27 Years old Telnet Vulnerability Enables Attackers to Gain Root Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly confirmed vulnerability in the telnet daemon (telnetd) in GNU Inetutils<\/a> has revived a 27-year-old security flaw, allowing attackers to gain root access by exploiting improper sanitization of environment variables, with no authentication required.<\/p>\n Tracked as\u00a0CVE-2026-24061, the flaw exists in GNU Inetutils through version 2.7 and enables remote authentication bypass when a malicious client supplies\u00a0 This discovery, reported by security researcher Ron Ben Yizhak, prompted a deeper investigation into whether the ghost of\u00a0CVE-1999-0073,\u00a0a 1999 vulnerability allowing attackers to inject environment variables like\u00a0 The core problem lies in how telnetd launches\u00a0 This value is critical when positive,\u00a0 With\u00a0 Although a recent commit ( An attacker can inject GNU gettext-specific variables such as\u00a0 Since\u00a0 In a demonstrated proof of concept by Justin Swartz<\/a>, a low-privileged local user ( When\u00a0 The resulting binary ran with\u00a0 Researchers suggest consolidating a single CVE for \u201cImproper environment sanitization in telnetd\u201d to cover both the\u00a0 The recommended remediation moves away from the flawed blacklist model entirely. Following the\u00a0OpenSSH\u00a0AcceptEnv-style approach, building a strict whitelist of safe environment variable names for\u00a0\/bin\/login, paired with rigorous input sanitization on their values, is considered the only reliable long-term fix.<\/p>\n Organizations still running telnet services are urged to disable telnetd immediately and migrate to SSH. Where telnet cannot be avoided, upgrading GNU Inetutils and applying strict network-level access controls is essential until a comprehensive patch is released.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 27 Years old Telnet Vulnerability Enables Attackers to Gain Root Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\"-f root\"<\/code>\u00a0as the value for the\u00a0USER<\/code>\u00a0environment variable.<\/p>\nLD_LIBRARY_PATH<\/code>\u00a0to subvert system libraries \u2014 still haunted modern telnet implementations.<\/p>\n\/bin\/login<\/code>. Because both processes run in a root-to-root context, the Linux kernel sets\u00a0AT_SECURE<\/code>\u00a0to\u00a00\u00a0in the process\u2019s auxiliary vector.<\/p>\nAT_SECURE<\/code>\u00a0signals the dynamic linker (ld-linux.so<\/code>) and glibc to enter\u00a0secure-execution mode, which automatically discards or neutralizes dangerous environment variables like\u00a0LD_LIBRARY_PATH<\/code>,\u00a0GCONV_PATH<\/code>, and others.<\/p>\nAT_SECURE<\/code>\u00a0at zero, the dynamic linker treats the session as fully trusted, meaning\u00a0every environment variable passed by a telnet client is accepted without restriction. This shifts the burden of sanitization entirely onto telnetd itself a responsibility it fails to meet.<\/p>\n4db2f19f<\/code>) introduced\u00a0unsetenv(\"CREDENTIALS_DIRECTORY\")<\/code>\u00a0to address part of the problem, the fix remains dangerously incomplete. Telnetd currently attempts to block harmful variables using a blacklist approach, filtering by prefix or full variable name. Researchers have confirmed this is insufficient.<\/p>\nOUTPUT_CHARSET<\/code>\u00a0and\u00a0LANGUAGE<\/code>, alongside the glibc variable\u00a0GCONV_PATH<\/code>, directly through the telnet protocol. By declaring a character set mismatch (e.g., injecting\u00a0ISO-8859-1<\/code>\u00a0against a UTF-8 system), an attacker tricks gettext into calling\u00a0iconv_open()<\/code>.<\/p>\nAT_SECURE<\/code>\u00a0is 0,\u00a0iconv_open()<\/code>\u00a0blindly follows the attacker-supplied\u00a0GCONV_PATH<\/code>\u00a0to locate a custom\u00a0gconv-modules<\/code>\u00a0file \u2014 and from there,\u00a0loads arbitrary shared objects as root.<\/p>\n27 Years old Telnet Vulnerability PoC<\/strong><\/h2>\n
abuser<\/code>) injected environment variables through a standard telnet session to load a malicious shared library (libcash2trash.so<\/code>).<\/p>\n\/bin\/login<\/code>\u00a0attempted to display a localized prompt, gettext triggered the exploit chain. The payload executed silently before the connection dropped \u2014 copying\u00a0\/bin\/sh<\/code>\u00a0with SUID\/SGID permissions.<\/p>\neuid=0 (root)<\/code>\u00a0and\u00a0egid=0 (root)<\/code>, granting full root privileges to the unprivileged user.\u00a0No telnetd authentication was performed or required.<\/p>\nCREDENTIALS_DIRECTORY<\/code>\u00a0vector and this dynamic linker escape comprehensively.<\/p>\n