lol https://seclists.org/oss-sec/2026/q1/89

The telnetd server invokes /usr/bin/login (normally running as root), passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root, bypassing normal authentication processes.

In telnetd for a decade 💀

oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

Re: [bug-inetutils] inetutils-telnet always prompt entering username eve
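The argument-injection pattern quoted from the advisory above, shown from the defending side as an added example (not code from the thread or from GNU InetUtils): a server validates the client-supplied USER value before it reaches the login program's argument vector. The function names, the 32-byte limit, the allowed character set and the use of `--` (which assumes a getopt-style login) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a client-supplied USER value may be used as a login name.
   The 32-byte limit and the allowed character set are assumptions. */
int user_value_is_safe(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 32) return 0;
    if (name[0] == '-') return 0;          /* would be parsed as an option */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok) return 0;                 /* rejects spaces, so no second word */
    }
    return 1;
}

/* Build argv for the login program. user == NULL means the client sent no
   USER, so login prompts. Returns argc, or -1 if the value is rejected. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    int n = 0;
    if (cap < 4) return -1;
    argv[n++] = "/usr/bin/login";
    if (user != NULL) {
        if (!user_value_is_safe(user)) return -1;
        argv[n++] = "--";                  /* assumption: getopt-style login */
        argv[n++] = user;
    }
    argv[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample values; the second is the string from the advisory. */
    const char *samples[] = { "alice", "-f root", "bob smith" };
    const char *argv[4];
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-10s -> argc %d\n", samples[i],
               build_login_argv(samples[i], argv, 4));
    return 0;
}
```

A rejected value should be logged and the connection either dropped or sent to the normal login prompt, never passed through in modified form.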

@GossiTheDog When shellshock dropped I was truly surprised env vars were accepted server side for so many installs.

And now we go further back in time to even more careless network configs.

Way back in 1999 I argued a telco should switch from telnet to ssh. I lost that argument bc ppl didn't want to install the ssh client and FW rules were written and rhosts was so convenient.

I don't wish an incident on any operators out there, but I really would like to see telnet installs burn.

@kalfeher @GossiTheDog Oh man, even in 1998 I was using SSH (with an RSA 2FA credit card form factor token) as a Sysadmin to sign into our servers at Scottish Telecom.

Lots of weirdos in telcos though (as someone who did that for 15+ years).

I am mad about the telnet client not shipping in modern UNIX distros by default though, it's still sometimes useful to be able to connect to a port and send commands.

@iaincollins @GossiTheDog ‘nc’ is probably a better choice for port testing and is likely to be available on most distros.

@kalfeher @GossiTheDog I'd rather that systems just included telnet, in the same way I want them to ship with a bunch of other very small standard utilities because after shipping stuff on a couple of dozen Unix platforms over 30 years it's annoying every time one of them decides to get cute and I have to stop and think "oh yeah I'm trying to do X on Y so I need to use Z".