CVE-2020-8816
CVE-2020-8816: Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Published 2020-05-29
Priority: P1 (85) · high · 7.2 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-10
Exploited in the wild
EPSS: 77.85% (99.5th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pi-hole | pi-hole | <= 4.3.2 | — |
Detection & IOCs (extracted from sources)
command: aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("<PAYLOAD>"));'&&
- Monitor POST requests to /admin/settings.php?tab=piholedhcp containing shell metacharacters (&&, $, %) in the AddMAC parameter field, which is the injection point for this exploit.
- Detect the hardcoded static PHPSESSID cookie value 'cabesha' in HTTP requests to Pi-hole admin endpoints, which is a strong indicator of this specific exploit script being used.
- Alert on MAC address field values in DHCP static lease submissions that contain '&&' or shell variable expansion patterns (e.g. ${PATH#...}) rather than a valid MAC address format (xx:xx:xx:xx:xx:xx).
- The DHCP server does not need to be running for exploitation to succeed; do not rely on DHCP service state as an indicator of safety.
- Exploitation requires /opt/pihole to be first in $PATH. Hardening the PATH environment variable for the web server process can mitigate or complicate exploitation.
- The vulnerability is exploitable by authenticated, privileged dashboard users only — unauthenticated access is not sufficient. Restricting admin dashboard access reduces the attack surface.
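The following detection script is an added example, not code from any of the sources above. It applies the three request-level indicators listed (non-MAC or metacharacter-laden AddMAC values posted to the DHCP settings tab, and the static PHPSESSID value) to captured HTTP requests. It assumes requests are available as dicts with method, URL, Cookie header and decoded body, for instance from a reverse proxy or WAF that logs POST bodies (a plain web server access log would not contain the body). The sample requests and the AddIP/AddHostname form fields in them are constructed for the example.

```python
"""Flag suspicious Pi-hole DHCP static-lease submissions (added example).

Assumes captured requests as dicts: method, url, cookie, body (body already
decoded from the transport, still application/x-www-form-urlencoded).
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# A valid static-lease MAC is six colon-separated hex octets.
MAC_RE = re.compile(r'^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$')
# Shell command separators and parameter-expansion patterns seen in the IoC above.
SHELL_META_RE = re.compile(r'&&|\$\{|\$[A-Za-z_]|;|\||`')
# Hardcoded session id used by the public exploit script (from the IoC list).
KNOWN_SESSION_ID = 'cabesha'


def parse_cookies(header):
    """Split a Cookie header into a dict; parts without '=' are ignored."""
    cookies = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name] = value
    return cookies


def analyse_request(req):
    """Return a list of finding strings for one captured request."""
    findings = []
    url = urlsplit(req.get('url', ''))
    query = parse_qs(url.query)
    on_dhcp_tab = (url.path.endswith('/admin/settings.php')
                   and query.get('tab') == ['piholedhcp'])

    cookies = parse_cookies(req.get('cookie', ''))
    if cookies.get('PHPSESSID') == KNOWN_SESSION_ID:
        findings.append('PHPSESSID matches hardcoded value from public exploit')

    if req.get('method', '').upper() == 'POST' and on_dhcp_tab:
        form = parse_qs(req.get('body', ''), keep_blank_values=True)
        for mac in form.get('AddMAC', []):
            if MAC_RE.match(mac):
                continue  # well-formed MAC: nothing to report
            if SHELL_META_RE.search(mac):
                findings.append('shell metacharacters in AddMAC: %r' % mac[:40])
            else:
                findings.append('malformed AddMAC value: %r' % mac[:40])
    return findings


def scan(requests):
    """Return (index, findings) for every request that produced a finding."""
    hits = []
    for idx, req in enumerate(requests):
        findings = analyse_request(req)
        if findings:
            hits.append((idx, findings))
    return hits


# Constructed sample traffic: one benign lease, one injection attempt shaped
# like the IoC command above, one unrelated dashboard request.
SAMPLE_REQUESTS = [
    {'method': 'POST', 'url': '/admin/settings.php?tab=piholedhcp',
     'cookie': 'PHPSESSID=3f9c1d2e7a',
     'body': urlencode({'AddMAC': 'aa:bb:cc:dd:ee:ff', 'AddIP': '192.168.1.50',
                        'AddHostname': 'printer', 'addstatic': ''})},
    {'method': 'POST', 'url': '/admin/settings.php?tab=piholedhcp',
     'cookie': 'PHPSESSID=cabesha',
     'body': urlencode({'AddMAC': 'aaaaaaaaaaaa&&W=${PATH#/???/}&&echo',
                        'AddIP': '192.168.1.51', 'AddHostname': 'x',
                        'addstatic': ''})},
    {'method': 'GET', 'url': '/admin/index.php',
     'cookie': 'PHPSESSID=3f9c1d2e7a', 'body': ''},
]

if __name__ == '__main__':
    for idx, findings in scan(SAMPLE_REQUESTS):
        print('request %d:' % idx)
        for finding in findings:
            print('  -', finding)
```

The MAC check is the durable part: the session-id indicator only catches one published script, while any value in AddMAC that is not six hex octets has no legitimate reason to exist in a static lease and should be alerted on regardless of which payload follows it.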
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
GHSA
GHSA-v4fw-xc8h-7p52: Pi-hole Web v4
ghsa, unreviewed · 2022-05-24 · CVE-2020-8816 · MEDIUM · CWE-78
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
VulnCheck
Pi-Hole AdminLTE Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 7.2 · CVE-2020-8816 · HIGH · CWE-78
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Affected: Pi-hole AdminLTE
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/b5bf7ad01990; https://vulncheck.com/xdb/d538eb462f37; https://vulncheck.com/xdb/2ea27aaa590f
Remediation Due: 2022-06-10
CISA
Pi-Hole AdminLTE Remote Code Execution Vulnerability
cisa · 2021-12-10 · CVSS 7.2 · CVE-2020-8816 · HIGH · CWE-78
Affected: Pi-hole AdminLTE
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8816
Remediation Due Date: 2022-06-10
No detection rules found.
Exploit-DB
Pi-hole 4.3.2 - Remote Code Execution (Authenticated)
exploitdb · 2020-08-04 · CVSS 7.2 · CVE-2020-8816 · HIGH
---
#!/usr/bin/env python2
# Exploit Title: Pi-hole 4.3.2 - Remote Code Execution (Authenticated)
# Date: 2020-08-04
# Exploit Author: Luis Vacas @CyberVaca
# Vendor Homepage: https://pi-hole.net/
# Software Link: https://github.com/pi-hole/pi-hole
# Version: >= 4.3.2
# Tested on: Ubuntu 19.10
# CVE : CVE-2020-8816
# Twitter: https://twitter.com/cybervaca_

import requests
import argparse
import base64


class Color:
    PURPLE = '\033[95m'
    CYAN = '\033[96m'
    DARKCYAN = '\033[36m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    END = '\033[0m'


def informa(msg):
    print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " + msg )


def get_args():
    parser = argparse.Argument
Metasploit
Pi-Hole DHCP MAC OS Command Execution
metasploit
This exploits a command execution in Pi-Hole <= 4.3.2. A new DHCP static lease is added with a MAC address which includes an RCE. Exploitation requires /opt/pihole to be first in the $PATH due to exploitation constraints. DHCP server is not required to be running.
References
- http://packetstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.html
- http://packetstormsecurity.com/files/158737/Pi-hole-4.3.2-Remote-Code-Execution.html
- https://github.com/pi-hole/AdminLTE/commits/master
- https://github.com/pi-hole/AdminLTE/pull/1165
- https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3
- https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/
- https://twitter.com/Nate_Kappa/status/1243900213665902592?s=20
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8816
Timeline
- 2020-05-29: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild