Pi-hole Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution exists in Pi-hole versions prior to 3.3. When a domain is added to the whitelist (allowlist) through the web interface, the submitted 'domain' parameter is passed into an operating system command without being sanitized or quoted. An authenticated user can therefore append shell metacharacters and additional OS commands to the domain string, and the web server executes them with the privileges of the Pi-hole service user. The issue was present in the legacy AdminLTE web interface and has been patched in later versions.

Impact

Exploitation allows an authenticated user of the admin interface to execute arbitrary commands on the host operating system with the privileges of the Pi-hole service user. Because the admin interface is protected by a single shared password rather than per-user accounts, anyone holding that password, or able to reuse an authenticated browser session, can reach the vulnerable code path.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to the 'add.php' or 'sub.php' script in the Pi-hole admin interface with a 'domain' parameter that contains shell metacharacters followed by OS commands; the appended commands are executed on the server when the script shells out to add or remove the entry. The request can be sent manually or with a Metasploit module that exploits the same vulnerability.
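To make the mechanism described in the Vulnerability and Reproduction sections concrete, the following PHP is an added example, not Pi-hole's or AdminLTE's own code: it shows the unsafe pattern of interpolating a request parameter into a shell command line beside a hardened version that validates the domain against a strict hostname grammar and quotes it with escapeshellarg(). The command line 'sudo pihole -w -q <domain>', the function names, and the sample inputs are assumptions for illustration. The functions return the command string instead of executing it so the effect of each input can be inspected safely.

```php
<?php
// Added example (not Pi-hole/AdminLTE source): unsafe vs. hardened handling of
// a user-supplied domain that is passed to a shell command. The exec() target
// "sudo pihole -w -q" is an assumed command line used only for illustration.

declare(strict_types=1);

// UNSAFE: the request parameter is concatenated into the command line.
// A constructed value such as "example.com; id" makes the shell run `id`
// after the intended command. Returned rather than exec()'d so it is inspectable.
function addToWhitelistUnsafe(string $domain): string
{
    return "sudo pihole -w -q " . $domain;
}

// Allow-list validation: RFC 1123 hostname labels only (1-63 chars each,
// letters/digits/hyphen, no leading or trailing hyphen), max 253 chars,
// optional trailing dot. Anything else, including every shell metacharacter,
// is rejected before it can reach a command line.
function isValidDomain(string $domain): bool
{
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*\.?$/', $domain) === 1;
}

// SAFE: validate first, then quote so the shell receives exactly one argument.
// Quoting alone closes the shell boundary; validation additionally keeps
// unexpected input away from the `pihole` script that runs afterwards.
function addToWhitelistSafe(string $domain): ?string
{
    if (!isValidDomain($domain)) {
        return null;
    }
    return "sudo pihole -w -q " . escapeshellarg($domain);
}

// Demonstration with constructed inputs: one benign domain, two injection
// attempts using different shell syntax, and one malformed name.
$inputs = ["example.com", "example.com; id", "example.com\$(id)", "ex ample.com"];
foreach ($inputs as $in) {
    printf("%-24s unsafe: %s\n", json_encode($in), addToWhitelistUnsafe($in));
    printf("%-24s safe:   %s\n", '', addToWhitelistSafe($in) ?? 'REJECTED');
}
```

Run with `php example.php`. The unsafe output shows the injected text sitting unquoted on the command line, which is exactly what the shell would execute; the hardened version rejects the three bad inputs outright and, for the benign domain, produces a single quoted argument. Rejecting before quoting matters because escapeshellarg() only protects the shell boundary, not whatever the downstream command does with an odd-looking argument.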

Remediation

Upgrade Pi-hole and its AdminLTE web interface to version 4.0 or later, where this vulnerability has been patched. Until the upgrade is applied, restrict network access to the admin interface to trusted hosts and rotate the admin password if it may have been exposed, since any holder of that password can exploit the issue.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact         10.0
exploitability  5.8
remediation     7.7
relevance       0.2
threat          7.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.