Pi-Hole <= 4.4 root RCE CVE-2020-11108 #13445
Parentheses will soon be mandatory.

Negative Test Cases

Correctly identifies 4.4 and 5.0
@Frichetten FYI. Do you want an email added to your POC for the exploit?

Hi @h00die, no thank you. I'm okay with just the link to my blog. If someone really wanted to contact me they could find the info there (I'm always nervous about my email being in plaintext somewhere bots could find it and spam me). Thank you for taking the time to build an actual Metasploit module for it! I never thought of doing that.

Also just a heads up that Pi-hole v4.4 is vulnerable. If you like I can take a stab at debugging it and seeing what's up. (Pi-hole Version v4.4, Web Interface Version v4.33, FTL Version v4.3.1)

@Frichetten thanks for writing an awesome blog with step by step instructions, and using Python so I could actually follow along. You were right on the 4.4; I adjusted the code a bit and got it working.

Throwing a delay label on here to investigate authentication.

Should be easy enough to add a password option, then send a POST (or GET then POST for any CSRF/tokens) to authenticate. I'll do a re-install of 3.2.1 and 4.4 and see if I can't find one. Now that the <3.3 exploit is up, I also wanted to do CVE-2020-8816, so a common library for authentication would be nice to have.

For notes, pihole 4.4 and 4.3.2 are strange in their logins. This is actually easier than expected: no token grabbing, no processing redirects etc.
```ruby
print_status('Adding backdoor reference')
add_blocklist(backdoor_name, token, cookie)

# update gravity
```
Okay, Einstein.
Nice module! Some small fixes to avoid nils and creating unneeded regexes.
Looks like a solid module, should be able to land this later 👍

Running check against 5.0

Running check against 4.3

Running against 4.3 with a valid password

Running against 4.3 with an invalid password
This was my docker-compose file: `docker-compose.yml`

```yaml
version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:4.3
    ports:
      # - "53:53/tcp"
      # - "53:53/udp"
      # - "67:67/udp"
      - "80:80/tcp"
      # - "443:443/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: 'password123'
    # Volumes store your data between container upgrades
    #volumes:
    #  - './etc-pihole/:/etc/pihole/'
    #  - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
```
I'm hoping to write a 3rd pihole exploit in the next day or two. May make a cool weekly summary if all 3 land the same week 😉

Release Notes

This adds a root exploit for Pi-Hole, versions 4.4 and lower. This takes advantage of CVE-2020-11108. A new blocklist is added, then an update is forced to pull in the blocklist content. Then PHP content is written to a file within webroot.
Root exploit against Pi-Hole <= 4.4 for cve-2020-11108.
Verified against 4.3.2, (modified code) and 4.4.
A few notes:

- `80`. When putting in the blocklist w/ a different port, the various encodings muck with it before it gets to the RCE point. I didn't attempt to make this work.
- `/stage1` and `/stage2` on the URLs for the blacklist, to track which was which. Similar to test #1 something got strange when getting to the RCE point, and it wouldn't work.
- `teleporter.php` gets overwritten. I didn't bother pulling a 'good' one and then re-uploading it on shell.

Verification

- Install a vuln pihole
- `msfconsole`
- `use exploit/unix/http/pihole_blocklist_exec`
- `set rhost/srvhost/etc`
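The check runs in this thread classify 4.3/4.4 as affected and 5.0 as not. As an added example (not code from the module or from this PR), the same classification can be done from the version banner the admin web interface prints, in the "Pi-hole Version v4.4 Web Interface Version v4.33 FTL Version v4.3.1" format quoted above; the banner strings in the code are constructed, and the fixed-in version 5.0 is taken from the thread's negative test cases.

```ruby
require 'rubygems' # for Gem::Version; loaded by default on modern Ruby

# CVE-2020-11108 affects Pi-hole 4.4 and lower; the thread's checks treat 5.0 as safe.
CVE_2020_11108_FIXED_IN = Gem::Version.new('5.0')

# Pulls the three component versions out of the admin footer banner.
# Returns a hash like { core: '4.4', web: '4.33', ftl: '4.3.1' }; a
# component is nil when its "<Name> Version vX.Y" fragment is missing.
def parse_pihole_banner(footer)
  grab = ->(label) do
    m = footer.match(/#{Regexp.escape(label)} Version v(\d+(?:\.\d+)+)/)
    m && m[1]
  end
  { core: grab.call('Pi-hole'),
    web:  grab.call('Web Interface'),
    ftl:  grab.call('FTL') }
end

# Classifies a footer banner as :vulnerable, :safe, or :unknown (no core
# version found). Only the core Pi-hole version decides exposure here,
# which matches what the module's check against 4.3/4.4/5.0 exercises.
def cve_2020_11108_status(footer)
  core = parse_pihole_banner(footer)[:core]
  return :unknown if core.nil?
  Gem::Version.new(core) < CVE_2020_11108_FIXED_IN ? :vulnerable : :safe
end

# Constructed banners mirroring the format quoted in the thread.
SAMPLE_BANNERS = {
  'v4.4 host'  => 'Pi-hole Version v4.4 Web Interface Version v4.33 FTL Version v4.3.1',
  'v4.3.2 host' => 'Pi-hole Version v4.3.2 Web Interface Version v4.3.2 FTL Version v4.3.1',
  'v5.0 host'  => 'Pi-hole Version v5.0 Web Interface Version v5.0 FTL Version v5.0',
  'no banner'  => '<html><body>login</body></html>'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BANNERS.each do |name, banner|
    puts "#{name}: #{cve_2020_11108_status(banner)}"
  end
end
```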