Pi-hole
cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*
- 6.4
A local privilege escalation vulnerability has been identified in Pi-hole version 6.4, allowing code execution as root from the low-privilege pihole account. The pihole account is restricted from interactive login, but this does not prevent execution of code as the pihole user if a Pi-hole component is compromised. In such a scenario, attacker-controlled content in the '/etc/pihole/versions' file is executed by Pi-hole scripts running as root, leading to unauthorized root access. This vulnerability has been patched in version 6.4.1.
Exploitation of this vulnerability allows for local privilege escalation, with full root access gained from the pihole account. This could lead to a complete compromise of the host, including potential tampering with DNS settings, establishing persistence, and lateral movement within a network.
To reproduce the vulnerability, first confirm that the '/etc/pihole/versions' file is writable by the pihole user. After backing up the original file, simulate a compromise by appending a command to the versions file, using a shell command to write the payload into it. When Pi-hole then executes the file's contents as root, the appended command runs as root, which proves root access.
Users can update to Pi-hole version 6.4.1 to address this vulnerability.
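To check a host for the condition described above, the following audit script flags a versions file (or its parent directory) that a non-root account can modify, and any line in it that is not a plain assignment. It is an added example, not Pi-hole's own code; the function names are hypothetical, it assumes legitimate content is only `NAME=value` lines, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit the file named in the advisory. Function names are hypothetical.
# Assumption: legitimate content is only plain NAME=value lines.

# Succeeds (0) if the path is owned by a non-root user or is group/world-writable.
writable_by_nonroot() {
    owner=$(stat -c '%u' "$1") || return 2   # GNU stat (Linux)
    mode=$(stat -c '%a' "$1") || return 2
    if [ "$owner" != 0 ]; then return 0; fi
    case "$mode" in
        *[2367]?|*[2367]) return 0 ;;        # group or other write bit set
    esac
    return 1
}

# Succeeds (0) and prints offending lines if any line is not a plain assignment.
has_suspicious_lines() {
    grep -nEv '^([A-Z_][A-Z0-9_]*=[A-Za-z0-9._/+-]*)?$' "$1"
}

# Returns 0 when nothing was flagged, 1 otherwise.
audit_versions_file() {
    rc=0
    for p in "$1" "$(dirname "$1")"; do
        if writable_by_nonroot "$p"; then
            echo "WARN: $p can be modified by a non-root account"
            rc=1
        fi
    done
    if has_suspicious_lines "$1"; then
        echo "WARN: $1 contains lines that are not plain NAME=value assignments"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit_versions.sh /etc/pihole/versions
if [ "$#" -gt 0 ]; then
    audit_versions_file "$1"
fi
```

A warning is a heuristic result: confirm the installed Pi-hole version and review the flagged lines before drawing conclusions.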