lol https://seclists.org/oss-sec/2026/q1/89

telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root, bypassing normal authentication processes.

In telnetd for a decade 💀

oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

Re: [bug-inetutils] inetutils-telnet always prompt entering username eve

@GossiTheDog On the bright side, the discussion from before this bug was introduced said: "I see that you are connecting to the localhost. That is fine. But note that telnet really is not suitable for the hostile Internet anymore. For that always use a secure connection such as ssh. Note also that ssh can use ssh keys for a secure no password login. I suggest that regardless of other things that you convert from telnet to ssh for your remote login uses."
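
Added example, not part of the thread, the advisory, or the inetutils source: a C sketch of the server-side check that stops the option injection the advisory describes, where a client-supplied USER value is placed on the /usr/bin/login command line. The function names, the 32-character limit and the allowed character set are assumptions made for illustration, as is the use of "--" to end option parsing (it assumes the login program follows getopt conventions).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy (not from the advisory): a login name taken from the
 * client's USER variable must be 1..32 characters, must not start with
 * '-', and may contain only [A-Za-z0-9._-]. */
#define MAX_LOGIN_NAME 32

/* Returns 1 if user is acceptable as a login name, 0 otherwise. */
int user_is_safe(const char *user)
{
    size_t i, n;

    if (user == NULL)
        return 0;
    n = strlen(user);
    if (n == 0 || n > MAX_LOGIN_NAME)
        return 0;
    if (user[0] == '-')           /* would be parsed by login as an option */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;             /* rejects spaces, so no second word */
    }
    return 1;
}

/* Fills argv (capacity cap) for exec of the login program.
 * A rejected or missing USER yields a plain login prompt instead of a
 * pre-filled name. Returns the argument count, or -1 if cap is too small.
 * "--" ends option parsing, assuming login uses getopt conventions. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    size_t n = 0;

    if (cap < 4)
        return -1;
    argv[n++] = "/usr/bin/login";
    if (user_is_safe(user)) {
        argv[n++] = "--";
        argv[n++] = user;
    }
    argv[n] = NULL;
    return (int)n;
}
```

The check belongs at the point where the environment value crosses from the network into a privileged command line; passing the name as a single argv element after "--" keeps it from being read as a flag even if the filter is later loosened.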