Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Privilege Escalation in FreeBSD - 343

ZDI - Lucas Leong. Posted 5 years ago.
  • FreeBSD is a Unix-like operating system. chroot is a system call that changes a process's root directory: from then on every path the process opens resolves relative to that new pseudo-root, and the rest of the file system is out of reach. This is commonly referred to as a chroot jail.
  • FreeBSD's FTP daemon (ftpd) has an option to chroot a user into a particular directory of the file system. This is where the bug lives! Who would think to look for a privilege escalation in a chrooted FTP implementation?
  • After the chroot, ftpd does a chdir into the user's home directory. If that chdir fails, control jumps to the shared error label (goto bad), which tears down the half-finished login and goes back to waiting for a new login on the same connection. But the process is already locked inside the chroot from the previous step, and nothing on that error path undoes a chroot. The next login attempt on that connection therefore runs in the wrong environment.
  • An attacker can make the chdir fail with chmod 0 on the directory: by that point ftpd has already switched to the user's privileges, and a mode-0 directory is not searchable by its owner (root would not be stopped by this). Why is a failing chdir useful? The error path hands ftpd its root privileges back, so ftpd itself is now trapped in the chroot jail, as root!
  • So when the next login on that connection is authenticated, ftpd resolves its configuration and credential files relative to the attacker's directory. This means the attacker controls the password database that the root login is checked against.
  • On top of that, the attacker can upload libraries that stand in for the ones the daemon normally loads, since those are now looked up inside the jail too. Put a reverse shell in one of them and it runs as root, and root, unlike the FTP user, can leave a chroot. The result is the non-chrooted root user!
  • To me, the interesting part was that this issue was created because of a failure in one of the commands, while the other one succeeded. Just because you catch an error does not mean that it is handled properly!
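The error-path bug in those notes, as an added example that is not code from the ZDI post or from FreeBSD's ftpd: a reconstruction of the login sequence (chroot as root, drop to the user, chdir into the home directory, and a shared goto-bad handler that restores root but cannot undo the chroot) beside a fail-closed variant that ends the connection once anything fails after the chroot. The three privileged syscalls sit behind a small function table so the mode-0 case can be driven without root. The table, the session struct, the fake syscalls, uid 1001, the /home/attacker path and the fail-closed fix itself are all assumptions made for this illustration, not the vendor's patch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The privileged calls the login path depends on, behind a small table so
 * the error path can be driven without root (assumed design for this example). */
struct sys_ops {
    int (*do_chroot)(const char *dir);
    int (*do_seteuid)(uid_t uid);
    int (*do_chdir)(const char *dir);
};

/* Per-connection state the daemon keeps between login attempts. */
struct session {
    int alive;      /* daemon still serving this connection */
    int logged_in;
    int chrooted;   /* chroot() has been applied; there is no way back */
    uid_t euid;     /* effective uid the daemon currently runs with */
};

enum { LOGIN_OK = 0, LOGIN_FAILED = -1 };

/* Shared failure handler (the "bad" label): hands privileges back to the
 * daemon so it can process another USER/PASS. Nothing here leaves the chroot. */
static void end_login(const struct sys_ops *ops, struct session *s)
{
    ops->do_seteuid(0);
    s->euid = 0;
    s->logged_in = 0;
}

/* Reconstruction of the flawed sequence described in the notes (not ftpd's
 * source): chroot as root, drop to the user, chdir into the home directory. */
static int pass_login(const struct sys_ops *ops, struct session *s,
                      const char *chrootdir, const char *homedir, uid_t uid)
{
    if (ops->do_chroot(chrootdir) < 0)
        goto bad;
    s->chrooted = 1;
    if (ops->do_seteuid(uid) < 0)
        goto bad;
    s->euid = uid;
    /* Runs with the user's privileges, so a mode-0 home directory fails here. */
    if (ops->do_chdir(homedir) < 0)
        goto bad;
    s->logged_in = 1;
    return LOGIN_OK;
bad:
    end_login(ops, s);  /* euid 0 again, still inside chrootdir, still listening */
    return LOGIN_FAILED;
}

/* Fail-closed variant (an assumed fix, not the vendor patch): once the root
 * directory has changed, a failed login must take the connection down. */
static int pass_login_failclosed(const struct sys_ops *ops, struct session *s,
                                 const char *chrootdir, const char *homedir,
                                 uid_t uid)
{
    int rc = pass_login(ops, s, chrootdir, homedir, uid);
    if (rc != LOGIN_OK && s->chrooted)
        s->alive = 0;   /* a real daemon would exit the child process here */
    return rc;
}

/* Would the next USER/PASS on this connection be authenticated by a root
 * process whose /etc and /usr/lib resolve inside the user's directory? */
static int next_auth_runs_in_user_root(const struct session *s)
{
    return s->alive && !s->logged_in && s->chrooted && s->euid == 0;
}

/* Fakes for running without root: chroot "succeeds", and the directory named
 * as mode 0 is unsearchable for any non-root euid (constructed behaviour). */
static uid_t fake_euid;
static const char *fake_mode0_dir;
static int fake_chroot(const char *dir) { (void)dir; return 0; }
static int fake_seteuid(uid_t uid) { fake_euid = uid; return 0; }
static int fake_chdir(const char *dir)
{
    int unsearchable = fake_mode0_dir != NULL && strcmp(dir, fake_mode0_dir) == 0;
    return (fake_euid != 0 && unsearchable) ? -1 : 0;
}
static const struct sys_ops fake_ops = { fake_chroot, fake_seteuid, fake_chdir };

/* One login attempt against the fakes. Returns 1 if the daemon is left
 * serving the connection as root inside the user's directory. */
static int simulate(int fail_closed, const char *home, const char *mode0_dir,
                    struct session *out)
{
    struct session s = { 1, 0, 0, 0 };
    fake_euid = 0;
    fake_mode0_dir = mode0_dir;
    if (fail_closed)
        pass_login_failclosed(&fake_ops, &s, home, home, 1001);
    else
        pass_login(&fake_ops, &s, home, home, 1001);
    if (out != NULL)
        *out = s;
    return next_auth_runs_in_user_root(&s);
}

int main(void)
{
    const char *home = "/home/attacker";   /* constructed path */
    printf("flawed path, chmod 0 home: root-in-jail=%d\n", simulate(0, home, home, NULL));
    printf("fail-closed, chmod 0 home: root-in-jail=%d\n", simulate(1, home, home, NULL));
    printf("flawed path, normal home:  root-in-jail=%d\n", simulate(0, home, NULL, NULL));
    return 0;
}
```

Passing `{ chroot, seteuid, chdir }` as the `sys_ops` table runs the same login code against the real kernel (which needs root). The fail-closed wrapper tracks the one fact the shared error handler lost: after a chroot has succeeded there is no cleanup path back to the daemon's original root, so any later failure has to take the connection down with it rather than fall through to the next login.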