
Pi-hole 4.4.0 Remote Code Execution - LinuxBender
https://packetstormsecurity.com/files/157839/Pi-hole-4.4.0-Remote-Code-Execution.html
======
slenk
FWIW 5.0 has been out for a bit and addresses this vuln.

Also, here is actual info about the vuln:
[https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi...](https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/)

~~~
pstrateman
When 5.0 was released the comments were full of people saying they had
forgotten about the pi hole they were using.

I bet most installs are running very old software.

~~~
lilSebastian
That tends to happen with 'it just works' solutions, until it either doesn't
or causes some other problem

------
coolspot
Vulnerability requires web access and password for the pi-hole.

~~~
pocw
^Thanks for that. I was frantically looking to patch my pihole till I saw this
comment.

Everyone else, action item: Make sure your pihole web interface is not public
(duh) and that you set a non-trivial password (sorta duh)

------
smithza
How would privilege escalation work in this case?

~~~
drjasonharrison
Regarding the older CVE-2020-8816: The code sent in the request is executed
using sudo. From there, the code can use curl/wget to download a script from a
specified server, and execute the script as root and take over the device.

For this CVE, here is a description:

[https://frichetten.com/blog/cve-2020-11108-pihole-rce/](https://frichetten.com/blog/cve-2020-11108-pihole-rce/)

