Pi-hole Admin Interface
cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*
- <= v5.21
A critical OS command injection vulnerability has been identified in the Pi-hole Admin Interface in versions prior to 6.0. The issue is in savesettings.php, which takes the user-controlled 'webtheme' POST parameter and concatenates it directly into a system command line that is then run through PHP's exec(), without validating it against the set of known theme names or escaping it. Because exec() hands the string to /bin/sh, an attacker can terminate the intended Pi-hole command with a semicolon and append arbitrary commands of their own. Note that the sudo prefix on the intended command applies only to that first command: anything appended after the semicolon runs as the web server's own user, not as root. Whether the attacker can go on to obtain root depends on what that user is allowed to run through sudo on the host.
Exploitation therefore gives arbitrary command execution on the server as the web server user, with a realistic path to privilege escalation and full system compromise through the same sudo rules that let the interface run the pihole command.
To reproduce this vulnerability, send a POST request to savesettings.php, as an authenticated admin user and with the other fields the settings form normally submits (including its CSRF token; the simplest approach is to capture a legitimate settings save in the browser and alter only the 'webtheme' value), with 'webtheme' set to a legitimate value such as 'default' followed by a semicolon and the injected command. For example, the value 'default; id > /tmp/hacked.txt' makes the shell run the intended theme command and then 'id', writing its output to a file named 'hacked.txt' in '/tmp'. The owner of that file shows which account the injected command actually ran as.
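The vulnerable pattern described above, and how the reproduction value is handled by it and by a hardened version, as an added example. This is not Pi-hole's own code: the command string, the function names and the theme allow-list are stand-ins for illustration, and the allow-list must be replaced by the application's real set of theme names.

```php
<?php
// Added example, not Pi-hole's code: a minimal stand-in for how the
// 'webtheme' POST parameter reaches a shell command, vulnerable and hardened.

// Constructed attacker value, as submitted in the 'webtheme' field.
$webtheme = "default; id > /tmp/hacked.txt";

// VULNERABLE pattern: the raw parameter is concatenated into a command line.
// exec() runs the string through /bin/sh, which treats ';' as a separator,
// so the text after it becomes a second, attacker-chosen command.
function build_theme_command_vulnerable(string $webtheme): string
{
    return "sudo pihole -a theme " . $webtheme;
}

// HARDENED: accept only a known theme name, then quote the argument anyway.
// These names are assumed for the example; use the application's real list.
const KNOWN_THEMES = ['default-light', 'default-dark', 'default-darker', 'default-auto', 'lcars'];

function build_theme_command_hardened(string $webtheme): ?string
{
    // Strict comparison so no type juggling lets an odd value through.
    if (!in_array($webtheme, KNOWN_THEMES, true)) {
        return null; // reject the request; nothing is executed
    }
    // escapeshellarg() is defence in depth: the allow-list already guarantees
    // the value contains no shell metacharacters.
    return "sudo pihole -a theme " . escapeshellarg($webtheme);
}

echo "vulnerable: " . build_theme_command_vulnerable($webtheme) . "\n";
// /bin/sh splits this at ';': 'sudo pihole -a theme default' runs as root,
// then 'id > /tmp/hacked.txt' runs as the web server user, because sudo does
// not carry across the separator.

$safe = build_theme_command_hardened($webtheme);
echo "hardened (attacker value): " . ($safe ?? "rejected, not a known theme") . "\n";

// A legitimate value still works and is passed as a single quoted argument.
echo "hardened (legitimate value): " . build_theme_command_hardened('default-dark') . "\n";
```

The allow-list is the actual fix; quoting alone would still let any string the attacker chooses reach the pihole script as an argument, which is more surface than a theme switch needs.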
Users are advised to update to Pi-hole Web Interface version 6.0 or later, where this vulnerability has been patched.