Security Advisory: Minix FTP daemon (2005-03-17, update 2006-05-01)

modified: 1 May 2006

Important Note for Minix 3 users: The information on this page is relevant to some releases of Minix 3. A vulnerable binary version of the ftp daemon was erroneously distributed with some Beta versions of Minix 3.
The correct (updated) binary is installed from the Minix 3.1.0 CD-ROM included with the text Operating Systems Design and Implementation, 3rd edition, as well as from the official 3.1.1 release. However, the source for the vulnerable version is still supplied in /usr/src/commands/ftpd. The correct source is in /usr/src/commands/ftpd200. When recompiling commands, take care that the binary built from the newer (ftpd200) source is the one that gets installed, not the one built from /usr/src/commands/ftpd.

Minix ftpd version 2.00 now available

Minix ftpd version 2.00 has been released and is now available here at /pub/contrib/ftpd200.tar.Z. As usual, a short descriptive text file is also available: /pub/contrib/ftpd200.txt. The newest version is also available from the site of the author, Michael Temari, as http://TemWare.com/files/ftpd.tar.Z.

Ftpd 1.00 and older versions vulnerable

If you are running an FTP server on a Minix system please be aware that a security vulnerability was discovered in ftpd version 1.00. It has been determined that the vulnerability was present in all earlier versions of ftpd, including those released with all versions of Minix 2.0.x through 2.0.4. The vulnerability was fixed with the release of ftpd 1.01 in early February 2005, at the same time that the existence of the problem in earlier versions was announced on comp.os.minix and the minix-l mailing list. If you are running version 1.01 you are probably safe, but upgrading to version 2.00 is recommended: version 1.01 was the result of a quick effort to fix the vulnerability, whereas version 2.00 reimplements the critical parts of the code.

Important: The vulnerability in earlier versions is present whether or not anonymous ftp service is offered. If you are running any version of ftpd previous to 1.01 on a networked system you must shut down FTP by disabling startup of the ftp daemon in /etc/rc (or /etc/rc.net in Minix 2.0.4), and you should make sure the ftp daemon cannot be run at all, e.g., 'rm /usr/bin/in.ftpd'.

If you do not need ftp (or any other network service) you are safest if you do not allow the service to run at all and remove the executable from any directory from which it could be started.

Determining ftpd version:

The easiest way to determine the version of your ftpd is to connect with the Minix ftp client on the same system and issue a "status" command. This can be done even without logging in. Here's an example:

211-parsnip.woodhull.com FTP server status:
    Version 2.00  Thu, 17 Mar 2005 20:03:30 EST
    Connected to
    Not logged in
    MODE: Stream
    TYPE: Ascii
211 End of status
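The same check can be run from another machine, or scripted across several Minix hosts, without the Minix ftp client. The 211 reply shown above is the server's answer to the FTP STAT command (RFC 959), which a server accepts before login. The script below is an added example, not code from this advisory or from Michael Temari's ftpd: it connects to port 21, consumes the 220 banner, sends STAT, reads the multi-line 211 reply, extracts the "Version X.YY" line and maps it onto the advisory's three cases (older than 1.01: vulnerable; 1.01: fixed but upgrade recommended; 2.00 or later: current). The embedded sample reply is constructed from the status output above, and the hostname argument and the treatment of a reply with no Version line (assumed vulnerable, since every pre-1.01 build is) are assumptions of the example.

```python
"""Probe a Minix ftpd for its version with an unauthenticated STAT.

Added example for the advisory, not part of ftpd or of the advisory itself.
Speaks plain RFC 959 FTP: read the 220 banner, send STAT before any USER,
parse the multi-line 211 reply for the "Version X.YY" line, classify it.
"""
import io
import re
import socket

# Constructed sample: the 211 reply quoted in the advisory, with CRLF endings.
SAMPLE_REPLY_200 = (
    "211-parsnip.woodhull.com FTP server status:\r\n"
    "    Version 2.00  Thu, 17 Mar 2005 20:03:30 EST\r\n"
    "    Connected to\r\n"
    "    Not logged in\r\n"
    "    MODE: Stream\r\n"
    "    TYPE: Ascii\r\n"
    "211 End of status\r\n"
)

FIXED_IN = (1, 1)      # ftpd 1.01 closed the hole (February 2005)
RECOMMENDED = (2, 0)   # ftpd 2.00 reimplements the critical code

VERSION_RE = re.compile(r"^\s*Version\s+(\d+)\.(\d+)", re.MULTILINE)


def parse_version(reply):
    """Return (major, minor) from a 211 STAT reply, or None if no Version line."""
    m = VERSION_RE.search(reply)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify(version):
    """Map a parsed version onto the advisory's outcomes.

    Assumption of this example: a reply without a Version line is treated as
    vulnerable, because every pre-1.01 build is and the daemon gave no evidence
    of being newer.
    """
    if version is None:
        return "unknown: no Version line in STAT reply, treat as vulnerable"
    if version < FIXED_IN:
        return "vulnerable: disable the daemon and upgrade to 2.00"
    if version < RECOMMENDED:
        return "fixed: 1.01 closes the hole, upgrade to 2.00 recommended"
    return "current"


def read_reply(f):
    """Read one FTP reply, handling the RFC 959 multi-line form.

    A multi-line reply starts with 'NNN-' and ends at the first line that
    starts with 'NNN ' (same code followed by a space).
    """
    first = f.readline()
    if not first:
        raise ConnectionError("server closed the connection")
    code = first[:3]
    lines = [first]
    if first[3:4] == "-":
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("truncated multi-line reply")
            lines.append(line)
            if line.startswith(code + " "):
                break
    return "".join(lines)


def parse_reply_text(text):
    """Offline helper: run read_reply over captured reply text."""
    return read_reply(io.StringIO(text))


def probe_ftpd(host, port=21, timeout=10.0):
    """Connect, consume the banner, send STAT without logging in, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # newline="" keeps CRLF intact in both directions.
        f = sock.makefile("rw", encoding="latin-1", newline="")
        banner = read_reply(f)
        if not banner.startswith("220"):
            raise RuntimeError("unexpected greeting: " + banner.strip())
        f.write("STAT\r\n")
        f.flush()
        reply = read_reply(f)
        f.write("QUIT\r\n")
        f.flush()
        return reply


if __name__ == "__main__":
    import sys
    # With a hostname argument, probe a live server; otherwise use the sample.
    reply = probe_ftpd(sys.argv[1]) if len(sys.argv) > 1 else parse_reply_text(SAMPLE_REPLY_200)
    version = parse_version(reply)
    print("ftpd version:", version, "->", classify(version))
```

Run it with the hostname of the Minix machine as its only argument; with no argument it classifies the sample reply from the advisory. Because STAT is answered before authentication, the probe neither needs nor sends a password, which is the same property the advisory relies on when it says the status command works without logging in.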


All material on this site not otherwise attributed is copyright ©1994-2006 Albert S. Woodhull
Mail comments on this page to: Al Woodhull <asw@woodhull.com>