diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md index 848bee43ad5..18e74cc0f1a 100644 --- a/src/network-services-pentesting/pentesting-telnet.md +++ b/src/network-services-pentesting/pentesting-telnet.md 
@@ -108,9 +108,23 @@ Keep these CVEs in mind during vulnerability triage—if the target is running a ### CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical) -**Summary:** `telnetd` in GNU Inetutils through **2.7** allows **remote authentication bypass** via a `USER` environment variable value of `-f root`, resulting in unauthenticated root access. -**Root cause:** argument injection (CWE-88) because `telnetd` forwards the client-supplied `USER` environment variable to `login` without sanitization. -**Scope:** GNU Inetutils `telnetd` versions **1.9.3–2.7** are affected (published **January 21, 2026**). +**Primitive:** Telnet **NEW_ENVIRON** lets clients push environment variables during option negotiation; inetutils `telnetd` substitutes `%U` in its login template with `getenv("USER")` and passes it directly to `/usr/bin/login`, enabling **argv-level option injection** (no shell expansion). +**Root cause:** versions **1.9.3–2.7** expand `%U` without filtering, so a `USER` value beginning with `-` is parsed as a `login` flag. For example, `%U` becomes `-f root`, yielding `/usr/bin/login -h "-f root"` and **skipping authentication** via `login -f`. + +**Exploit flow:** +1. Connect to the Telnet service and negotiate **NEW_ENVIRON** to set `USER=-f root`. +2. `telnetd` builds the login argv including the attacker-controlled `%U` value. +3. `/usr/bin/login` interprets `-f root` as "pre-authenticated user root" and spawns a root shell. + +**PoC** + +```bash +# Inject USER via NEW_ENVIRON and obtain a root shell +USER='-f root' telnet -a +``` + +**Patch note:** inetutils **2.7-2** introduces a `sanitize()` helper that rejects values starting with `-` or containing whitespace/metacharacters before substituting them into the login argv, blocking option injection. +**Detection/verification:** identify exposed daemons with `telnetd --version`, `dpkg -l | grep inetutils`, `systemctl status inetutils-telnetd`, or `netstat -tlnp | grep :23`. **Mitigations** 
@@ -164,12 +178,13 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with ## References -* D-Link Advisory – CVE-2024-45698 Critical Telnet RCE. -* NVD – CVE-2022-39028 inetutils `telnetd` DoS. -* NVD – CVE-2026-24061. -* Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061). -* Debian Security Tracker – CVE-2026-24061 fixed versions. - +* [OffSec – CVE-2026-24061 – GNU InetUtils telnetd Authentication Bypass Vulnerability](https://www.offsec.com/blog/cve-2026-24061/) +* [Inetutils sanitize() fix (ccba9f748aa8d50a38d7748e2e60362edd6a32cc)](https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc) +* [NVD – CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061) +* [Debian Security Tracker – CVE-2026-24061](https://security-tracker.debian.org/tracker/CVE-2026-24061) +* [Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061)](https://www.cyber.gc.ca/en/alerts-advisories/alert-AL26-002) +* [NVD – CVE-2022-39028 inetutils `telnetd` DoS](https://nvd.nist.gov/vuln/detail/CVE-2022-39028) +* [NVD – CVE-2024-45698 D-Link DIR-X4860 Telnet RCE](https://nvd.nist.gov/vuln/detail/CVE-2024-45698) {{#include ../banners/hacktricks-training.md}}
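Review bot: in the first hunk (`@@ -108,9 +108,23 @@`), the worked expansion `/usr/bin/login -h "-f root"` is inconsistent with the surrounding explanation: the quotes show the injected value as a single argv element sitting where `-h` takes its hostname argument, while the "Root cause" sentence says the value "is parsed as a `login` flag" and the "Primitive" paragraph calls it "argv-level option injection". Either show the argv that the `%U` template actually produces (so the reader can see how `-f` and `root` end up as separate `login` arguments), or drop the `-h "..."` rendering, because as written it suggests the value would be consumed as a hostname rather than an option. Two further points on the same hunk: the rewrite deletes the one-line `**Summary:**` and the `**Scope:**` line that carried the publication date (`January 21, 2026`), which is exactly the triage information the section intro ("Keep these CVEs in mind during vulnerability triage") asks for, so consider keeping a short summary/scope line above the new "Primitive" paragraph; and the "Patch note" names `2.7-2` as the fixing version, which reads as a Debian package revision rather than an upstream inetutils release, so state which it is and link it to the upstream `sanitize()` commit cited in the references.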
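Review bot: in the second hunk (`@@ -164,12 +178,13 @@`), the new reference list now cites both the upstream Codeberg commit (`ccba9f748aa8d50a38d7748e2e60362edd6a32cc`) and the Debian Security Tracker entry, but the body text only gives a single fixing version (`2.7-2`); consider annotating the Debian tracker entry as the source of the fixed package version (the removed entry was titled "fixed versions", which made that explicit) so readers can tell the distro backport apart from the upstream `sanitize()` change. Also, the hunk removes the blank line that separated the list from `{{#include ../banners/hacktricks-training.md}}`; check the rendered output so the include is not glued to the last list item.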