[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Mac/PC NCSA Telnet Vulnerability

Title: Mac/PC NCSA Telnet Vulnerability
Released by: CERT
Date: 10th September 1991
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



===========================================================================

CA-91:15

Last Revised:  September 18,1997                

                Attached copyright statement

            

                               CERT Advisory

                               September 10, 1991

                        Mac/PC NCSA Telnet Vulnerability



- ---------------------------------------------------------------------------



The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received information concerning a vulnerability in the default

configurations of National Center for Supercomputing Applications

(NCSA) Telnet for both the Macintosh and the PC.  The vulnerability

also affects the version of NCSA Telnet with IBM 3270 terminal

emulation distributed by Clarkson University.  Two workarounds are

available that correct this problem.



NCSA has committed to changing the default configurations in future

releases.  Maintenance updates for both the Macintosh and the PC are

planned to be released in about 2 months.



NCSA provides two e-mail addresses for Telnet questions, comments,

and bug reports:



     PC Telnet          pctelnet@ncsa.uiuc.edu

     Mac Telnet         mactelnet@ncsa.uiuc.edu



- ---------------------------------------------------------------------------



I.   Description



     The default configuration of NCSA Telnet for both the Macintosh

     and the PC has a serious vulnerability in its implementation of

     an ftp server.



     The default configuration file enables ftp via the "ftp=yes"

     line.  However, sites should be aware that ftp is also enabled

     in the absence of any ftp statement in the configuration file.



II.  Impact



     Any Internet user can connect via ftp to a PC or Macintosh

     running the default configuration of NCSA Telnet and gain

     unauthorized read and write access to any of its files, including

     system files.



III. Solution

        

     Either disable ftp server functionality or provide password

     protection as described below.



     To disable the ftp server, add an "ftp=no" line in the

     configuration file.



     If the ftp server option is enabled (via either an "ftp=yes" line 

     in the configuration file or the absence of an ftp statement in the 

     configuration file), then the Telpass program (included with both 

     Mac and PC versions) can be used to provide password protection.  

     Telpass is used to enter usernames and encrypted passwords into a 

     password file.  The configuration file specifies the name and 

     location of the password file in the "passfile=" statement.  The 

     usage of Telpass is documented in Chapter 5 of version 2.4 of the 

     Macintosh version documentation and Chapter 7 of version 2.3 of the 

     PC version.  Note that the documentation (as well as the package 

     itself) is available by anonymous ftp from ftp.ncsa.uiuc.edu 

     (141.142.20.50).



     The instructions for enabling password protection differ between

     the Macintosh and PC versions, but in both cases they involve

     enabling the "passfile" option in the configuration file, and

     creating usernames and encrypted passwords with the Telpass

     program.  



     CERT/CC strongly urges all sites running NCSA Telnet to implement

     one of these two workarounds.



- ---------------------------------------------------------------------------

The CERT/CC would like to thank NCSA and Clarkson University for their

assistance.

- ---------------------------------------------------------------------------



If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.



Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EDT,

           on call for emergencies during other hours.



Past advisories and other computer security related information are available

for anonymous ftp from the cert.org (192.88.209.5) system.



- -----------------------------------------------------------------------------

        



Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision History:



September 18,1997  Attached Copyright Statement



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS9RFr9kb5qlZHQEQIGvwCfbLah8CYHX27qHOPUKiedec5UAW0AoO35

jEaKf+wo4rmNbuyefSxHvYTh

=ModJ

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.