Pi-hole FTL Remote Code Execution Vulnerability via DHCP Hosts Newline Injection

Vulnerability

A remote code execution vulnerability has been identified in the Pi-hole FTL engine, affecting versions 6.0 up to, but not including, 6.6. The issue lies in the DHCP hosts configuration parameter: an authenticated attacker can embed newline characters in a host entry, and the text after each newline is taken by FTL as a separate, arbitrary dnsmasq directive. Those injected directives are then processed by the FTL server and result in command execution on the underlying system.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands on the system where Pi-hole is running. Given that Pi-hole typically operates with elevated privileges to manage network services, successful exploitation could lead to complete control over the server. This includes executing system commands, installing backdoors, exfiltrating sensitive data such as DNS logs and network configurations, and disrupting DNS services. In enterprise environments, such actions could cause widespread network issues or facilitate lateral movement within the organization.

Reproduction

To reproduce this vulnerability, an authenticated user can send a PATCH request to the /api/config endpoint with a payload that includes a malicious DHCP host entry. The injected payload must contain newline characters followed by dnsmasq directives, such as 'leasefile-ro' and 'dhcp-script', to execute commands via the shell when the DNS service is restarted.
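As an added example (not Pi-hole's or FTL's own code), the following shows the defensive side of the issue described above: a validator that rejects any DHCP host value containing control characters or tokens outside a small allow-list grammar, and an audit of a rendered config block that flags lines which are not dhcp-host= directives. The grammar, the renderer and the sample entries are constructed for this illustration and deliberately simplify dnsmasq's real dhcp-host syntax.

```python
import re

# Allow-list grammar for one dnsmasq dhcp-host value. Assumption: a simplified
# subset of dnsmasq's real syntax written for this example, not FTL's own code.
MAC_RE = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
IPV4_RE = r"(?:\d{1,3}\.){3}\d{1,3}"
HOSTNAME_RE = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
LEASE_RE = r"(?:infinite|\d+[smhd]?)"
TOKEN_RE = re.compile(
    rf"^(?:{MAC_RE}|{IPV4_RE}|{HOSTNAME_RE}|{LEASE_RE}|id:[^,]+|set:[A-Za-z0-9_-]+|ignore)$"
)
# Any control character (CR, LF, NUL, ...) can terminate the dhcp-host= line and
# start a new directive when the value is written into a dnsmasq config file.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_dhcp_host(entry: str) -> tuple:
    """Return (ok, reason). Reject anything that could escape its dhcp-host= line."""
    if CONTROL_CHARS.search(entry):
        return False, "control character (newline, CR, ...) not allowed"
    if not entry or len(entry) > 255:
        return False, "empty or too long"
    for tok in entry.split(","):
        if not TOKEN_RE.match(tok):
            return False, f"unexpected token: {tok!r}"
    return True, "ok"


def render_dhcp_hosts(entries):
    """Write one dhcp-host= line per entry, the way a naive config writer would
    (constructed for this example, not FTL's actual renderer)."""
    return "".join(f"dhcp-host={e}\n" for e in entries)


def audit_rendered(config_text: str) -> list:
    """Detection side: every non-empty line of the rendered block must be a
    dhcp-host= directive; anything else was smuggled in through a value."""
    return [ln for ln in config_text.splitlines() if ln and not ln.startswith("dhcp-host=")]


if __name__ == "__main__":
    # Constructed sample values: one well-formed entry, one carrying an embedded
    # newline followed by a directive name taken from the advisory text.
    good = "aa:bb:cc:dd:ee:ff,192.168.1.10,printer,12h"
    bad = "aa:bb:cc:dd:ee:ff,192.168.1.10\ndhcp-script=/path/to/script"
    for e in (good, bad):
        print(repr(e), "->", validate_dhcp_host(e))
    print("injected directives:", audit_rendered(render_dhcp_hosts([good, bad])))
```

Running the audit over the config FTL actually writes (rather than the toy renderer here) gives a cheap post-deployment check that no configuration value has turned into an extra directive.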

Remediation

Users can upgrade to Pi-hole FTL version 6.6 or later to address this vulnerability.

Added: Apr 7, 2026, 4:40 PM
Updated: Apr 7, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.