Share
## https://sploitus.com/exploit?id=6491506C-BB25-5B72-875E-6C91C69E60D8
# CVE-2026-28372 — GNU inetutils telnetd Privilege Escalation PoC







---
## 👤 Author
**Mohammed Idrees Banyamer**
Jordan 🇯🇴
Instagram: @banyamer_security
Security Researcher | Offensive Security | Exploit Development
---
## 🧨 Exploit Title
**CVE‑2026‑28372 — GNU inetutils telnetd Privilege Escalation via CREDENTIALS_DIRECTORY + login.noauth**
---
## 📌 Overview
This Proof‑of‑Concept demonstrates a **Local Privilege Escalation** vulnerability in GNU inetutils `telnetd`.
`telnetd` improperly passes client‑controlled environment variables to `login(1)`.
By setting:
```
CREDENTIALS_DIRECTORY=
```
and placing:
```
login.noauth = yes
````
authentication is bypassed, potentially granting a **root shell without a password**.
---
## ⚠️ Vulnerability Details
- **CVE:** CVE-2026-28372
- **Affected Software:** GNU inetutils telnetd ≤ 2.7
- **Condition:** util-linux version supporting `login.noauth`
- **Attack Type:** Local Privilege Escalation
- **CVSS:** 7.4 HIGH
- **CWE:** CWE‑829
---
## 🎯 Affected Systems
- Linux systems running:
- inetutils‑telnetd ≤ 2.7
- util-linux ≥ ~2.40
- Ubuntu / Debian derivatives (tested)
---
## 🔬 Exploit Mechanism
### Root Cause
`telnetd → login(1)` environment variable trust issue.
### Attack Chain
1. Attacker creates controlled directory
2. Places `login.noauth` file with value `yes`
3. Injects environment variables via Telnet NEW‑ENVIRON option
4. `login` reads attacker-controlled credentials directory
5. Authentication bypass → root shell
---
## 🧭 PoC Flow Diagram
```mermaid
flowchart TD
A[Unprivileged User] --> B[Create fake credentials directory]
B --> C[Place login.noauth = yes]
C --> D[Connect to telnetd]
D --> E[Inject ENV variables]
E --> F[Set CREDENTIALS_DIRECTORY]
F --> G[telnetd calls login]
G --> H[login reads login.noauth]
H --> I[Authentication bypass]
I --> J[Root shell obtained]
````
---
## ▶️ Usage
### Requirements
* Python 3
* Running telnetd service
* Local access
### Run PoC
```bash
python3 cve-2026-28372.py
```
Optional parameters:
```bash
python3 cve-2026-28372.py --host 127.0.0.1 --port 23 --user root
```
---
## 🧪 Exploit Steps Performed Automatically
✔ Create attacker-controlled credentials directory
✔ Generate `login.noauth` bypass file
✔ Connect to telnetd
✔ Inject malicious environment variables
✔ Attempt authentication bypass
---
## 🛡️ Mitigation
### Immediate Fix
* Apply patches after inetutils 2.7
* Sanitize environment variables
* Unset dangerous variables:
```
unsetenv("CREDENTIALS_DIRECTORY")
```
### Recommended
* Disable telnet service
* Use SSH instead
* Restrict local services
* Monitor environment variable injection
---
## 📚 Technical Notes
* Requires local file write access
* telnetd must spawn `/bin/login` or `/usr/bin/login`
* Real-world exploitation depends on service exposure
---
## ⚖️ Disclaimer
This PoC is provided for:
* Security research
* Defensive purposes
* Authorized testing environments only
Unauthorized use is prohibited.
---
## ⭐ Credits
Discovered & Researched by:
**Mohammed Idrees Banyamer**
banyamer_security