versions
[5] Parity News: Hacker publishes alleged zero-day exploit for Plesk
[6] H-Online: Supposed zero-day exploit for Plesk - Update