Pi-hole Local Privilege Escalation Vulnerability via Unvalidated Config Paths in Root-Executed Service Hooks

Vulnerability

A local privilege escalation vulnerability has been identified in Pi-hole Core versions from 6.0 up to but not including 6.4.2, and in FTL versions before 6.6.1. Two shell scripts, 'pihole-FTL-prestart.sh' and 'pihole-FTL-poststop.sh', are executed as root by systemd. These scripts read the 'files.pid' path from the Pi-hole configuration file without validating it and then use it in privileged file operations. An attacker with Pi-hole privileges can point 'files.pid' at an arbitrary path and cause root to delete and recreate any file on the system outside of protected directories, thereby gaining write access to it. On a default Pi-hole installation, this can be used to alter SSH authorized keys, allowing local privilege escalation to root.

Impact

Exploitation of this vulnerability allows for local privilege escalation to root by manipulating SSH authorized keys. Additionally, the vulnerability could be exploited to delete or corrupt critical system files, such as the package manager's status file, causing service disruptions.

Reproduction

The vulnerability can be reproduced by writing an arbitrary path into the 'files.pid' configuration option, which is accessible to the non-root 'pihole' user. After injecting the malicious path, the 'pihole-FTL' service can be restarted, triggering the exploitation. This can be done by killing the service process, which will prompt systemd to execute the 'pihole-FTL-prestart.sh' script as root, where the injected path will be used in a file operation. If the path points to a file that can be manipulated, such as the SSH authorized keys file, the exploitation will result in local privilege escalation to root.

Remediation

Users can upgrade to Pi-hole Core version 6.4.2 or FTL version 6.6.1, where this vulnerability has been fixed.
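The root cause described above is a privileged hook trusting a path from a config file that a less-privileged account can edit. The following is an added example, not Pi-hole's own prestart script, showing the kind of validation such a hook should perform before it deletes or recreates anything: the path must be absolute, free of traversal components, a plain filename directly inside one allowed directory, and not a symlink. The TOML extractor, the '[files]' section name, the 'pid' key and the default allowed directory '/run' are assumptions made for this example, and the sample configuration is constructed inline.

```shell
#!/bin/sh
# Added example: hardened handling of a PID-file path read from a config file
# that a non-root user can write. Not Pi-hole's own code; section/key names and
# the allowed directory are assumptions for this example.

ALLOWED_DIR="${ALLOWED_DIR:-/run}"   # assumption: the only directory a PID file may live in

# pid_path_from_toml FILE
# Print the value of the "pid" key inside the "[files]" section (assumed layout).
pid_path_from_toml() {
    awk -F'"' '
        /^[[:space:]]*\[/ { gsub(/[[:space:]]/, ""); sect = $0; next }
        sect == "[files]" && $1 ~ /^[[:space:]]*pid[[:space:]]*=/ { print $2; exit }
    ' "$1"
}

# validate_pid_path PATH
# Return 0 only if PATH is safe for a privileged delete-and-recreate; otherwise
# print the reason to stderr and return 1.
validate_pid_path() {
    p="$1"
    # 1. Must be absolute.
    case "$p" in
        /*) ;;
        *) echo "reject: not absolute: $p" >&2; return 1 ;;
    esac
    # 2. No "..", "." or empty components anywhere in the path.
    case "$p/" in
        */../*|*/./*|*//*) echo "reject: traversal or empty component: $p" >&2; return 1 ;;
    esac
    dir=$(dirname -- "$p")
    base=$(basename -- "$p")
    # 3. Parent directory must be exactly the allowed directory (no subdirectories).
    [ "$dir" = "$ALLOWED_DIR" ] || { echo "reject: outside $ALLOWED_DIR: $p" >&2; return 1; }
    # 4. Conservative filename: no hidden files, no unusual characters.
    case "$base" in
        *[!A-Za-z0-9._-]*|.*) echo "reject: bad filename: $base" >&2; return 1 ;;
    esac
    # 5. Never follow a symlink: rm/recreate on a link would land elsewhere.
    if [ -L "$p" ]; then
        echo "reject: symlink: $p" >&2; return 1
    fi
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        echo "reject: not a regular file: $p" >&2; return 1
    fi
    return 0
}

# prepare_pid_file PATH
# What a prestart hook would do after validation: remove any stale file and
# recreate it empty with a restrictive mode. Refuses if validation fails.
prepare_pid_file() {
    validate_pid_path "$1" || return 1
    rm -f -- "$1"
    (umask 077 && : > "$1")
}

# Stand-alone usage: audit a config file and report whether its pid path is acceptable.
if [ -n "$1" ]; then
    cfg_pid=$(pid_path_from_toml "$1")
    if validate_pid_path "$cfg_pid"; then
        echo "ok: files.pid=$cfg_pid"
    else
        echo "UNSAFE files.pid=$cfg_pid in $1"
    fi
fi
```

Run it as 'sh check-pid-path.sh /etc/pihole/pihole.toml' (file name assumed) to audit an existing configuration. The check is deliberately an allowlist on the directory rather than a denylist of sensitive files, because any denylist misses the next sensitive path; the symlink test matters because a path inside the allowed directory can still point outside it.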

Added: May 11, 2026, 9:30 PM
Updated: May 11, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.2
exploitability: 4.8
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.