“Write anywhere” vulnerability in Parallels Confixx

A proof of concept of a vulnerability in Parallels Confixx 3.3.9 (latest and final version) allowing an attacker to gain full write access (as root) to a UNIX server operating said hosting software.

Preface

There is a hotfix available that mitigates the issue.

Sadly, however, I didn’t get my brownie points 🙁

The vulnerability

Parallels Confixx is a German-developed web hosting control panel that was acquired by SWsoft. It is used to administer UNIX or Windows servers, allowing multiple domains belonging to different users (“web accounts”) to be hosted and set up. The software is no longer being developed; its replacement is the better-known Parallels Plesk Panel.

In order to provide users with their own statistics on access to their web sites, a global CustomLog is set up in Apache’s configuration. The custom log handler’s target is a pipe to a Perl script (pipelog.pl):

# file is /etc/apache2/confixx_vhost.conf

LogFormat "%V:#:%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" confixx
CustomLog |/root/confixx/pipelog.pl confixx

The pipe is opened by Apache during start-up and stays open the whole time; the logging process is spawned with root privileges. The contents of the file are as follows:

#!/usr/bin/perl
###### Confixx-Apache-PipeLog
## for logging web accesses per user
########## created on Wed Jan  6 02:30:00 1982 ###
$logDir = "/var/log/apache2/confixx/domains/access";
$stdLog = "/var/log/apache2/confixx/stdlog_access";
while(<STDIN>){   # one log record per line, fed by Apache through the pipe
  ($domain, $log) = split(/:#?:/, $_, 2);   # "vhost:#:rest"; the vhost is %V
  $domain = lc($domain);
  $logfile = "$logDir/$domain";   # unchecked concatenation of the client-supplied name
  $worked = 0;
  if(-l $logfile){   # per-domain logs are symlinks; only those get written
    $target = readlink($logfile);
    unless(-l $target){   # refuse a symlink that points at another symlink
      if(open(LOG, ">>$logfile")){   # appends to whatever the symlink points to
        print LOG $log;
        close(LOG);
        $worked=1;
      }
    }
  }
  unless($worked){   # fallback: everything else goes to the shared standard log
    open(LOG, ">>$stdLog") or next;
    print LOG "$domain :: $log";
    close(LOG);
  }

}

The vulnerability’s culprit is the %V formatter of the LogFormat directive, which according to the docs means “The server name according to the UseCanonicalName setting.”

This “server name”, however, is nothing other than whatever the connecting client supplies in the HTTP request’s Host header (given certain pre-conditions; see Why is HTTP_HOST evil?).

Proof of concept

I claim that, given a forged request, one can obtain full write access to a (UNIX) server running Confixx.

The request would have to look like this:

GET / HTTP/1.1
Host: ../../../../../../root/confixx/counter_script.pl
User-Agent: Something

Through careless concatenation of the assumed domain name with a pre-defined path (line 10 of the script above), the file that $logfile actually points to is now:

/var/log/apache2/confixx/domains/access/../../../../../../root/confixx/counter_script.pl

This conveniently resolves to /root/confixx/counter_script.pl, which is a symlink pointing to another Perl script in the same directory, confixx_updatescript.pl. The target file actually has to be a symlink (line 12) for the write to happen. The intended access log line is then appended to the file the symlink points to.
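A hardened version of the script’s loop body, written here in Python as an added example (it is neither Confixx’s code nor Parallels’ hotfix): the Host-derived name is checked against a strict hostname pattern before it is joined to the log directory, and the joined path is verified to stay inside that directory. The directory names and log lines used in demo() are constructed.

```python
import os
import re
import tempfile

# Constructed hostname rule: dot-separated labels of [a-z0-9-], at most 253 chars.
# A "/" or ".." fails here, so the traversal Host value never reaches the path join.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

def parse_log_line(line):
    """Split a 'vhost:#:rest' record on the first separator, as pipelog.pl does."""
    domain, sep, log = line.partition(":#:")
    return (domain.lower(), log) if sep else (None, line)

def safe_logfile_path(log_dir, domain):
    """Per-domain log path, or None if the name is not a plain hostname or the
    normalised path would leave log_dir (second line of defence after the regex)."""
    if domain is None or not HOSTNAME_RE.match(domain):
        return None
    base = os.path.normpath(log_dir)
    path = os.path.normpath(os.path.join(base, domain))
    return path if os.path.commonpath([base, path]) == base else None

def append_log(log_dir, std_log, line):
    """Hardened loop body: the per-domain log is used only for a validated name that is
    a one-hop symlink (the original's rule); anything else lands in std_log."""
    domain, log = parse_log_line(line)
    path = safe_logfile_path(log_dir, domain)
    if path is not None and os.path.islink(path):
        target = os.path.join(os.path.dirname(path), os.readlink(path))
        if not os.path.islink(target):
            with open(path, "a") as fh:
                fh.write(log)
            return path
    with open(std_log, "a") as fh:
        fh.write(f"{domain} :: {log}")
    return std_log

def demo():
    """Constructed scenario: one legitimate vhost symlink plus the Host value from the post."""
    log_dir, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    std_log = os.path.join(outside, "stdlog_access")
    user_log = os.path.join(outside, "user_access.log")   # where a real vhost log lives
    os.symlink(user_log, os.path.join(log_dir, "example.com"))
    good = 'example.com:#:198.51.100.7 - - "GET / HTTP/1.1" 200 12\n'
    evil = '../../../../../../root/confixx/counter_script.pl:#:198.51.100.7 - - "GET / HTTP/1.1" 200 12\n'
    return {"good": append_log(log_dir, std_log, good) == os.path.join(log_dir, "example.com"),
            "evil": append_log(log_dir, std_log, evil) == std_log}
```

With the original script the second record would have been appended through the symlink chain; here it is diverted to the standard log, where the odd “domain” is visible for review.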

The vulnerability’s effects

This post’s headline is “Write anywhere vulnerability” because it would theoretically be possible (given a non-privileged account on the target machine) to hijack the entire box by creating one’s own symlink that points to a file in, let’s say, /etc/cron.daily, which we know to be executable and most likely a shell script, and appending to it accordingly…

I haven’t gone to full lengths as to what extent this is actually useful; still, there is the undeniable possibility of at least “wrecking” a server running Confixx by appending junk to symlink targets in e.g. /usr/bin/ and thus breaking vital system executables. Thus, this would probably classify as a DoS vulnerability.

In addition, two more vectors are at the attacker’s disposal: the client-controlled User-Agent and Referer request headers, whose contents are likewise appended to the target file.

Updates

The following are conversations with a member of Parallels, Inc. support staff who shall be called “Samuel” henceforth for obvious privacy reasons.

October 11th, 2012

Reported issue to Confixx Support Team of Parallels Inc.

Outbound:

Dear Sir or Madam,

I’ve been referred to this address by EMEA Sales Headquarters, Munich to report my issue.

I found a security issue in Parallels Confixx 3.3.9 (Unix) with which one gains full (root) write access to the server’s file system. I understand Confixx has reached its end of lifetime and will not be developed on any further. The issue, however, should be part of a hotfix.

Kindly have the department in charge of these kinds of issues contact me.

Kind regards,
Oliver Schieche

Inbound:

Note: “Samuel” steps in to answer my mail. Although his signature identifies him as a sales person, he was the only contact I had while dealing with the issue. There was actually a previous mail from “Samuel” asking me to explain the issue in detail; it isn’t quoted here, since it’s irrelevant. In it, though, I gave him the link to this post and the password. This was the reply:

Hello Oliver,

thank you for forwarding the problem.
I have forwarded the problem to our developers. Please don’t change the password to your post.
I will keep you updated.

Mit freundlichen Grüßen / Best Regards,

--

Samuel
Sales Engineer
Parallels

October 26th, 2012

Received feedback from “Samuel”: they fixed the issue.

Hi Oliver,

we solved the issue. Please find attached the new pipelog.pl

Mit freundlichen Grüßen / Best Regards,
--
Samuel
Sales Engineer
Parallels

Knowledge Base: http://kb.parallels.com

I asked when I could publish this article pending an official statement of Parallels Inc. concerning the issue.

Outbound:

Hi Samuel,

thanks for the update. When will this fix be deployed? I’d like to publish my post, but not without properly linking to a solution…

Inbound:

Hello Oliver,

We are going to publish an article. But when this article will be published, I unfortunately don’t know.

Best Regards, Samuel

March 19th, 2013

Trying to get an update on things

Hello Parallels Support Team,

a long time has passed since our last correspondence regarding the security issue, but I haven’t heard from you since. Is there an advisory or any such thing I can update my post with to publish it?

Regards,
Oliver Schieche

March 28th, 2013

Received last mail from “Samuel”: the issue was posted in their KB.

Hello Oliver,

We have published it:

http://kb.parallels.com/en/115857

Best Regards, Samuel