Pi-hole ad-blocking technology hack exposed

guest · Apr 1, 2020

Pi-hole ad-blocking technology hack exposed
March 30, 2020
https://portswigger.net/daily-swig/pi-hole-ad-blocking-technology-hack-exposed

A security researcher has uncovered a neat – though far from critically dangerous – security vulnerability in Pi-hole, the network-based content filtering technology that’s popular with privacy-conscious web users.

Security researcher François Renaud-Philippon discovered a remote code execution (RCE) vulnerability that meant an authenticated web portal user could hack into the underlying server.
The flaw (CVE-2020-8816) affects Pi-hole version 4.3.2 and earlier.

Despite the fact that the possibility of exploitation is quite low, the security flaw is still an interesting find, as illustrated by a comprehensive write-up of the vulnerability and accompanying proof-of-concept exploit.
Click to expand...

CVE-2020-8816 – Pi-hole Remote Code Execution

Impact
Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary command with the underlying server with the privileges of the local user executing the service.
Exploitation of this vulnerability can be automated.
What is Pi-hole?
Pi-Hole is a DNS server specialized in content-filtering. It also features a DHCP server. According to Pi-hole LLC:

The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.
Technical Analysis [...]
Click to expand...

summerheat · Apr 1, 2020

As mentioned in that report the vulnerability was fixed in v. 4.3.3 in February. And since Pi-hole does an automatic update check and available updates are shown in its web interface this vulnerability should not be a problem for most users.

Log in or Sign up

Pi-hole ad-blocking technology hack exposed

guest Guest

summerheat Registered Member

Log in or Sign up

Pi-hole ad-blocking technology hack exposed

guest Guest

summerheat Registered Member

Useful Searches