Leak in web interface Pi-Hole made remote code execution possible
A security researcher has discovered a vulnerability in Pi-Hole that allowed remote code execution. That has now been resolved. Attackers could also exploit the vulnerability from outside if they could log into the interface.
The flaw was in the way users had to enter MAC addresses in the web interface. The researcher writes that the application did not correctly validate the input. It was therefore possible to enter arbitrary code instead of a MAC address. There are some obstacles to this method, however. For example, that code may not contain capital letters, while Linux commands are case sensitive. Also, an attacker must be able to log in to the web interface in the first place. Not all Pi-Hole users have their system open to the outside.
The discoverer says he found 150 Pi-Hole machines via Shodan that were accessible from the internet. The vulnerability is in version 4.3.2 of Pi-Hole. That is the version from September 2019. Newer versions have since been released in which the leak has been fixed, after the researcher told the makers.