Allele Security Alert
ASA-2020-00040
Identifier(s)
ASA-2020-00040, CVE-2020-15704, ZDI-CAN-11504
Title
Arbitrary file read and arbitrary module loading due to incorrectly handled module loading in the ppp package
Vendor(s)
Canonical
Product(s)
Ubuntu
Affected version(s)
Ubuntu 20.04
ppp package versions before 2.4.7-2+4.1ubuntu5.1
Ubuntu 18.04
ppp package versions before 2.4.7-2+2ubuntu1.3
Ubuntu 16.04
ppp package versions before 2.4.7-1+2ubuntu1.16.04.3
Ubuntu 14.04
ppp package versions before 2.4.5-5.1ubuntu2.3+esm2
Ubuntu 12.04
ppp package versions before 2.4.5-5ubuntu1.4
Fixed version(s)
Ubuntu 20.04
ppp package version 2.4.7-2+4.1ubuntu5.1 and later
Ubuntu 18.04
ppp package version 2.4.7-2+2ubuntu1.3 and later
Ubuntu 16.04
ppp package version 2.4.7-1+2ubuntu1.16.04.3 and later
Ubuntu 14.04
ppp package version 2.4.5-5.1ubuntu2.3+esm2 and later
Ubuntu 12.04
ppp package version 2.4.5-5ubuntu1.4 and later
Proof of concept
Yes
Description
The ppp package in Ubuntu carries a distribution-specific patch that makes pppd load the ppp_generic kernel module when it is not already available in the running kernel. The patch runs modprobe without sanitizing the environment, so an attacker can steer modprobe's behavior through the MODPROBE_OPTIONS environment variable. Because pppd is installed setuid root on Ubuntu, a local user able to run pppd gains an arbitrary file read (through modprobe's configuration parser) or the loading of an arbitrary kernel module from an attacker-controlled directory.
Technical details
The patch invokes the modprobe binary with execl(). execl() takes no envp argument: the new program inherits the environment of the calling process unchanged, and pppd does not clear or rebuild that environment before the call. Since pppd is setuid root, modprobe runs as root while honoring MODPROBE_OPTIONS from the attacker's environment. modprobe(8) appends the contents of that variable to its command line, so the attacker can pass options such as -C (configuration file or directory), -d (root directory of the module tree) and -S (kernel version used to locate modules). The generic fix for this class of bug is to exec modprobe with an explicit, minimal environment (for example execle() with a fixed envp) or to clear the environment before the exec.
Loading arbitrary modules when /dev/ppp is not present (-C and -d point modprobe at an attacker-controlled configuration and module tree, -S '' overrides the kernel version used to locate the module, so "rootmod" is taken from the current directory):
$ MODPROBE_OPTIONS="-C ./ -d ./ rootmod -S ''" /sbin/pppd
Reading arbitrary files using the sandbox context of man (-C /etc/shadow makes modprobe parse the shadow file as a configuration file; the lines it rejects are echoed in its warnings):
$ PAGER='/bin/sh -c "MODPROBE_OPTIONS=\"-C /etc/shadow\" /sbin/pppd notty"' man x
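The execl() pattern described under Technical details, as an added example that is not code from the ppp package or from the Ubuntu patch: the vulnerable call that inherits the caller's environment, beside a hardened variant that execs modprobe with a fixed envp, plus an allowlist filter for the case where a few variables must be passed through. MODPROBE_PATH, the allowlist and the sample environment are assumptions constructed for this example.

```c
/* Added example (not ppp code): environment handling around the modprobe exec.
 * MODPROBE_PATH, the allowlist and the sample environment are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MODPROBE_PATH "/sbin/modprobe"   /* assumed location, as in the PoC */

/* Vulnerable pattern: execl() has no envp parameter, so the child inherits
 * environ from the (setuid root) caller, MODPROBE_OPTIONS included. */
static void exec_modprobe_vulnerable(const char *module)
{
    execl(MODPROBE_PATH, "modprobe", module, (char *)NULL);
    _exit(127);
}

/* Hardened pattern: a fixed environment built by the program itself.  Nothing
 * the invoking user set survives, so MODPROBE_OPTIONS cannot reach modprobe. */
static char *const modprobe_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

static void exec_modprobe_hardened(const char *module)
{
    execle(MODPROBE_PATH, "modprobe", "-q", module, (char *)NULL, modprobe_env);
    _exit(127);
}

/* Return 1 if envp contains a variable called name (exact name before '='). */
int env_has(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return 1;
    return 0;
}

/* Allowlist filter for cases where some variables must pass through.  Copies
 * the pointers of entries in `in` whose names appear in `allow` into `out`,
 * NULL-terminates `out` and returns the number kept.  Anything not listed,
 * MODPROBE_OPTIONS included, is dropped. */
size_t filter_env(char *const *in, const char *const *allow, char **out, size_t max)
{
    size_t kept = 0;
    if (max == 0) return 0;
    for (; *in && kept + 1 < max; in++) {
        const char *eq = strchr(*in, '=');
        if (!eq) continue;                     /* malformed entry: drop it */
        size_t n = (size_t)(eq - *in);
        for (const char *const *a = allow; *a; a++) {
            if (strlen(*a) == n && strncmp(*in, *a, n) == 0) {
                out[kept++] = *in;
                break;
            }
        }
    }
    out[kept] = NULL;
    return kept;
}

/* Fork/exec wrapper as a daemon would call it; returns modprobe's exit status
 * or -1 on failure.  Not invoked below because the example is not run as root. */
int run_modprobe_hardened(const char *module)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) exec_modprobe_hardened(module);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed environment standing in for the attacker's shell. */
    char *const attacker_env[] = {
        "HOME=/home/user",
        "MODPROBE_OPTIONS=-C /etc/shadow",
        "PATH=/usr/bin",
        NULL
    };
    static const char *const allow[] = { "PATH", "LANG", NULL };
    char *filtered[8];
    size_t kept = filter_env(attacker_env, allow, filtered, 8);

    printf("inherited env carries MODPROBE_OPTIONS: %d\n",
           env_has(attacker_env, "MODPROBE_OPTIONS"));
    printf("filtered env keeps %zu variable(s); MODPROBE_OPTIONS present: %d\n",
           kept, env_has(filtered, "MODPROBE_OPTIONS"));
    (void)exec_modprobe_vulnerable;
    (void)run_modprobe_hardened;
    return 0;
}
```

The program only inspects environments and never execs modprobe, so it is safe to build and run unprivileged. The point to carry away is that in a setuid program no exec*() variant without an envp argument is safe unless the environment has been cleared or rebuilt first; the fixed envp in exec_modprobe_hardened() is the simplest form of that.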
Credits
Thomas Chauchefoin (@swapgs) from Synacktiv (@Synacktiv)
Reference(s)
Ubuntu ppp's CVE-2020-15704 wrap-up
https://www.synacktiv.com/publications/ubuntu-ppps-cve-2020-15704-wrap-up.html
Canonical Ubuntu Point-to-Point Protocol Daemon Arbitrary File Read Information Disclosure Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-20-980/
USN-4451-1: ppp vulnerability
https://ubuntu.com/security/notices/USN-4451-1
USN-4451-2: ppp vulnerability
https://ubuntu.com/security/notices/USN-4451-2
ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz
https://launchpadlibrarian.net/491880980/ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz
CVE-2020-15704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15704
CVE-2020-15704
https://nvd.nist.gov/vuln/detail/CVE-2020-15704
CVE-2020-15704 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15704.html
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 8, 2020