lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 7 Jun 2013 14:44:56 +0900
From: アドリアンヘンドリック
 <unixfreaxjp22@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Plesk Apache Zeroday Remote Exploit

>* Please keep headers intact.

*

Thank's to King Cope for announcing the PoC which affected Plesk versions
mentioned that's having the PHP's CGI CVE-2012-1823 vulnerability.
Plesk is vulnerable to this flaw disregards on the its php configuration,
and is a must fix.
I suggest Plesk to quick patch this zeroday since a lot of vulnerable
servers already spotted in my territory already with the collection of the
malware injected.

You can use the PHP CGI Argument Injection metasploit modules to reproduce
the flaw:
http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection
Any mitigation method forCVE-2012-1823 can be used for the temporary
solution, i.e.: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

The details of php flaw itself can be viewed here:
http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
reflected into the module source code below:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_cgi_arg_injection.rb

The point is how CVE-2012-1823 can still be applied to the vulnerable php
based panels, whether other products are affected or not is worth to check.

Thank's to King Cope for announcing the flaw. To Nicolas Krassas, Bart
Blaze & Larry W Cashdollar, for helping in checking this important flaw.

rgds,

----
Hendrik Adrian
unixfreaxjp@...waremusdie.org

Am 06.06.2013 um 04:28 schrieb Kingcope <isowarez.isowarez.isowarez at
googlemail.com <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>:

>* Dave ,*>* Again bla bla,*>* Dont Lie!!! I tested and it Works proper !! Tested on Centos Red Hat Debian FreeBSD !! Pure Remote in the Wild !! Better Patch Ur Servers and Check Ur perimeter than Telling lies.*>* *>* Me mixanaki Kai Computer Kai flogera!*>* *>* Cheerio,*>* *>* Kctherookie*

>* *>* From: king cope <isowarez.isowarez.isowarez () googlemail com>*>* Date: Wed, 5 Jun 2013 18:37:38 +0200*>* Please keep headers intact.*>* *>* Engineered by Kingcope*>* *>* Copyright (C)2013 Kingcope*>* Attachment: pleskwwwzeroday.rar*>* _______________________________________________*>* Full-Disclosure - We believe in it.*>* Charter: http://lists.grok.org.uk/full-disclosure-charter.html*>* Hosted and sponsored by Secunia - http://secunia.com/*

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ