# CVE-2020-7460: FreeBSD kernel privilege escalation.



## judd (Sep 3, 2020)

I found this article by browsing the web.

In August, an update to FreeBSD was released to address a time-of-check to time-of-use (TOCTOU) bug that could be exploited by an unprivileged malicious userspace program for privilege escalation. This vulnerability was reported to the ZDI program by a researcher who goes by the name m00nbsd. He has graciously provided this write-up and proof-of-concept code detailing ZDI-20-949/CVE-2020-7460.

The goal is to achieve kernel code execution on FreeBSD starting from an unprivileged user, using a TOCTOU vulnerability present in the 32-bit sendmsg() system call. This vulnerability has been assigned CVE-2020-7460 and affects all FreeBSD kernels since 2014. Before we get into the details, here’s a quick video showing the exploit in action. Continue reading ...

Source.


----------



## Dendros (Sep 3, 2020)

Every OS has these kinds of vulnerabilities. What really matters is that these are patched.


----------



## judd (Sep 3, 2020)

Dendros said:


> Every OS has these kinds of vulnerabilities. What really matters is that these are patched.



Clarification:
I hope you don't misunderstand; I just see it as very descriptive, so I thought it was appropriate to share it, just that.


----------



## Dendros (Sep 3, 2020)

No problem at all, I get what you're saying. I just wanted to point out that there is no OS without vulnerabilities. 

This vulnerability does seem interesting, although the details are too technical. What I understood from this is that even a relatively simple part of an OS can be a source of vulnerabilities.


----------



## msplsh (Sep 3, 2020)

It's covered here









FreeBSD-SA-20:23.sendmsg

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which...

forums.freebsd.org


----------



## judd (Sep 3, 2020)

msplsh said:


> It's covered here
>
> ...



Okay, I didn't know, I apologize.


----------

