CVE-2020-11108 : The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

Published 2020-05-11 15:15:11

Updated 2020-05-27 18:15:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-11108

Pi-hole » Pi-hole
Versions up to, including, (<=) 4.4
cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2020-11108

Top countries where our scanners detected CVE-2020-11108

Top open port discovered on systems with this issue 22

IPs affected by CVE-2020-11108 1

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2020-11108!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-11108

EPSS FAQ

96.91%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-11108

Pi-Hole heisenbergCompensator Blocklist OS Command Execution

Disclosure Date: 2020-05-10

First seen: 2020-05-18

exploit/unix/http/pihole_blocklist_exec

This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporte

More information

CVSS scores for CVE-2020-11108

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-11108

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-11108

http://packetstormsecurity.com/files/157623/Pi-hole-4.4-Remote-Code-Execution.html

Pi-hole 4.4 Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/157748/Pi-Hole-heisenbergCompensator-Blocklist-OS-Command-Execution.html

Pi-Hole heisenbergCompensator Blocklist OS Command Execution ≈ Packet Storm
https://github.com/Frichetten/CVE-2020-11108-PoC

GitHub - Frichetten/CVE-2020-11108-PoC: PoCs for CVE-2020-11108; an RCE and priv esc in Pi-hole
Exploit;Third Party Advisory
http://packetstormsecurity.com/files/157624/Pi-hole-4.4-Remote-Code-Execution-Privilege-Escalation.html

Pi-hole 4.4 Remote Code Execution / Privilege Escalation ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/157839/Pi-hole-4.4.0-Remote-Code-Execution.html

Pi-hole 4.4.0 Remote Code Execution ≈ Packet Storm
https://frichetten.com/blog/cve-2020-11108-pihole-rce/

CVE-2020-11108: How I Stumbled into a Pi-hole RCE+LPE
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-11108