CVE-2021-32706
Published 2021-08-04
Priority P2 · 74 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tag: EXPLOIT
EPSS: 60.18% (99.0th percentile)
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pi-hole | adminlte | < 5.5.1 | 5.5.1 |
| pi-hole | pi-hole | < 5.5.1 | 5.5.1 |
Detection & IOCs (extracted from sources)
url: /admin/
snort:
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M1 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"domains=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033934; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_09_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
snort:
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M2 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"clients=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033935; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_09_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
bytes: `domains=*` immediately followed by one of the shell metacharacters `;`, newline, `&`, `` ` ``, `|`, `$`, `>`
bytes: `clients=*` immediately followed by one of the shell metacharacters `;`, newline, `&`, `` ` ``, `|`, `$`, `>`
- Exploit traffic is an authenticated HTTP POST to /admin/ with a request body containing `domains=*` or `clients=*` immediately followed by a shell metacharacter (0x3b `;`, 0x0a newline, 0x26 `&`, 0x60 backtick, 0x7C `|`, 0x24 `$`, 0x3e `>`). Monitor for these patterns to detect RCE attempts via the Top Domains/Top Advertisers API fields.
- The vulnerability is in the `validDomainWildcard` preg_match filter: one period is unescaped, allowing any character (including shell metacharacters) to pass through. The injected payload is later executed via the Pi-hole gravity functionality.
- The Metasploit module targets the Pi-hole Top Domains API endpoint. Detection should focus on authenticated POST requests to the /admin/ path that include wildcard (`*`) values in domain/client fields combined with command injection characters.
- Exploitation requires authentication to the Pi-hole Web Interface. Unauthenticated access alone is not sufficient to trigger RCE.
- The regex filter only allows a-z, 0-9, and underscore characters; injection is only possible via the unescaped period bypass. Payloads must conform to this character constraint before the metacharacter injection.
- The vulnerability is fixed in Pi-hole Web Interface version 5.5.1. Instances running 5.5.1 or later are not affected.
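As an added example (not code from this page, Emerging Threats or the Pi-hole project), the matching logic of the two ET rules quoted under Detection & IOCs re-implemented in Python and run over constructed sample requests. The URIs and bodies are made up; the optional form-decoding pass is an extension beyond the raw-byte rules, so that a percent-encoded metacharacter in a form-encoded body is still seen.

```python
import re
from urllib.parse import unquote_plus

# Constructed re-implementation of ET sids 2033934 (domains=*) and 2033935
# (clients=*): the rules fire on a POST whose URI contains /admin/ and whose
# body carries "domains=*" or "clients=*" immediately followed by one of the
# shell metacharacters ; \n & ` | $ >  (0x3b 0x0a 0x26 0x60 0x7c 0x24 0x3e).
SIGNATURE = re.compile(r"(?P<field>domains|clients)=\*[;\n&`|$>]")


def match_cve_2021_32706(method: str, uri: str, body: str, decode: bool = True):
    """Return the flagged field name ('domains' or 'clients') or None.

    With decode=True the form-decoded body is inspected as well. That goes
    beyond the ET rules, which match raw bytes only, and catches the same
    pattern when the metacharacter arrives percent-encoded.
    """
    if method.upper() != "POST" or "/admin/" not in uri:
        return None
    candidates = [body]
    if decode:
        candidates.append(unquote_plus(body))
    for text in candidates:
        m = SIGNATURE.search(text)
        if m:
            return m.group("field")
    return None


# Constructed sample requests (method, uri, body); the URI is the /admin/
# path from the rules, the bodies are made up for this self-check.
SAMPLES = [
    ("POST", "/admin/", "domains=*;x&clients=foo"),   # raw metacharacter: flagged
    ("POST", "/admin/", "clients=*%7Cx"),             # encoded: flagged only with decode
    ("POST", "/admin/", "domains=example_org"),       # ordinary filter value
    ("GET", "/admin/?domains=*;x", ""),               # wrong method
    ("POST", "/other/", "domains=*;x"),               # wrong path
]


def scan(samples=SAMPLES, decode=True):
    """Return [(index, field)] for every sample the signature logic flags."""
    hits = []
    for i, (method, uri, body) in enumerate(samples):
        field = match_cve_2021_32706(method, uri, body, decode)
        if field:
            hits.append((i, field))
    return hits
```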
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No advisories linked to this vulnerability.
Suricata rules (suricata · 2021-09-13 · CVSS 7.6), rule text as listed under Detection & IOCs:
- CVE-2021-32706 [HIGH] ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M1 (CVE-2021-32706), sid 2033934
- CVE-2021-32706 [HIGH] ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M2 (CVE-2021-32706), sid 2033935
No writeups or analysis indexed.