Pi-hole FTL
cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*
- >= 6.0, < 6.6
A remote code execution vulnerability has been identified in the Pi-hole FTL engine, affecting versions from 6.0 up to, but not including, 6.6. The issue lies in the upstream DNS servers configuration parameter: because input validation is insufficient, authenticated attackers can use newline characters to inject arbitrary dnsmasq directives. The FTL server processes the injected directives, which results in execution on the underlying system.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands on the system where Pi-hole is running. Given that Pi-hole typically operates with elevated privileges, this could lead to complete control over the server. Attackers could execute system commands, install backdoors, exfiltrate sensitive data such as DNS logs and network configurations, and disrupt DNS services. In enterprise environments, such actions could cause widespread network issues or facilitate lateral movement within the organization.
To reproduce this vulnerability, an authenticated user can send a PATCH request to the /api/config endpoint with a payload that includes a malicious dnsmasq directive injection. The injected payload should contain a valid DNS server address followed by newline characters and additional directives that, when executed, could run arbitrary commands on the system.
Users can upgrade to Pi-hole FTL version 6.6 or later to address this vulnerability.
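For systems that pass user-supplied upstream values into a dnsmasq-style configuration, the check below shows the kind of validation whose absence the description above points to. It is an added example, not Pi-hole's code or its actual fix; the function name `upstream_is_safe` and the accepted format (a literal IP address with an optional `#port`) are assumptions, and the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Pi-hole's code): accept only "IP" or "IP#port". */
bool upstream_is_safe(const char *entry)
{
    char host[INET6_ADDRSTRLEN];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len = strlen(entry);

    /* Reject control characters and whitespace first: a CR or LF would
       start a new line, and so a new directive, in the written config. */
    for (size_t i = 0; i < len; i++)
        if (iscntrl((unsigned char)entry[i]) || isspace((unsigned char)entry[i]))
            return false;

    /* Split off the optional "#port" suffix. */
    const char *hash = strchr(entry, '#');
    size_t host_len = hash ? (size_t)(hash - entry) : len;
    if (host_len == 0 || host_len >= sizeof(host))
        return false;
    memcpy(host, entry, host_len);
    host[host_len] = '\0';

    if (hash) {
        /* Port must be 1 to 5 decimal digits in the range 1..65535. */
        const char *p = hash + 1;
        size_t plen = strlen(p);
        if (plen == 0 || plen > 5 || strspn(p, "0123456789") != plen)
            return false;
        long port = strtol(p, NULL, 10);
        if (port < 1 || port > 65535)
            return false;
    }

    /* The host part must parse as a literal IPv4 or IPv6 address. */
    return inet_pton(AF_INET, host, addr) == 1 ||
           inet_pton(AF_INET6, host, addr) == 1;
}

int main(void)
{
    /* Constructed sample: a valid address followed by a newline and extra text. */
    printf("%d\n", upstream_is_safe("8.8.8.8\nexample-directive=1")); /* 0 */
    return 0;
}
```

An allow-list of this kind rejects the whole value when it contains a line break, which is safer than stripping the newline and writing the remainder to the configuration.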