Hi, I was wondering if it would be too much to ask. Couldn't I get a certificate, lol? To keep in my room? Like the first vulnerability I discovered in GNU/Linux. Sorry for the trouble, and thanks. Lol
On Tue, 20 Jan 2026 at 7:55 AM, Simon Josefsson <[email protected]> wrote:

> # GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
>
> The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.
>
> If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.
>
> This happens because the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.
>
> Severity: High
>
> Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.
>
> ## Example
>
> On a Trisquel GNU/Linux 11 aramo laptop:
>
> ```
> root@kaka:~ sudo apt-get install inetutils-telnetd telnet
> root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf
> root@kaka:~ sudo /etc/init.d/inetutils-inetd start
> root@kaka:~ USER='-f root' telnet -a localhost
> ...
> root@kaka:~#
> ```
>
> ## History
>
> The bug was introduced in the following commit made on 2015 March 19:
>
> https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87
>
> Based on mailing list discussions:
>
> https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00012.html
> https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html
>
> It was included in the v1.9.3 release made on 2015 May 12.
>
> ## Recommendation
>
> Do not run a telnetd server at all. Restrict network access to the telnet port to trusted clients.
>
> Apply the patch or upgrade to a newer release which incorporates the patch.
>
> ## Workaround
>
> Disable the telnetd server or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the '-f' parameter.
>
> ## Further research
>
> The template for invoking login(1) is in telnetd/telnetd.c:
>
> ```
> /* Template command line for invoking login program.  */
> char *login_invocation =
> #ifdef SOLARIS10
>   /* TODO: `-s telnet' or `-s ktelnet'.
>    * `-u' takes the Kerberos principal name
>    *      of the authenticating, remote user.
>    */
>   PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}"
> #elif defined SOLARIS
>   /* At least for SunOS 5.8.  */
>   PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}"
> #else /* !SOLARIS */
>   PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"
> #endif
>   ;
> ```
>
> The variable expansion happens in telnetd/utility.c:
>
> ```
> /* Expand a variable referenced by its short one-symbol name.
>    Input: exp->cp points to the variable name.
>    FIXME: not implemented */
> char *
> _var_short_name (struct line_expander *exp)
> {
>   char *q;
>   char timebuf[64];
>   time_t t;
>
>   switch (*exp->cp++)
>     {
>     case 'a':
> #ifdef AUTHENTICATION
>       if (auth_level >= 0 && autologin == AUTH_VALID)
>         return xstrdup ("ok");
> #endif
>       return NULL;
>
>     case 'd':
>       time (&t);
>       strftime (timebuf, sizeof (timebuf),
>                 "%l:%M%p on %A, %d %B %Y", localtime (&t));
>       return xstrdup (timebuf);
>
>     case 'h':
>       return xstrdup (remote_hostname);
>
>     case 'l':
>       return xstrdup (local_hostname);
>
>     case 'L':
>       return xstrdup (line);
>
>     case 't':
>       q = strchr (line + 1, '/');
>       if (q)
>         q++;
>       else
>         q = line;
>       return xstrdup (q);
>
>     case 'T':
>       return terminaltype ? xstrdup (terminaltype) : NULL;
>
>     case 'u':
>       return user_name ? xstrdup (user_name) : NULL;
>
>     case 'U':
>       return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
>
>     default:
>       exp->state = EXP_STATE_ERROR;
>       return NULL;
>     }
> }
> ```
>
> Thus there is potential for similar vulnerabilities for other variables.
>
> On non-GNU/Linux systems, only the remote hostname field is of interest. The `remote_hostname` variable is populated in the function `telnetd_setup` from telnetd/telnetd.c by calling getnameinfo() or gethostbyaddr() depending on platform. This API is generally not considered to return trusted data, thus relying on it to not return a value such as 'foo -f root' is not advisable.
>
> ## Patch
>
> We chose to sanitize all variables for expansion. The following two patches are what we suggest:
>
> https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
> https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
>
> ## Credits
>
> This vulnerability was found and reported by Kyu Neushwaistein aka Carlos Cortes Alvarez on 2026-01-19.
>
> Initial patch by Paul Eggert on 2026-01-20. Simon Josefsson improved the patch to also cover similar concerns with other expansions.
>
> This advisory was drafted by Simon Josefsson on 2026-01-20.

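The advisory's "Patch" section says the fix was to sanitize every value substituted into the login template, and its "Further research" section notes that the remote hostname (%h) can carry the same kind of payload as USER (%U). The following is an added example, written for this page and not taken from GNU InetUtils or from the linked patches: it shows one allow-list check for such values and how the GNU template `PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"` can be turned into a separate-argument vector so that neither a leading `-` nor an embedded space can reach login(1) as an option. The path in `PATH_LOGIN`, the function names and the exact allow-list policy are this example's own assumptions, not the project's.

```c
/* Added example; not code from GNU InetUtils or from the advisory's patches.
   Checks the values that the login template
   PATH_LOGIN " -p -h %h %?u{-f %u}{%U}" substitutes (%h remote host,
   %u authenticated user, %U the client-supplied USER variable) before
   they become login(1) arguments.  The allow-list below is this
   example's own policy, not the project's. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_LOGIN "/usr/bin/login"   /* assumed path, as named in the advisory */

/* Return 1 if VALUE may be substituted into the login command line.
   Rejected:
   - a leading '-': a getopt()-style parser in login(1) reads it as an
     option, which is how "-f root" bypassed authentication;
   - whitespace: if the expanded template is split into words, a value
     such as "foo -f root" becomes three arguments, one of them -f;
   - any byte outside [A-Za-z0-9._@-]: enough for POSIX user names and
     DNS host names, which are the only things these fields should hold.
   The empty string is accepted: it is what %U yields when USER is unset. */
int
login_arg_is_safe (const char *value)
{
  size_t i;

  if (value == NULL || value[0] == '-')
    return 0;
  for (i = 0; value[i] != '\0'; i++)
    {
      unsigned char c = (unsigned char) value[i];
      if (!(isalnum (c) || c == '.' || c == '_' || c == '@' || c == '-'))
        return 0;
    }
  return 1;
}

/* Build the argument vector for the GNU template as separate argv
   entries (never one string handed to a shell).  Returns argc, or -1
   if any substituted value fails the check; the caller should then
   refuse the login rather than pass a "cleaned" guess along. */
int
build_login_argv (const char *remote_host, const char *auth_user,
                  const char *user_env, const char **argv, size_t max)
{
  size_t argc = 0;

  if (max < 7 || !login_arg_is_safe (remote_host))
    return -1;
  argv[argc++] = PATH_LOGIN;
  argv[argc++] = "-p";
  argv[argc++] = "-h";
  argv[argc++] = remote_host;
  if (auth_user != NULL)
    {
      /* %?u{-f %u}: -f is only ever emitted by the server itself, for a
         user it has already authenticated (e.g. via Kerberos). */
      if (!login_arg_is_safe (auth_user))
        return -1;
      argv[argc++] = "-f";
      argv[argc++] = auth_user;
    }
  else
    {
      /* {%U}: the client-controlled USER value, checked like any other. */
      if (!login_arg_is_safe (user_env))
        return -1;
      argv[argc++] = user_env;
    }
  argv[argc] = NULL;
  return (int) argc;
}

/* Convenience wrapper: argc for the given inputs, or -1 when rejected. */
int
login_argc_for (const char *remote_host, const char *auth_user,
                const char *user_env)
{
  const char *argv[8];
  return build_login_argv (remote_host, auth_user, user_env, argv, 8);
}

int
main (void)
{
  /* Constructed sample values, not captured from a real session. */
  const char *samples[] = { "alice", "-f root", "foo -f root",
                            "host.example.org", "" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("%-18s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
            login_arg_is_safe (samples[i]) ? "accepted" : "rejected");
  printf ("argc for USER='-f root' from 203.0.113.7: %d\n",
          login_argc_for ("203.0.113.7", NULL, "-f root"));
  return 0;
}
```

Two design points worth noting: the check is an allow-list rather than a search for `-f`, so it also covers any other login(1) option and the hostname path the advisory flags; and a rejected value aborts the login instead of being rewritten, because silently substituting an empty or altered user name would hide the attempt from anyone reading the logs.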