CVE-2020-7468: TURNING IMPRISONMENT TO ADVANTAGE IN THE FREEBSD FTPD CHROOT JAIL
December 21, 2020 | Lucas Leong
In July, we received a local privilege escalation bug in FreeBSD from an anonymous researcher. The target is the file transfer protocol daemon (ftpd) that ships as part of FreeBSD. It provides a feature, ftpchroot, that is designed to restrict the file system access of authenticated users. The feature is implemented using the “chroot” system call, a security technique commonly known as a “chroot jail”. A chroot jail functions by confining a process to a restricted portion of the filesystem. By exploiting a vulnerability in the implementation, though, an attacker can actually use this imprisoned state to gain an enormous advantage, escalating their privileges from a restricted FTP account to `root`. This allows the attacker to execute arbitrary code on the system. This vulnerability was present in the FreeBSD FTP daemon for a long time. It can be tracked back to FreeBSD 6.3-Release. The bug is assigned as CVE-2020-7468/ZDI-20-1431 and the patch was released in September.
