NCSA Telnet




                     AND IBM PC'S RUNNING NCSA TELNET 

The DOE Computer Incident Advisory Capability (CIAC) has learned of a serious
vulnerability in the Telnet software made by NCSA, which runs on both Macintosh
computers and IBM PCs. This vulnerability enables anyone on a system that has
network access to a Macintosh or IBM PC running NCSA Telnet to access that
computer without a password, and to copy, change, or delete files on it. Please
note that any node on the network (i.e., the world) potentially has this
access. Access to the Macintosh or IBM PC is via FTP on the host. The Macintosh
or IBM PC will execute FTP commands whenever NCSA Telnet is running on it, even
if NCSA Telnet is running in the background (e.g., under MultiFinder on the
Macintosh). Once access is gained, files can be copied to or from the Macintosh
or IBM PC.

Whether Macintosh or IBM PCs at your site have this vulnerability depends on
how NCSA Telnet was installed.  Your systems are vulnerable if you are missing
the line: 


in your config.tel file. The line "ftp=no" can be used to disable FTP.
Even if this line is included, however, your system could still be vulnerable,
since this setting is easily overridden while NCSA Telnet is running by
selecting "FTP Enable" in the File menu.

NCSA Telnet is delivered with the 'passfile="filename"' line commented out of 
the config.tel file using the # sign as: 


When the passfile line is omitted or commented out, FTP transfers are enabled
without requiring the use of passwords. If the Macintosh or IBM PCs at your
site are subject to this vulnerability, CIAC recommends that you ensure the
passfile="filename" line is included in the configuration file, where
"filename" (quotes required) can specify either a dummy file name or a valid
password file. You should use a dummy file name when NCSA Telnet is not being
used, to ensure that users do not enable NCSA Telnet without first making a
password file. Using a dummy file name turns on password checking, which
effectively disables FTP. However, if you plan to use NCSA Telnet, you should:

    1)  make an encrypted password file using Telpass, and 

    2)  use a complete pathname specification for the file name 
        (e.g., \etc\passwd). 
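
An added example (not part of the CIAC advisory or of NCSA Telnet): a Python
check that audits the text of a config.tel file for the conditions described
above. The sample files are constructed, and both the assumed syntax (one
keyword=value setting per line, '#' starting a comment) and the PC-style
pathname test are assumptions.

```python
import re

# Constructed sample files, not taken from the advisory. Assumed syntax:
# one keyword=value setting per line, '#' starts a comment.
SAMPLE_COMMENTED = 'myip=192.0.2.10\nftp=no\n#passfile="passwd"\n'
SAMPLE_HARDENED = 'myip=192.0.2.10\npassfile="\\etc\\passwd"\n'
SAMPLE_RELATIVE = 'passfile="passwd"\n'

SETTING = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')

def parse_config(text):
    """Return {keyword: value} for settings that are not commented out."""
    settings = {}
    for line in text.splitlines():
        active = line.split('#', 1)[0]   # drop the comment part of the line
        match = SETTING.match(active)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def audit_config(text):
    """Return findings for the conditions the advisory describes."""
    cfg = parse_config(text)
    findings = []
    passfile = cfg.get('passfile')
    if passfile is None:
        findings.append('VULNERABLE: no active passfile line, FTP needs no password')
        if cfg.get('ftp', '').lower() == 'no':
            findings.append('NOTE: ftp=no is set, but "FTP Enable" in the File menu overrides it')
    elif len(passfile) < 3 or passfile[0] != '"' or passfile[-1] != '"':
        findings.append('WARN: passfile value must be a quoted, non-empty file name')
    elif not re.match(r'^([A-Za-z]:)?\\', passfile[1:-1]):
        # PC-style check only; Macintosh path syntax is not evaluated here.
        findings.append('WARN: passfile is not a complete pathname')
    return findings

if __name__ == '__main__':
    for name, text in [('commented out', SAMPLE_COMMENTED),
                       ('hardened', SAMPLE_HARDENED),
                       ('relative', SAMPLE_RELATIVE)]:
        print(name, '->', audit_config(text) or ['OK'])
```

An empty result only means the file on disk is set as recommended; it says
nothing about a password file's contents or about settings changed from the
menus while NCSA Telnet is running.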

By including the passfile line in config.tel, someone who wants to use FTP must
either delete the passfile line in the config.tel file or create a password

For further information, please contact Gene Schultz, CIAC Manager, at
(415) 422-8193 or (FTS) 532-8193, or send e-mail to: 


