Summary
A vulnerability has been discovered in Pi-hole that allows an authenticated user of the web interface to read arbitrary files on the server. Because the underlying command is executed with elevated privileges, the files are read as a privileged user.
Details
While investigating the operation of Pi-hole in depth, the search for vulnerabilities was focused on the "Update Gravity" function.
The function updates the list of domains that Pi-hole will block by fetching each URL added in the "Adlists" section.
Analyzing the code of the "gravity.php" file, we can see that it refers to a file called "gravity.js".
Analyzing the JavaScript file shows that it in turn references a file called "gravity.sh.php", which contains the actual operation and logic.
At the end of that file there is a loop that executes a system-level command via sudo.
To understand what the "-g" argument of Pi-hole does, the gravity.sh file published on GitHub was analyzed, focusing on the function "gravity_DownloadBlocklistFromUrl()".
In very basic terms it works as follows: if the URL in the "Adlists" list begins with "file", it is treated as an update from a local file; otherwise, the behaviour depends on the status of the HTTP response.
The problem resides in the update through local files.
When updating from a local file that contains lines which are not valid domains, the first 5 such lines are printed in the output. Pointing the list at any file on the server whose lines are not domains therefore causes those lines to be displayed.
Furthermore, since the "pihole -g" command is run with sudo from "gravity.sh.php", a malicious actor could read privileged files this way.
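The root cause described above is that the adlist address is handed to the privileged update without any restriction on its scheme. The following shell functions are an added example written for this advisory; they are not Pi-hole's own code and assume nothing about its internals beyond what is stated here. `validate_adlist_url` accepts only `http://` and `https://` addresses with a non-empty host, comparing the scheme case-insensitively so that `FILE://` is treated the same as `file://`, and `audit_adlists` runs that check over a list of configured addresses (a constructed sample is embedded) so an administrator can find entries that would reach the local-file code path.

```shell
#!/bin/sh
# Added example, not Pi-hole code: reject adlist addresses that are not remote http(s) URLs.

# Return 0 when the address is an http:// or https:// URL with a non-empty host, 1 otherwise.
validate_adlist_url() {
  url=$1
  # Lower-case the whole string so the scheme check is case-insensitive (FILE:// == file://).
  lower=$(printf '%s' "$url" | tr 'A-Z' 'a-z')
  case "$lower" in
    http://*|https://*) ;;        # only remote schemes are permitted
    *) return 1 ;;                # file://, ftp://, bare paths, etc. are refused
  esac
  # Strip the scheme and anything after the first slash; what remains must be a host.
  host=${lower#*://}
  host=${host%%/*}
  [ -n "$host" ] || return 1
  return 0
}

# Read one address per line from stdin, print every address that fails validation,
# and return 0 only if nothing was rejected.
audit_adlists() {
  rejected=0
  while IFS= read -r address; do
    [ -n "$address" ] || continue
    if ! validate_adlist_url "$address"; then
      printf 'REJECT %s\n' "$address"
      rejected=$((rejected + 1))
    fi
  done
  [ "$rejected" -eq 0 ]
}

# Constructed sample of adlist addresses (hypothetical hosts); four of the five should be rejected.
SAMPLE_ADLISTS='https://lists.example.com/hosts
file:///etc/shadow
FILE:///etc/passwd
http:///missing-host
ftp://mirror.example.net/hosts'

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_ADLISTS" | audit_adlists || echo "one or more adlist entries rejected"
```

Running the script prints a `REJECT` line for the two `file` entries, the URL with an empty host and the `ftp://` address, leaving only the `https://` list as acceptable. The same check can be applied to addresses exported from the configured adlists before each gravity update.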
PoC
Step 1: Log in to Pi-hole
Step 2: Go to the "Adlists" section and add file:///etc/shadow
Step 3: Go to "Tools" --> "Update Gravity" and view the first 5 lines of the /etc/shadow file on the screen.
An exploit has been developed that automates the exploitation of the vulnerability.
Impact
An attacker could read any file on the server as root. In this case, the root password hash extracted from /etc/shadow could be cracked offline to obtain a password for authenticating over SSH or any other exposed service.
The attacker could also enumerate the system to identify other services and their versions and carry out more complex attacks.
Ultimately, the attacker could obtain at least part of the contents of any file on the system.