By rssfeeds-admin 
Tracked as CVE-2026-24061, the flaw exists in GNU Inetutils through version 2.7 and enables remote authentication bypass when a malicious client supplies "-f root" as
USER environment variable.
This discovery, reported by security researcher Ron Ben Yizhak, prompted a deeper investigation into whether the ghost of CVE-1999-0073, a 1999 vulnerability allowing attackers to inject environment variables like LD_LIBRARY_PATH to subvert system libraries — still haunted modern telnet implementations.
The core problem lies in how telnetd launches /bin/login. Because both processes run in a root-to-root context, the Linux kernel sets AT_SECURE to 0 in the process’s auxiliary vector.
This value is critical when positive, AT_SECURE signals the dynamic linker (ld-linux.so) and glibc to enter secure-execution mode, which automatically discards or neutralizes dangerous environment variables like LD_LIBRARY_PATH, GCONV_PATH, and others.
With AT_SECURE at zero, the dynamic linker treats the session as fully trusted, meaning every environment variable passed by a telnet client is accepted without restriction. This shifts the burden of sanitization entirely onto telnetd itself a responsibility it fails to meet.
Although a recent commit (4db2f19f) introduced unsetenv("CREDENTIALS_DIRECTORY") to address part of the problem, the fix remains dangerously incomplete. Telnetd currently attempts to block harmful variables using a blacklist approach, filtering by prefix or full variable name. Researchers have confirmed this is insufficient.
An attacker can inject GNU gettext-specific variables such as OUTPUT_CHARSET and LANGUAGE, alongside the glibc variable GCONV_PATH, directly through the telnet protocol. By declaring a character set mismatch (e.g., injecting ISO-8859-1 against a UTF-8 system), an attacker tricks gettext into calling iconv_open().
Since AT_SECURE is 0, iconv_open() blindly follows the attacker-supplied GCONV_PATH to locate a custom gconv-modules file — and from there, loads arbitrary shared objects as root.
27 Years old Telnet Vulnerability PoC
In a demonstrated proof of concept by Justin Swartz, a low-privileged local user (abuser) injected environment variables through a standard telnet session to load a malicious shared library (libcash2trash.so).
When /bin/login attempted to display a localized prompt, gettext triggered the exploit chain. The payload executed silently before the connection dropped — copying /bin/sh with SUID/SGID permissions.
The resulting binary ran with euid=0 (root) and egid=0 (root), granting full root privileges to the unprivileged user. No telnetd authentication was performed or required.
Researchers suggest consolidating a single CVE for “Improper environment sanitization in telnetd” to cover both the CREDENTIALS_DIRECTORY vector and this dynamic linker escape comprehensively.
The recommended remediation moves away from the flawed blacklist model entirely. Following the OpenSSH AcceptEnv-style approach, building a strict whitelist of safe environment variable names for /bin/login, paired with rigorous input sanitization on their values, is considered the only reliable long-term fix.
Organizations still running telnet services are urged to disable telnetd immediately and migrate to SSH. Where telnet cannot be avoided, upgrading GNU Inetutils and applying strict network-level access controls is essential until a comprehensive patch is released.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post 27 Years old Telnet Vulnerability Enables Attackers to Gain Root Access appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.