Share
## https://sploitus.com/exploit?id=6491506C-BB25-5B72-875E-6C91C69E60D8
# CVE-2026-28372 — GNU inetutils telnetd Privilege Escalation PoC

![CVE](https://img.shields.io/badge/CVE-2026--28372-critical-red)
![Platform](https://img.shields.io/badge/platform-linux-blue)
![Exploit](https://img.shields.io/badge/exploit-local--privilege--escalation-orange)
![Language](https://img.shields.io/badge/python-3.x-yellow)
![Status](https://img.shields.io/badge/status-POC-success)
![Author](https://img.shields.io/badge/author-Mohammed%20Idrees%20Banyamer-green)
![License](https://img.shields.io/badge/license-Research-lightgrey)

---

## 👤 Author

**Mohammed Idrees Banyamer**  
Jordan 🇯🇴  
Instagram: @banyamer_security  

Security Researcher | Offensive Security | Exploit Development

---

## 🧨 Exploit Title

**CVE‑2026‑28372 — GNU inetutils telnetd Privilege Escalation via CREDENTIALS_DIRECTORY + login.noauth**

---

## 📌 Overview

This Proof‑of‑Concept demonstrates a **Local Privilege Escalation** vulnerability in GNU inetutils `telnetd`.

`telnetd` improperly passes client‑controlled environment variables to `login(1)`.  
By setting:

```

CREDENTIALS_DIRECTORY=

```

and placing:

```

login.noauth = yes

````

authentication is bypassed, potentially granting a **root shell without a password**.

---

## ⚠️ Vulnerability Details

- **CVE:** CVE-2026-28372
- **Affected Software:** GNU inetutils telnetd ≤ 2.7
- **Condition:** util-linux version supporting `login.noauth`
- **Attack Type:** Local Privilege Escalation
- **CVSS:** 7.4 HIGH
- **CWE:** CWE‑829

---

## 🎯 Affected Systems

- Linux systems running:
  - inetutils‑telnetd ≤ 2.7
  - util-linux ≥ ~2.40
- Ubuntu / Debian derivatives (tested)

---

## 🔬 Exploit Mechanism

### Root Cause

`telnetd → login(1)` environment variable trust issue.

### Attack Chain

1. Attacker creates controlled directory
2. Places `login.noauth` file with value `yes`
3. Injects environment variables via Telnet NEW‑ENVIRON option
4. `login` reads attacker-controlled credentials directory
5. Authentication bypass → root shell

---

## 🧭 PoC Flow Diagram

```mermaid
flowchart TD

A[Unprivileged User] --> B[Create fake credentials directory]
B --> C[Place login.noauth = yes]
C --> D[Connect to telnetd]
D --> E[Inject ENV variables]
E --> F[Set CREDENTIALS_DIRECTORY]
F --> G[telnetd calls login]
G --> H[login reads login.noauth]
H --> I[Authentication bypass]
I --> J[Root shell obtained]
````

---

## ▶️ Usage

### Requirements

* Python 3
* Running telnetd service
* Local access

### Run PoC

```bash
python3 cve-2026-28372.py
```

Optional parameters:

```bash
python3 cve-2026-28372.py --host 127.0.0.1 --port 23 --user root
```

---

## 🧪 Exploit Steps Performed Automatically

✔ Create attacker-controlled credentials directory
✔ Generate `login.noauth` bypass file
✔ Connect to telnetd
✔ Inject malicious environment variables
✔ Attempt authentication bypass

---

## 🛡️ Mitigation

### Immediate Fix

* Apply patches after inetutils 2.7
* Sanitize environment variables
* Unset dangerous variables:

```
unsetenv("CREDENTIALS_DIRECTORY")
```

### Recommended

* Disable telnet service
* Use SSH instead
* Restrict local services
* Monitor environment variable injection

---

## 📚 Technical Notes

* Requires local file write access
* telnetd must spawn `/bin/login` or `/usr/bin/login`
* Real-world exploitation depends on service exposure

---

## ⚖️ Disclaimer

This PoC is provided for:

* Security research
* Defensive purposes
* Authorized testing environments only

Unauthorized use is prohibited.

---

## ⭐ Credits

Discovered & Researched by:

**Mohammed Idrees Banyamer**
banyamer_security