CVE-2020-7468: TURNING IMPRISONMENT TO ADVANTAGE IN THE FREEBSD FTPD CHROOT JAIL

December 21, 2020 | Lucas Leong

In July, we received a local privilege escalation bug in FreeBSD from an anonymous researcher. The target is the file transfer protocol daemon (ftpd) that ships as part of FreeBSD. It provides a feature, ftpchroot, that is designed to restrict the file system access of authenticated users. The feature is implemented using the “chroot” system call, a security technique commonly known as a “chroot jail”. A chroot jail functions by confining a process to a restricted portion of the filesystem. By exploiting a vulnerability in the implementation, though, an attacker can actually use this imprisoned state to gain an enormous advantage, escalating their privileges from a restricted FTP account to `root`. This allows the attacker to execute arbitrary code on the system. This vulnerability was present in the FreeBSD FTP daemon for a long time. It can be tracked back to FreeBSD 6.3-Release. The bug is assigned as CVE-2020-7468/ZDI-20-1431 and the patch was released in September.

d43K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2*7k6i4u0G2k6r3q4&6K9h3&6A6N6r3W2S2N6r3W2$3k6g2)9J5k6h3y4G2L8g2)9J5c8X3u0D9L8$3N6Q4x3V1j5J5x3o6t1H3i4K6u0r3x3e0u0Q4x3V1j5J5x3g2)9J5c8X3y4$3k6g2)9J5k6o6t1H3x3U0m8Q4x3X3b7%4y4o6j5^5i4K6u0V1N6s2g2J5L8X3W2F1k6#2)9J5k6r3W2E0M7s2u0A6M7$3!0F1L8h3g2F1N6q4)9J5k6s2c8G2i4K6u0V1j5h3c8$3j5h3&6@1j5h3N6W2i4K6u0V1K9h3&6Q4x3X3c8@1K9r3g2Q4x3X3c8X3M7X3g2W2j5Y4y4V1i4K6u0V1k6Y4c8H3k6q4)9J5k6r3y4Z5M7X3!0G2N6q4)9J5k6r3A6S2K9h3H3`.

[培训]科锐逆向工程师培训第53期2025年7月8日开班！