Pi-hole FTL Newline Injection Vulnerability in dns.interface Configuration Field Allowing Remote Code Execution via DHCP
Vulnerability
A vulnerability in Pi-hole FTL versions prior to 6.6.1 allows newline injection in the dns.interface configuration field. Because the value is written into the dnsmasq configuration without rejecting embedded newlines, a network-adjacent attacker can inject arbitrary dnsmasq directives. On systems with no admin password set, the configuration API is accessible without credentials. Exploitation involves injecting a dhcp-script directive, enabling the DHCP server, and having commands executed on the host when a device requests a DHCP lease. The injected directive persists in the configuration file and survives restarts.
Impact
Successful exploitation allows arbitrary command execution on the host running Pi-hole FTL, triggered by a DHCP lease event. The injection also persists across restarts, because the malicious payload is saved in the pihole.toml configuration file.
Reproduction
To reproduce this vulnerability, first ensure that Pi-hole FTL version 6.6 is running on a Raspberry Pi without an admin password set. The vulnerability can be exploited by sending a PATCH request to the /api/config endpoint with a payload that includes a newline character in the dns.interface field. The injected value bypasses the validation checks and is written directly into the dnsmasq configuration. Once the DHCP server is enabled, the injected script is executed the next time a device on the network requests a DHCP lease.
Remediation
Users can update to Pi-hole FTL version 6.6.1 or later, where this vulnerability has been fixed.
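As an added illustration of the bug class (example code, not Pi-hole's own code and not the 6.6.1 fix): rendering an interface value into a dnsmasq directive without rejecting control characters, beside a hardened version that refuses anything that is not a plain interface name, plus an audit that flags unexpected directives such as dhcp-script in a generated config fragment. The interface-name pattern and the directive allowlist are assumptions made for this example.

```python
import re

# Linux interface names are at most 15 characters and never contain whitespace
# or control characters; this allowlist is an assumption for the example, not
# Pi-hole's own validation rule.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")

# Directives expected in a minimal generated dnsmasq fragment (constructed
# allowlist for the audit; tune it to the fragment your deployment produces).
EXPECTED_DIRECTIVES = {"interface", "bind-interfaces", "server", "cache-size"}


def render_interface(value: str) -> str:
    """Unvalidated rendering: a newline inside the value becomes a second
    directive line in the dnsmasq config (the bug class described above)."""
    return f"interface={value}\n"


def render_interface_hardened(value: str) -> str:
    """Hardened rendering: reject anything that is not a plain interface name
    before it is ever written into the configuration."""
    if not IFACE_RE.fullmatch(value):
        raise ValueError(f"invalid interface name: {value!r}")
    return render_interface(value)


def audit_dnsmasq_config(text: str, expected=EXPECTED_DIRECTIVES) -> list:
    """Return (line_no, directive) for every directive not in the allowlist,
    e.g. a dhcp-script line that should never appear in this fragment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split("=", 1)[0].strip()
        if directive not in expected:
            findings.append((n, directive))
    return findings


if __name__ == "__main__":
    # Constructed sample: an interface value carrying an embedded newline.
    tainted = "eth0\ndhcp-script=/placeholder/path"
    print(render_interface(tainted).count("\n"))            # 2 directive lines
    print(audit_dnsmasq_config(render_interface(tainted)))  # flags dhcp-script
    try:
        render_interface_hardened(tainted)
    except ValueError as err:
        print("rejected:", err)
```

Running the audit over the dnsmasq fragment Pi-hole generates is a cheap post-incident check for a persisted injection, independent of the FTL version in use.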