CVE-2020-13166: myLittleAdmin vulnerability

10 comments

  • Iman GM

    I guess I'm the first victim of this exploit... One of my servers was hacked a few hours ago. Attacker uploaded a file named psf.exe in c:\tmp. File owner is IUSRPLESK_sqladmin. Created an account administrators, disabled firewall and ... 

    I was lucky that I was monitoring the server and I didn't lose any data. This is serious.

  • Ivan Postnikov

    Hello Iman GM

    Glad to hear that you've avoided the bigger impact.

    Thank you for sharing your user experience.

  • Sysadmins

    Hello,

    You can also use the command line to quickly uninstall the mylittleadmin component:

    C:\ParallelsInstaller\parallels_installer_Microsoft_6.3_x86_64_3.22.14.exe --remove-component mylittleadmin

    Remember to modify the installer name related to the installer version/path

    Good luck

  • Tim Aplin

    Hi Team,

    I have tested on one of my servers - Generating a new Machine Key in IIS appears to resolve this exploit - steps to reproduce:

    Install Server 2016 Standard (Desktop experience) for the OS on blank VM

    Add IIS feature, including .net support

    Copy existing MLT/MLA/MLB installation, place in the C:\inetpub\wwwroot

    Confirm access to the MLA instance from location where the Python exploit will be run from

    Run the Python Exploit (courtesy of https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/), verify that the Windows Calculator is running

    Go into IIS > Machine Keys > Generate new Key > Apply

    IISreset

    Re-run the Python Exploit – verify that the Windows Calculator is not running.

    Log in to MLA and test that the functionality is all working. Rather than removing MyLittleAdmin, if Plesk could release an update that forces IIS to generate a new Machine Key, this should be a simple fix.

  • Bax

    Hi There

    I am unable to do any changes. I have followed your instructions and when I click on Updates and Upgrades, it takes me to a new tab where I can see the Plesk updater, but the ADD/REMOVE options are greyed out. Any help here? Thanks

  • Anton Maslov

    Tim Aplin, thank you for sharing your test results. Basically, it is enough just to remove the machineKey, as the article suggests, without generating it again. We plan to deliver an automatic fix in an upcoming update for MyLittleAdmin in Plesk.

  • Anton Maslov

    Bax, try running the update from the command line:

    plesk installer --console

    Or just remove the machine keys; that also "closes" the vulnerability.

  • itcs

    Thanks for the heads up. We removed the machine key from our Windows Plesk servers' MyLittleAdmin. Using the MS Management Studio instead is not an option, as we don't provide direct access to our DB servers from the internet.

  • Sys

    Is it still?

    Does plesk/mylittleAdmin work on a solution or another tool? 

  • Ivan Postnikov

    Hello!

    itcs

    Thank you for sharing.

    Sys

    The workaround will be implemented for Plesk installations automatically for the following Plesk versions:

    Plesk Obsidian:

    Since 18.0.28 (already available)

    Plesk Onyx, the workaround will be available in the nearest micro updates for 17.5 and 17.8:

    17.8: MU#89
    17.5: MU#95
    17.0: will be available later


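A check for the machine-key workaround discussed in this thread, as an added example that is not part of the original comments or Plesk's own tooling: it parses a web.config and reports any `<machineKey>` element that still carries a fixed `validationKey` or `decryptionKey`. The sample configs and key values are constructed, and the path to MyLittleAdmin's web.config is an assumption left for you to pass on the command line.

```python
import sys
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def pinned_keys(root):
    """Return (attribute, hex_length) for every fixed key on a <machineKey>.

    Only the length is reported so key material never ends up in logs.
    """
    findings = []
    for elem in root.iter():
        # Some web.config files declare an xmlns, so compare local names.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = elem.get(attr, "").strip()
            # "AutoGenerate[,IsolateApps]" is the ASP.NET default (no fixed key).
            if value and not value.lower().startswith("autogenerate"):
                findings.append((attr, len(value.split(",")[0])))
    return findings

def audit_text(xml_text):
    return pinned_keys(ET.fromstring(xml_text))

def audit_file(path):
    return pinned_keys(ET.parse(path).getroot())

# Constructed samples; the key values are made up.
PINNED = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" />
</system.web></configuration>"""
REMOVED = "<configuration><system.web /></configuration>"
AUTOGEN = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web>
</configuration>"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            hits = audit_file(path)
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: could not audit ({exc})")
            continue
        print(f"{path}: {'PINNED ' + str(hits) if hits else 'no fixed machineKey'}")
```

An empty result means the element is absent or set to auto-generate, which is the state the workaround in the comments aims for; an IIS reset is still needed after changing the file, as in the test steps above.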