Share
## https://sploitus.com/exploit?id=B6E4E8D1-B299-56A2-9043-5FBF111F3729
# CVE-2026-32746 - telnetd LINEMODE SLC Buffer Overflow

Pre-authentication remote code execution via buffer overflow in GNU InetUtils telnetd's LINEMODE SLC (Set Local Characters) handler.

**CVSS 3.1:** 9.8 (Critical) | **CWE:** CWE-120, CWE-787

## Overview

The `add_slc()` function in `telnetd/slc.c` appends 3 bytes per SLC triplet to a fixed 108-byte buffer (`slcbuf`) without bounds checking. An unauthenticated attacker can send a crafted SLC suboption with 40+ triplets (function codes > 18/NSLC) during option negotiation - before any login prompt - overflowing the buffer, corrupting the `slcptr` pointer in BSS, and achieving an arbitrary write when `end_slc()` uses the corrupted pointer.

## Affected

- GNU InetUtils telnetd through 2.7 (all versions)
- Any telnetd derived from the BSD SLC codebase
- Patch expected by April 1, 2026

## What This PoC Does

- โœ… Triggers the buffer overflow and crashes telnetd (confirms vulnerability)
- โŒ Does NOT achieve code execution (no shellcode/ROP chain)

## Quick Start

```bash
# Build the vulnerable lab environment
docker compose up -d

# Detect (non-destructive)
python3 detect.py 127.0.0.1 2323

# Exploit (crashes telnetd - confirms vuln)
python3 exploit.py 127.0.0.1 2323

# Clean up
docker compose down
```

## Lab Environment

The Docker setup runs a Debian container with `inetutils-telnetd` 2.4 under `xinetd`, exposed on port 2323. Fully isolated - nothing touches your host.

## How It Works

1. Connect to telnetd and complete initial option negotiation
2. Client proactively sends `WILL LINEMODE` to trigger LINEMODE negotiation
3. Server responds with `DO LINEMODE` and enters SLC suboption processing
4. Client sends a crafted SLC suboption containing 40-60 triplets with function codes > 18 (NSLC)
5. `add_slc()` queues a "not supported" reply (3 bytes) for each triplet into a 104-byte buffer
6. After ~35 triplets, the buffer overflows, corrupting `slcptr` and adjacent BSS data
7. `end_slc()` writes the suboption end marker via the corrupted `slcptr` (arbitrary write)
8. telnetd crashes (or worse, depending on the overflow content)

## Files

| File | Description |
|------|-------------|
| `exploit.py` | PoC crash/DoS exploit |
| `Dockerfile` | Vulnerable telnetd lab |
| `docker-compose.yml` | One-command lab setup |
| `xinetd-telnet.conf` | xinetd service config |
| `detect.py` | Non-destructive version detection script |

## Developing an RCE Chain

To go beyond DoS, you would need to:

1. Map BSS layout (`slcbuf` โ†’ `slcptr` offset)
2. Control the value `end_slc()` writes via corrupted `slcptr`
3. Overwrite a GOT entry or function pointer
4. Redirect execution to shellcode or ROP chain

## References

- [Dream Advisory](https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/)
- [GNU bug-inetutils Disclosure](https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html)
- [The Hacker News](https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html)
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-32746)

## Disclaimer

This tool is provided for authorized security testing and educational purposes only. Do not use against systems you do not own or have explicit permission to test. The author is not responsible for misuse.

## Credits

- Vulnerability discovered by: Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel (DREAM Security Research Team)

## License

MIT