2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report
CVE-2020-7468: FreeBSD ftpd chroot local privilege escalation vulnerability, a case analysis. Many readers are not clear on how this bug works, so this article walks through the root cause, the exploitation chain and the fix in detail; anyone who needs it can follow along, and I hope you gain something from it.
Vulnerability overview
In July 2020, we received a report from an anonymous researcher about a local privilege escalation vulnerability in FreeBSD's File Transfer Protocol daemon (ftpd). ftpd has a feature called ftpchroot (configured through /etc/ftpchroot) that restricts an authenticated user's view of the file system. It is implemented with the chroot system call, the technique commonly known as a "chroot jail", which confines a process to a subtree of the file system. With this vulnerability, an attacker can turn that "jailed" state against the daemon: escalate from a restricted FTP account to root and then execute arbitrary code on the target system. The bug has been present in the FreeBSD ftpd for a long time and can be traced back to FreeBSD 6.3. It is tracked as CVE-2020-7468 / ZDI-20-1431, and FreeBSD released the patch in September 2020.
Vulnerability analysis
The root cause is a flaw in the error handling of the pass() function in freebsd/libexec/ftpd/ftpd.c, which performs the chroot and the change into the home directory during login. The following is a simplified version of the vulnerable function:
void
pass(char *passwd)
{
    // ...
    if (guest || dochroot) {
        // ...
        /*
         * Finally, do chroot()
         */
        if (chroot(chrootdir) < 0) {
            reply(550, "Can't change root.");
            goto bad;
        }
        __FreeBSD_libc_enter_restricted_mode();
    } else    /* real user w/o chroot */
        homedir = pw->pw_dir;
    // ...
    if (chdir(homedir) < 0) {
        if (guest || dochroot) {
            reply(550, "Can't change to base directory.");
            goto bad;
        } else {
            // ...
        }
    }
    // ...
bad:
    /* Forget all about it... */
#ifdef LOGIN_CAP
    login_close(lc);
#endif
    if (residue)
        free(residue);
    end_login();
}
If an FTP user logs in and is configured for a chroot jail in /etc/ftpchroot, ftpd calls the chroot system call and then the chdir system call. If chdir fails, control jumps to the label bad, which closes the login-class handle and calls end_login(), but it neither terminates the connection nor undoes the chroot (a process cannot leave a chroot once it has entered one). ftpd then waits for a new login while the process is still confined in the chroot jail, so the next login attempt on the same connection misbehaves: every absolute path it opens, including the password database, is resolved relative to the user's home directory instead of the real root.
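To make the stale-state problem concrete, here is an added example (not code from the page or from FreeBSD) that models pass() with chroot and chdir replaced by bookkeeping over a constructed file-system table; the home directory /home/attacker, its mode-0 permissions and the "(connection closed)" marker are assumptions for the demo. It shows that after one failed chrooted login the vulnerable shape leaves the connection open with the process root moved, so the next login's /etc/spwd.db resolves under the attacker's home, whereas the patched shape (hanging up on chdir failure, as the fix later on this page does) never reaches that state.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a model of the control flow in ftpd's pass() for a user
 * listed in /etc/ftpchroot. It is not code from the page or from FreeBSD.
 * chroot(2) and chdir(2) need root and a real disk, so the kernel's view
 * is the struct below and a constructed table stands in for the file system.
 */

#define PLEN 256

struct session {
    char root[PLEN];   /* prefix the kernel prepends to absolute paths */
    bool connected;    /* false once the daemon has hung up */
    bool logged_in;
};

struct fakefile {
    const char *path;  /* path on the real disk */
    int mode;          /* 0 means the owner ran "chmod 0" on it */
};

/* Constructed file system (assumed for the demo): the real password database,
 * the attacker's home with all permissions removed, and the uploaded spwd.db. */
static const struct fakefile disk[] = {
    { "/etc/spwd.db",               0600 },
    { "/home/attacker",             0    },
    { "/home/attacker/etc/spwd.db", 0644 },
};
#define NDISK (sizeof disk / sizeof disk[0])

/* Resolve an absolute path the way the kernel does after chroot(2). */
static void resolve(const struct session *s, const char *path, char *out, size_t n)
{
    if (strcmp(s->root, "/") == 0 || path[0] != '/')
        snprintf(out, n, "%s", path);
    else if (strcmp(path, "/") == 0)
        snprintf(out, n, "%s", s->root);
    else
        snprintf(out, n, "%s%s", s->root, path);
}

static int sim_chroot(struct session *s, const char *dir)
{
    char real[PLEN];
    resolve(s, dir, real, sizeof real);
    snprintf(s->root, sizeof s->root, "%s", real);
    return 0;
}

/* chdir(2) fails with EACCES when the directory has mode 0. */
static int sim_chdir(const struct session *s, const char *dir)
{
    char real[PLEN];
    resolve(s, dir, real, sizeof real);
    for (size_t i = 0; i < NDISK; i++)
        if (strcmp(disk[i].path, real) == 0)
            return disk[i].mode == 0 ? -1 : 0;
    return -1;
}

/* Vulnerable shape: on chdir failure, "goto bad" only forgets the login
 * (end_login) and returns to the command loop; the chroot is not undone. */
static int pass_vulnerable(struct session *s, const char *home, bool dochroot)
{
    if (dochroot && sim_chroot(s, home) < 0)
        goto bad;                           /* "Can't change root." */
    if (sim_chdir(s, dochroot ? "/" : home) < 0)
        goto bad;                           /* "Can't change to base directory." */
    s->logged_in = true;
    return 0;
bad:
    s->logged_in = false;                   /* end_login(): root stays as it is */
    return -1;
}

/* Patched shape: the same failure goes through fatalerror(), which closes
 * the connection, so no later login can run inside the stale chroot. */
static void fatalerror_sim(struct session *s)
{
    s->logged_in = false;
    s->connected = false;                   /* dologout(0) */
}

static int pass_fixed(struct session *s, const char *home, bool dochroot)
{
    if (dochroot && sim_chroot(s, home) < 0) {
        fatalerror_sim(s);
        return -1;
    }
    if (sim_chdir(s, dochroot ? "/" : home) < 0) {
        fatalerror_sim(s);
        return -1;
    }
    s->logged_in = true;
    return 0;
}

/* One failed chrooted login for the attacker, then: where would the next
 * login on the same connection open /etc/spwd.db? */
static const char *next_login_spwd(int (*pass)(struct session *, const char *, bool))
{
    static char out[PLEN];
    struct session s = { "/", true, false };

    pass(&s, "/home/attacker", true);
    if (!s.connected)
        return "(connection closed)";
    resolve(&s, "/etc/spwd.db", out, sizeof out);
    return out;
}

const char *vulnerable_next_spwd_path(void) { return next_login_spwd(pass_vulnerable); }
const char *fixed_next_spwd_path(void)      { return next_login_spwd(pass_fixed); }

int main(void)
{
    printf("vulnerable: next login reads %s\n", vulnerable_next_spwd_path());
    printf("fixed:      next login reads %s\n", fixed_next_spwd_path());
    return 0;
}
```

The only difference between the two pass() shapes is what happens on the failure branch; the model makes it visible that the dangerous state is not the chroot itself but the daemon continuing to accept logins after it.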
Vulnerability exploitation
To force the chdir system call to fail during login, the attacker runs chmod 0 on their own home directory, which they are allowed to do because they own it. Before that, the attacker uploads a file at etc/spwd.db relative to the home directory. spwd.db is the binary password database of a FreeBSD system; the uploaded copy is taken from an ordinary FreeBSD installation and modified so that the root entry has a password known to the attacker. Once chdir has failed, ftpd is locked in the chroot jail, so every subsequent file system access is resolved relative to the user's home directory rather than the real root of the file system. When it authenticates the next login, ftpd therefore reads the attacker's spwd.db instead of the real /etc/spwd.db, and the attacker can log in as root with the known password.
Next, the attacker uploads /etc/pam.d/ftpd and /usr/lib/pam_opie.so.5, both of which land inside the jail. The first is the PAM configuration for ftpd, which tells PAM which shared libraries to load during login, and it lists the second. The second is a malicious PAM module that breaks out of the chroot jail and starts a reverse shell with the root privileges already obtained. From there the attacker can execute arbitrary code as root.
The exploitation steps are as follows:
1. Log in with the restricted FTP account.
2. Upload an etc/spwd.db that contains a known root password.
3. Run chmod 0 on the home directory.
4. Log in again with the restricted FTP account. During this login chdir fails, and the ftpd process is left locked in the chroot jail.
5. Log in as root with the known password.
6. Upload /etc/pam.d/ftpd and /usr/lib/pam_opie.so.5, the latter containing the reverse shell.
7. Log in with the restricted FTP account again. As before, chdir fails and ftpd stays locked in the chroot jail.
8. Log in as root with the known password. ftpd loads the malicious module and executes the reverse shell.
Vulnerability fix
To fix the problem, FreeBSD changed the implementation so that if the chdir system call fails for a chrooted user, ftpd closes the connection immediately instead of returning to the command loop in the stale chroot:
void
fatalerror(char *s)
{
    reply(451, "Error in server: %s", s);
    reply(221, "Closing connection due to server error.");
    dologout(0);
    /* NOTREACHED */
}

void
pass(char *passwd)
{
    // ...
    if (chdir(homedir) < 0) {
        if (guest || dochroot) {
            fatalerror("Can't change to base directory.");
        } else {
            // ...
        }
    }
    // ...
}
Summary
This is a logic bug rather than a memory corruption issue, so exploitation is very reliable. It is a different vulnerability from the FreeBSD kernel privilege escalation (CVE-2020-7460) published in September 2020.
© 2024 shulou.com SLNews company. All rights reserved.