HackTricks-wiki · carlospolop · Jan 30, 2026
diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md
@@ -108,9 +108,23 @@ Keep these CVEs in mind during vulnerability triage—if the target is running a
 
 ### CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)
 
-**Summary:** `telnetd` in GNU Inetutils through **2.7** allows **remote authentication bypass** via a `USER` environment variable value of `-f root`, resulting in unauthenticated root access.
-**Root cause:** argument injection (CWE-88) because `telnetd` forwards the client-supplied `USER` environment variable to `login` without sanitization.
-**Scope:** GNU Inetutils `telnetd` versions **1.9.3–2.7** are affected (published **January 21, 2026**).
+**Primitive:** Telnet **NEW_ENVIRON** lets clients push environment variables during option negotiation; inetutils `telnetd` substitutes `%U` in its login template with `getenv("USER")` and passes it directly to `/usr/bin/login`, enabling **argv-level option injection** (no shell expansion).
+**Root cause:** versions **1.9.3–2.7** expand `%U` without filtering, so a `USER` value beginning with `-` is parsed as a `login` flag. For example, `%U` becomes `-f root`, yielding `/usr/bin/login -h <hostname> "-f root"` and **skipping authentication** via `login -f`.
+
+**Exploit flow:**
+1. Connect to the Telnet service and negotiate **NEW_ENVIRON** to set `USER=-f root`.
+2. `telnetd` builds the login argv including the attacker-controlled `%U` value.
+3. `/usr/bin/login` interprets `-f root` as "pre-authenticated user root" and spawns a root shell.
+
+**PoC**
+
+```bash
+# Inject USER via NEW_ENVIRON and obtain a root shell
+USER='-f root' telnet -a <ip>
+```
+
+**Patch note:** inetutils **2.7-2** introduces a `sanitize()` helper that rejects values starting with `-` or containing whitespace/metacharacters before substituting them into the login argv, blocking option injection.
+**Detection/verification:** identify exposed daemons with `telnetd --version`, `dpkg -l | grep inetutils`, `systemctl status inetutils-telnetd`, or `netstat -tlnp | grep :23`.
 
 **Mitigations**
 
@@ -164,12 +178,13 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
 
 ## References
 
-* D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.
-* NVD – CVE-2022-39028 inetutils `telnetd` DoS.
-* NVD – CVE-2026-24061.
-* Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061).
-* Debian Security Tracker – CVE-2026-24061 fixed versions.
-
+* [OffSec – CVE-2026-24061 – GNU InetUtils telnetd Authentication Bypass Vulnerability](https://www.offsec.com/blog/cve-2026-24061/)
+* [Inetutils sanitize() fix (ccba9f748aa8d50a38d7748e2e60362edd6a32cc)](https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc)
+* [NVD – CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
+* [Debian Security Tracker – CVE-2026-24061](https://security-tracker.debian.org/tracker/CVE-2026-24061)
+* [Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061)](https://www.cyber.gc.ca/en/alerts-advisories/alert-AL26-002)
+* [NVD – CVE-2022-39028 inetutils `telnetd` DoS](https://nvd.nist.gov/vuln/detail/CVE-2022-39028)
+* [NVD – CVE-2024-45698 D-Link DIR-X4860 Telnet RCE](https://nvd.nist.gov/vuln/detail/CVE-2024-45698)
 
 
 {{#include ../banners/hacktricks-training.md}}