lol https://seclists.org/oss-sec/2026/q1/89

telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value, the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root, bypassing normal authentication processes.

In telnetd for a decade 💀

oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd


For elder security greybeards, you may remember this is almost the exact same bug that Solaris introduced a decade before 🫡 and AIX introduced the decade before that.

The telnetd vuln has a CVE now - CVE-2026-24061

Proof of concept: https://github.com/SafeBreach-Labs/CVE-2026-24061/blob/main/telnet_rce.py

@GossiTheDog gotta respect the classics.
@GossiTheDog and was inherited from the BSD r(sh|exec|login) utilities before that.
@GossiTheDog why are you making me feel old?
@GossiTheDog Gotta recycle your trash!

@GossiTheDog I think this is reflective of the number of users that `telnetd` had in 2014. Low number of users → lower probability of reviews picking up an issue.

(I recognise this doesn't catch everything… Heartbleed and Shellshock being two counter-examples.)

Don't know about others, but I'd completely moved to using `sshd` a decade before that. I didn't use `telnet` for anything meaningful, it was `ssh` all the way.

@GossiTheDog Probably a special request from the certification exam providers so they can replace the ageing Solaris boxes in their exam rigs.
@GossiTheDog just reading this it sounded like the telnet bug.

@GossiTheDog

if we ever learned from previous mistakes, vendors might have to actually work hard to introduce truly new bugs. ;)

@GossiTheDog I remember our firewall-less Solaris 10 systems being immune, not due to patching or anything like that, but because of a custom patched login that caused the exploits to fail. We absolutely took the wrong lesson from this and are still repeating that wrong lesson nearly 20 years later.
@GossiTheDog Ah, sweet memories 😏
@GossiTheDog reminds me a bit of 1994’s rlogin -l -froot
@GossiTheDog On the bright side, the discussion from before this bug was introduced said: "I see that you are connecting to the localhost. That is fine. But note that telnet really is not suitable for the hostile Internet anymore. For that always use a secure connection such as ssh. Note also that ssh can use ssh keys for a secure no password login. I suggest that regardless of other things that you convert from telnet to ssh for your remote login uses."

@GossiTheDog When shellshock dropped I was truly surprised env vars were accepted server side for so many installs.

And now we go further back in time to even more careless network configs.

Way back in 1999 I argued a telco should switch from telnet to ssh. I lost that argument bc ppl didn't want to install the ssh client, and FW rules were written, and rhosts was so convenient.

I don't wish an incident on any operators out there, but I really would like to see telnet installs burn.

@kalfeher @GossiTheDog Oh man, even in 1998 I was using SSH (with an RSA 2FA credit-card form factor token) as a Sysadmin to sign into our servers at Scottish Telecom.

Lots of weirdos in telcos though (as someone who did that for 15+ years).

I am mad about the telnet client not shipping in modern UNIX distros by default though, it's still sometimes useful to be able to connect to a port and send commands.

@iaincollins @GossiTheDog ‘nc’ is probably a better choice for port testing and is likely to be available on most distros
@kalfeher @GossiTheDog I'd rather that systems just included telnet, in the same way I want them to ship with a bunch of other very small standard utilities, because after shipping stuff on a couple of dozen Unix platforms over 30 years it's annoying every time one of them decides to get cute and I have to stop and think "oh yeah, I'm trying to do X on Y so I need to use Z".
@GossiTheDog
Honey, wake up. New sudo just dropped.
@GossiTheDog I especially love the “carefully crafted” part.

@schrotthaufen @GossiTheDog I swear to fuck the people that write some things up just use words without knowing what they mean.

"carefully crafted web requests" is my favorite shit ever.

They meant to say, "any skiddy from the 90s that remembers their first directory traversal exploitation they did by accident and didn't even have a name for it yet can do."

@NosirrahSec @schrotthaufen @GossiTheDog I only use artisan crafted web requests typed out on an antique mechanical typewriter on the shores of a fjord in Norway.
@chrisp @schrotthaufen @GossiTheDog Ooooh, that's fancy! Is that also organic, or do you use paper that is from genetically modified trees to type on?
@GossiTheDog Uuuh ... that's not ... I ... ok. Who thought this was a good idea?
@GossiTheDog Hilarious because the same bug was present and fixed in SYS5 Unix boxes many many years before where you could login with options
@GossiTheDog ooh, the old classics are back in fashion!
@GossiTheDog this or equivalent has *definitely* not been used by people I may have acquaintances with for the past few years in order to work around some really broken processes to control remote access to servers, making them unmanageable otherwise....
@GossiTheDog I wonder if 3 letter agencies knew about this? And I wonder if they've used it against a handful of industrial sites over the years? And it is probably close to useless these days as most people have hopefully moved on to SSH and VPNs?
@chrisp @GossiTheDog most places? Oh my sweet summer child.
@GossiTheDog oh wow! I know some environments where telnet is still the go to remote access protocol
@GossiTheDog i don’t even remember the last time i used telnet

@blogdiva @GossiTheDog I use it all the time*

* on embedded devices which are in no way allowed anywhere near the internet

@blogdiva
I use that quite often. Telnet is the lingua franca understood by infrastructure devices.

Yes, it's only open towards the OOBM network, which is separate and only reachable via jump-hosts ...

Given that many of these devices sport a Linux for management, I expect quite some patching in the near future.

@blogdiva @GossiTheDog I've only ever used it when I was testing a webserver implementation and had to hand-write some HTTP requests. Never actually used telnetd
@GossiTheDog Does this one have a fancy name / logo yet? If not, I humbly submit "frootgun"
@GossiTheDog I vaguely recall doing a similar hack with TERM as that was the only variable passed thru telnetd to the shell unfiltered. Sadly I no longer remember the details, but something along the lines of TERM='vt100;dosomething'
@GossiTheDog, nothing with inetutils-telnetd here, but I have one box with telnetd-ssl so I tested anyway just to see how it responds: “I don't hear you!” and disconnection.

@GossiTheDog that reminds me of an AIX bug in 1995. `rlogin -f root` and voila.

Fuck I'm old too.

@GossiTheDog One hopes the number of people still running telnetd is in the low single digits.
@GossiTheDog No, that's the thing. It doesn't pass it "as the last parameter". Instead it wrongly pastes it into the end of a shell command string (and without proper quoting) and tells the shell to parse it as a command. If it passed it properly as the last parameter everything would be fine.
@dalias @GossiTheDog my understanding is that "proper quoting" in a shell context is nigh impossible...
@leon_p_smith @GossiTheDog It's not difficult at all. One trivial way is putting ' at start and end after replacing every ' with '\''.

@leon_p_smith @GossiTheDog But the right solution is not to paste at all. Instead invoke the shell as something like "sh", "-c", "expanded_command_here", "sh", [parameters here] and instead of expanding % codes directly in the expanded command, replacing them with "$1", "$2", etc. to pull the parameters.

None of this is hard. It's something you should already know how to do right if you're invoking a shell from a potentially privileged context with data from another privilege domain. If you don't already know how to do it, you should not be touching software that runs in such a context.

@dalias @leon_p_smith @GossiTheDog That's perhaps a mild improvement, but still leaves you open to shell mistakes. Far better is to construct the correct argv array directly, as an array and _not_ as a string of shell input.

It is notable that the inetutils fix did not take this approach, but instead patches things up with (hopefully correct) argument sanitization. I'm not going to rag on people for making a mistake once, but after being bitten once they should really know better.

@cjwatson @leon_p_smith @GossiTheDog The approach I described is as an array, not a string of shell input. The expanded command doesn't contain any of the variable input text, just positional references to it.

@cjwatson @leon_p_smith @GossiTheDog As an example to see how this works, run:

sh -c 'echo "$1"' sh "foo bar"

@dalias @leon_p_smith @GossiTheDog I'm well aware of how it works. But if you don't have to involve the shell (and I can't see why it would be needed in the case at hand - the templating arrangement doesn't need to be particularly flexible), why bother introducing unnecessary complexity?
@cjwatson @leon_p_smith @GossiTheDog It's needed because -E takes a shell command string with special substitutions (bad interface choice someone made long ago).
@dalias @leon_p_smith @GossiTheDog There's still shell input there in the form of '"$1" "$2"' etc. Best to completely avoid the shell when it's unnecessary.
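The four hand-off strategies argued over in the exchange above (pasting the client value into the command string, quoting it first, passing it through "$1", and building argv directly), as an added example that is not code from the thread or from inetutils. A stand-in for the login program simply reports how many arguments it received; the thread's own "-f root" value is used as the sample input, and a correct hand-off delivers it as exactly one argument.

```sh
#!/bin/sh
# Added example, not code from the thread or from inetutils. It models the
# hand-off discussed above: a daemon passing a client-supplied USER value to
# a login program. Each function prints how many arguments the "login"
# stand-in received; a correct hand-off delivers the value as ONE argument.
# "-f root" is the thread's own sample value.

# 1. Flawed: paste the value into a command string and let sh parse it.
#    The shell word-splits "-f root" into two arguments (and would also
#    honour any shell metacharacters the client included).
pasted_argc() {
    sh -c "set -- $1; echo \$#"
}

# 2. Quote before pasting, using the rule from the thread: wrap in '...'
#    after replacing every ' with '\''. Correct, but easy to forget once.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
quoted_argc() {
    sh -c "set -- $(shell_quote "$1"); echo \$#"
}

# 3. Keep client data out of the template: the fixed string refers only to
#    "$1", and the value is a separate argv element after the "sh" name.
positional_argc() {
    sh -c 'set -- "$1"; echo $#' sh "$1"
}

# 4. No shell at all: invoke the program directly with an argv array.
login_stub() { echo "$#"; }
direct_argc() {
    login_stub "$1"
}

# Run all four on the sample value; only approach 1 splits it in two.
for f in pasted_argc quoted_argc positional_argc direct_argc; do
    printf '%-16s %s\n' "$f" "$($f '-f root')"
done
```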
@GossiTheDog has anyone actually fired up the telnet daemon at any point in the last ten years?
@GossiTheDog On the bright side, this avoids you having to send your credentials in clear text over the wire.
@GossiTheDog going to maybe have some happy hunting on my corp master's network tomorrow..... :-)
@GossiTheDog to be fair, if you're running telnet and expecting security...