Headline
CVE-2023-23614: Improper session handling of "Remember me for 7 days" functionality
Pi-hole®’s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as “Remember me for 7 days” cookie value makes it possible for an attacker to “pass the hash” to login or reuse a theoretically expired “remember me” cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn’t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.
Affected versions
4.0 <= x <= 5.18.2
Summary
Improper use of admin WEBPASSWORD hash as “Remember me for 7 days” cookie value make it possible for an attacker to “pass the hash” to login or reuse a theoretically expired “remember me” cookie.
It also exposes the hash over the network and stores it unnecessarily in the browser.
Details
The “Remember me for 7 days” functionality introduced by the pull request 743 makes use of the admin WEBPASSWORD hash as the value of the related cookie.
This usage causes the following security problems:
- The cookie itself is set to expire after 7 days, but its value will remain valid as long as the admin password doesn’t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed.
- An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash).
- The hash is exposed over the network and in the browser where the cookie is transmitted and stored.
PoC
To reproduce the problem a user can login setting the “Remember me for 7 days” checkbox on the login page.
A cookie named "persistentlogin" will be issued to its browser and its value will match the admin WEBPASSWORD hash present in the setupVars.conf file.
Arbitrarily setting a cookie with the same value will allow the user to login even after 7 days.
The following source code snippets are taken from password.php file:
// Read setupVars.conf file $setupVars = parse_ini_file(‘/etc/pihole/setupVars.conf’); // Try to read password hash from setupVars.conf if (isset($setupVars[‘WEBPASSWORD’])) { $pwhash = $setupVars[‘WEBPASSWORD’]; } else { $pwhash = '’; }
...
if (hash\_equals($pwhash, $\_COOKIE\['persistentlogin'\])) {
$\_SESSION\['auth'\] = true;
...
setcookie('persistentlogin', $pwhash, time() + 60 \* 60 \* 24 \* 7, null, null, null, true);
...
if (isset($\_POST\['persistentlogin'\])) {
// setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
setcookie('persistentlogin', $pwhash, time() + 60 \* 60 \* 24 \* 7, null, null, null, true);
}
Impact
The vulnerabilities can be classified as “improper session handling”, “information leakage” and “use of password hash instead of password for authentication” and impact the security of the authentication and session handling mechanism.