Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-23614: Improper session handling of "Remember me for 7 days" functionality

Pi-hole®’s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as “Remember me for 7 days” cookie value makes it possible for an attacker to “pass the hash” to login or reuse a theoretically expired “remember me” cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn’t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.

CVE
#vulnerability#web#php#auth

Affected versions

4.0 <= x <= 5.18.2

Summary

Improper use of admin WEBPASSWORD hash as “Remember me for 7 days” cookie value make it possible for an attacker to “pass the hash” to login or reuse a theoretically expired “remember me” cookie.

It also exposes the hash over the network and stores it unnecessarily in the browser.

Details

The “Remember me for 7 days” functionality introduced by the pull request 743 makes use of the admin WEBPASSWORD hash as the value of the related cookie.

This usage causes the following security problems:

  1. The cookie itself is set to expire after 7 days, but its value will remain valid as long as the admin password doesn’t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed.
  2. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash).
  3. The hash is exposed over the network and in the browser where the cookie is transmitted and stored.

PoC

To reproduce the problem a user can login setting the “Remember me for 7 days” checkbox on the login page.

A cookie named "persistentlogin" will be issued to its browser and its value will match the admin WEBPASSWORD hash present in the setupVars.conf file.

Arbitrarily setting a cookie with the same value will allow the user to login even after 7 days.

The following source code snippets are taken from password.php file:

// Read setupVars.conf file $setupVars = parse_ini_file(‘/etc/pihole/setupVars.conf’); // Try to read password hash from setupVars.conf if (isset($setupVars[‘WEBPASSWORD’])) { $pwhash = $setupVars[‘WEBPASSWORD’]; } else { $pwhash = '’; }

...
if (hash\_equals($pwhash, $\_COOKIE\['persistentlogin'\])) {
     $\_SESSION\['auth'\] = true;
...
     setcookie('persistentlogin', $pwhash, time() + 60 \* 60 \* 24 \* 7, null, null, null, true);
...

if (isset($\_POST\['persistentlogin'\])) {
    // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
    setcookie('persistentlogin', $pwhash, time() + 60 \* 60 \* 24 \* 7, null, null, null, true);
}

Impact

The vulnerabilities can be classified as “improper session handling”, “information leakage” and “use of password hash instead of password for authentication” and impact the security of the authentication and session handling mechanism.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907