8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
Recent assessments:
h00die at May 18, 2020 6:49pm UTC reported:
Works against pi-hole <=4.4, which was just about recent at the time of release.
Excellent write-up here: <https://frichetten.com/blog/cve-2020-11108-pihole-rce/>
The CVE encompasses a file overwrite, however overwriting the right files can escalate privs.
The CVE is basically that a new blocklist can be added, and then an update is forced (gravity
is pihole terminology for this) to pull in the blocklist content. PHP content is then written to a file within the webroot.
How the real chain of exploit works is this:
writes a sudo
pihole command to launch teleporter
, effectively running a priv esc. sudo pihole -a -t
is the command to do this. pihole is in sudoers, so we wonβt need to provide a password. This file is stored at an arbitrary location within the webroot.
writes our payload to teleporter.php
, overwriting, the content.
visit the arbitrary file set in phase 1, which launches the pihole command. -t
executes teleporter.php
, which gives us a root shell.
Most of the restrictions for this exploit are focused around adding the blocklist. Due to encoding, formatting, etc, we are only able to provide an IP. No port, or file name.
With this in mind, exploitation takes many steps. In theory, w/o these restrictions, youβd set 2 block lists (phase 1, and 2), update gravity twice to pull in the files, and done. You would have set each block list to a diff URL thus being able to differentiate them.
However, since you arenβt able to do that, the actual chain looks more like this:
add blocklist for phase 1
update gravity and 200 OK
the request
update gravity and send back your phase 1 command.
add blocklist for phase 2
update gravity and 200 OK
the request
update gravity and send back your phase 2 command.
hit the URL stored for phase 1.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3
packetstormsecurity.com/files/157623/Pi-hole-4.4-Remote-Code-Execution.html
packetstormsecurity.com/files/157624/Pi-hole-4.4-Remote-Code-Execution-Privilege-Escalation.html
packetstormsecurity.com/files/157748/Pi-Hole-heisenbergCompensator-Blocklist-OS-Command-Execution.html
packetstormsecurity.com/files/157839/Pi-hole-4.4.0-Remote-Code-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11108
frichetten.com/blog/cve-2020-11108-pihole-rce
github.com/Frichetten/CVE-2020-11108-PoC
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C