Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Ubuntu PPP Privilege Escalation- 245

Synack TIV - Thomas Chauchefoin
  • pppd is the Point-to-Point Protocol daemon on Ubuntu. It brings up dial-up, PPPoE and similar network links; it has nothing to do with printing.
  • pppd makes an interesting target because 1) it is installed setuid root and 2) it invokes modprobe to load the kernel module it needs. Why is modprobe interesting?
  • modprobe reads extra command-line options from the MODPROBE_OPTIONS environment variable. Privileged programs that spawn modprobe without resetting their inherited environment have been exploited before, in CVE-2010-4170 and CVE-2017-0358, so attacking pppd through modprobe seemed like a good idea.
  • Because the setuid pppd passes the unprivileged caller's environment straight through, an attacker can set MODPROBE_OPTIONS (for example with modprobe's -d/--dirname option) to point modprobe at a module tree they control and load an arbitrary kernel module as root, which is game over for the system.
  • What's the main takeaway? A setuid binary that executes helpers with the environment it inherited from an unprivileged caller is very dangerous. Treat every inherited variable as attacker-controlled, and hand any helper you spawn a minimal, explicit environment instead.
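The pattern behind this bug, and the fix a reviewer would ask for, as an added example that is not pppd's source or anything from the Synack write-up: a privileged program spawning modprobe with the inherited environment, next to a version that builds an explicit environment (fixed PATH plus an allow-list) and uses execve with an absolute path and no shell. The module name "ppp_generic", the allow-list, and the /sbin/modprobe path are assumptions for the demo; the main() uses /bin/sh as a stand-in for modprobe so it runs without root and without touching kernel modules.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* VULNERABLE pattern (illustrative, not pppd's actual code): system() runs the
 * helper through /bin/sh with the caller's full environment, so a
 * MODPROBE_OPTIONS set by the unprivileged user is honoured by root's modprobe. */
int load_module_vulnerable(const char *module)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "/sbin/modprobe %s", module);
    return system(cmd);
}

/* Copy only allow-listed variables from `in` into `out` (NULL-terminated).
 * Everything else (MODPROBE_OPTIONS, LD_PRELOAD, ...) is dropped.
 * Returns the number of entries kept, or -1 if `out` has no room. */
int build_clean_env(char *const *in, const char *const *allow,
                    char **out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *eq = strchr(*in, '=');
        if (!eq)
            continue;
        size_t namelen = (size_t)(eq - *in);
        for (const char *const *a = allow; *a; a++) {
            if (strlen(*a) == namelen && strncmp(*a, *in, namelen) == 0) {
                if (n + 1 >= cap)      /* keep room for the terminating NULL */
                    return -1;
                out[n++] = *in;
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* True if `env` contains a variable called `name`. */
int env_has(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return 1;
    return 0;
}

/* HARDENED pattern: fork + execve with an absolute path, a fixed argv and an
 * explicit environment (fixed PATH, allow-listed extras) that never carries
 * MODPROBE_OPTIONS. No shell is involved. Returns the child's exit status. */
int run_clean(const char *path, char *const argv[])
{
    static const char *const allow[] = { "LANG", NULL };   /* assumed allow-list */
    char *env[8];
    env[0] = "PATH=/usr/sbin:/sbin:/usr/bin:/bin";
    if (build_clean_env(environ, allow, env + 1, 7) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int load_module_hardened(const char *module)
{
    /* Fixed module name chosen by the program, "--" so it cannot be parsed as an option. */
    char *const argv[] = { "modprobe", "-q", "--", (char *)module, NULL };
    return run_clean("/sbin/modprobe", argv);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--modprobe") == 0)      /* needs root; opt-in */
        return load_module_hardened("ppp_generic");          /* module name assumed */

    /* Simulate the attacker's shell exporting the variable before running us. */
    setenv("MODPROBE_OPTIONS", "-d /tmp/attacker-modules", 1);

    puts("vulnerable (system, inherited environment):");
    system("echo \"  child sees MODPROBE_OPTIONS=[$MODPROBE_OPTIONS]\"");

    puts("hardened (execve, explicit environment):");
    char *const sh_argv[] = { "sh", "-c",
        "echo \"  child sees MODPROBE_OPTIONS=[$MODPROBE_OPTIONS]\"", NULL };
    return run_clean("/bin/sh", sh_argv);
}
```

The first child prints the attacker's `-d /tmp/attacker-modules`; the second prints an empty value, because the variable was never copied into the environment handed to execve. Clearing the environment is necessary but not sufficient for a setuid helper: the absolute path, the program-chosen argv, and the absence of a shell each close a separate way for the caller to influence what runs as root.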