minix 2.0.x remote root

A while ago a minix advisory got released about a pre-auth remote root vulnerability in the minix ftpd:
http://minix1.woodhull.com/news/ftpsecadv.html
The advisory intentionally left out the details so people running minix wouldn't get hurt. The most hilarious part about that advisory is that they mention it also affected minix 3 AFTER it got fixed, since they shipped the vulnerable binary with minix 3 by accident.

Since I independently discovered this bug about 2 years ago, let me fill you in on the details: the minix ftpd implements SITE CRC, which basically gives you the crc32 of a file. The first bug (or feature, whatever) is that you can call that without logging in. The 2nd and totally idiotic bug is that it does the following:
system("/bin/crc32 ");
This falls in the “I can’t believe they fucked it up” category.
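
The two bugs above, pre-auth reachability and a shell-parsed system() string, are both closed by the pattern below. This is an added example, not the minix ftpd source: the helper path /bin/crc32, the logged_in flag and the names crc_arg_ok/site_crc are assumptions, and the helper is exec'd directly with an argv array so no shell ever parses the client-supplied name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not minix code. Accept only a plain file name relative to
 * the current directory: printable ASCII, no '/', no leading dot, and none
 * of the characters a shell would treat specially. */
int crc_arg_ok(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 255) return 0;
    if (name[0] == '.') return 0;               /* rejects ".", "..", dotfiles */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c <= 0x20 || c >= 0x7f) return 0;   /* control chars, space, non-ASCII */
        if (strchr("/;|&$`\\\"'<>(){}[]*?!~#", c)) return 0;
    }
    return 1;
}

/* Handle SITE CRC: require an authenticated session, validate the argument,
 * then run crc_prog with the name as a single argv entry (no shell involved).
 * Returns the helper's exit status, or -1 if the request is refused. */
int site_crc(int logged_in, const char *crc_prog, const char *name) {
    if (!logged_in) return -1;                  /* first bug: pre-auth access */
    if (!crc_arg_ok(name)) return -1;           /* second bug: unchecked input */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* execv passes name as one argument; nothing is re-parsed. */
        char *argv[] = { (char *)crc_prog, (char *)name, NULL };
        execv(crc_prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The test uses /bin/true in place of /bin/crc32 so it runs anywhere; the validation and exec path are the same.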

I have it from reliable sources that ALL 3 minix boxes on the internet got compromised this way.
