Skip to content

Improper session handling of "Remember me for 7 days" functionality

High
PromoFaux published GHSA-33w4-xf7m-f82m Jan 25, 2023

Package

Pi-hole Web

Affected versions

4.0 <= x <= 5.18.2

Patched versions

v5.18.3

Description

Summary

Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value make it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie.

It also exposes the hash over the network and stores it unnecessarily in the browser.

Details

The "Remember me for 7 days" functionality introduced by the pull request 743 makes use of the admin WEBPASSWORD hash as the value of the related cookie.

This usage causes the following security problems:

  1. The cookie itself is set to expire after 7 days, but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed.
  2. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash).
  3. The hash is exposed over the network and in the browser where the cookie is transmitted and stored.

PoC

To reproduce the problem a user can login setting the "Remember me for 7 days" checkbox on the login page.

A cookie named "persistentlogin" will be issued to its browser and its value will match the admin WEBPASSWORD hash present in the setupVars.conf file.

Arbitrarily setting a cookie with the same value will allow the user to login even after 7 days.

The following source code snippets are taken from password.php file:

// Read setupVars.conf file
$setupVars = parse_ini_file('/etc/pihole/setupVars.conf');
// Try to read password hash from setupVars.conf
if (isset($setupVars['WEBPASSWORD'])) {
    $pwhash = $setupVars['WEBPASSWORD'];
} else {
    $pwhash = '';
}
    ...
    if (hash_equals($pwhash, $_COOKIE['persistentlogin'])) {
         $_SESSION['auth'] = true;
    ...
         setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
    ...
    if (isset($_POST['persistentlogin'])) {
        // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
        setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
    }

Impact

The vulnerabilities can be classified as "improper session handling", "information leakage" and "use of password hash instead of password for authentication" and impact the security of the authentication and session handling mechanism.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-23614

Credits