CVE-1999-1090

Step 1: Target Identification: The attacker identifies a system running NCSA Telnet for Macintosh or PC. This can be achieved through port scanning (port 21 for FTP). Step 2: FTP Connection: The attacker establishes an FTP connection to the vulnerable system using a standard FTP client. Step 3: Authentication Bypass: Because FTP is enabled by default and lacks proper access controls, the attacker does not need to authenticate. Step 4: File Access: The attacker uses standard FTP commands (e.g., GET, PUT, LIST) to read, write, and potentially modify files on the target system. Step 5: System Compromise: Depending on the accessed files, the attacker can gain further access, potentially leading to complete system compromise or data exfiltration.

The vulnerability stems from an insecure default configuration in NCSA Telnet. The software enables FTP functionality even without an explicit configuration directive. This implicit enablement allows attackers to bypass authentication and access the file system. The root cause is a design flaw where the FTP server is started by default, and the lack of a secure-by-default configuration allows unauthorized access. The absence of proper access controls and authentication mechanisms for FTP, coupled with the default enablement, creates a significant security gap. This is not a technical flaw like a buffer overflow or race condition, but rather a configuration issue that allows unintended functionality to be exposed.