
First post!

published: 2017-09-15

I shall start this blog with a very amusing tale.

Several moons ago, a pilgrim I know from the nether realms decided to install Pi-Hole on his VPS for all good patrons to use. For the uninitiated, Pi-Hole is a set of scripts that will automagically add blacklist entries to a dnsmasq DNS server to block known malware/advertising domains. No prizes for guessing that it's designed for a Raspberry Pi. Such a setup can be useful for adblocking on smaller devices, where maintaining a blacklist in the hosts file (or indeed running your own server) is not feasible.

Unwittingly, said pilgrim left the admin console accessible for world + dog to peruse! It ruffled me to find out the setup was a read-only interface, but it did allow one to see some interesting information: the top ten list of domains most queried quickly caught my eye.

I heard a whisper from the aether: "does this program actually check if the domains queried are valid, before displaying them on the web interface?"

Lo, into the shell I dove! I hewed into stone the following commandment:

    for X in {1..9000}; do dig 'anime.tiddies' @pilgrim &>/dev/null; done

which revealed the sins I was forewarned of.

[Screenshot: the top ten list, including a result of 'anime.tiddies']

A grin began to creep across my face as more thoughts came to me. "Does this program actually sanitise requests, at all, before displaying them on the web interface?"

[Screenshot: the top ten list, with an XSS example injected]

Unsanitised input is a sure indicator of HERESY.

Briefly, puzzlement extinguished my mirth as I pondered how I could exploit this XSS bug without being able to use whitespace. A short while of musing later, I discovered this: <img/src='x'/onerror=alert(document.cookie)>

My glee returned; this technique was new to me! Accordingly I then accosted the good pilgrim's server like so:

    while true; do dig <img/src="x"/onerror=document.location="lemonparty.org"> @pilgrim &>/dev/null; done

(No image for this part)
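The two questions the post raises, whether a queried name is checked for validity and whether it is escaped before being rendered, as an added example that is not Pi-hole's code: the concatenating render the dashboard effectively had, beside a hardened one, run over a constructed top-ten list. Function names, the regex and the sample rows are my own assumptions.

```javascript
// Added example (not Pi-hole's code): the two checks the post asks about,
// applied to a constructed top-ten list before it is rendered as HTML.

// RFC 1035-style hostname check: labels of letters, digits and hyphens,
// 1-63 chars, no leading/trailing hyphen, whole name at most 253 chars.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) return false;
  const labels = (name.endsWith(".") ? name.slice(0, -1) : name).split(".");
  return labels.length > 0 && labels.every((l) => LABEL_RE.test(l));
}

// Output encoding: every character that can open a tag, attribute or entity
// is replaced before the value is placed into HTML text content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Vulnerable rendering, as the post describes: the query name is concatenated
// straight into markup, so a crafted name (no whitespace needed) becomes live HTML.
function renderTopTenUnsafe(rows) {
  return "<ul>" + rows.map((r) => `<li>${r.domain} (${r.count})</li>`).join("") + "</ul>";
}

// Hardened rendering: drop anything that is not a syntactically valid hostname,
// then HTML-escape what remains. Escaping alone stops the XSS; the validity
// check keeps junk out of the statistics. Caveat: a syntactic check still
// passes 'anime.tiddies', since only a resolver or public-suffix lookup can
// tell that the TLD does not exist.
function renderTopTenSafe(rows) {
  const items = rows
    .filter((r) => isValidHostname(r.domain))
    .map((r) => `<li>${escapeHtml(r.domain)} (${Number(r.count)})</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Constructed sample: what the query log might hold after the loops in the post.
const SAMPLE_ROWS = [
  { domain: "example.com", count: 412 },
  { domain: "anime.tiddies", count: 9000 },
  { domain: "<img/src='x'/onerror=alert(document.cookie)>", count: 31337 },
];

console.log(renderTopTenUnsafe(SAMPLE_ROWS)); // the payload survives as a live <img> tag
console.log(renderTopTenSafe(SAMPLE_ROWS));   // the payload row is gone; valid names are escaped
```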

Being a friendly patron, I informed the pilgrim and the creators of Pi-Hole of the errors of their ways and set them onto the path of righteousness.

Issue report: https://github.com/pi-hole/AdminLTE/issues/82

Fix pull request: https://github.com/pi-hole/AdminLTE/pull/84