Thanks Bro !!!!! El mié., 21 de enero de 2026 1:36 a. m., Simon Josefsson < [email protected]> escribió:
> Indeed - I award you with our highest honor of being mentioned in the > THANKS file: > > > https://codeberg.org/inetutils/inetutils/commit/ee5ef4e38eb3cf5b9699453c0bed7a335cd1e3c7 > > Many thanks for finding and reporting this problem! > > /Simon > > Kyu Neushwaistein <[email protected]> writes: > > > Hi, I was wondering if it would be too much to ask. Couldn't I get a > > certificate, lol? To keep in my room? Like the first vulnerability I > > discovered in GNU/Linux. Sorry for the trouble, and thanks. Lol > > > > El mar., 20 de enero de 2026 7:55 a. m., Simon Josefsson < > > [email protected]> escribió: > > > >> # GNU InetUtils Security Advisory: remote authentication by-pass in > telnetd > >> > >> The telnetd server invokes /usr/bin/login (normally running as root) > >> passing the value of the USER environment variable received from the > >> client as the last parameter. > >> > >> If the client supply a carefully crafted USER environment value being > >> the string "-f root", and passes the telnet(1) -a or --login parameter > >> to send this USER environment to the server, the client will be > >> automatically logged in as root bypassing normal authentication > >> processes. > >> > >> This happens because the telnetd server do not sanitize the USER > >> environment variable before passing it on to login(1), and login(1) > >> uses the -f parameter to by-pass normal authentication. > >> > >> Severity: High > >> > >> Vulnerable versions: GNU InetUtils since version 1.9.3 up to and > >> including version 2.7. > >> > >> ## Example > >> > >> On a Trisquel GNU/Linux 11 aramo laptop: > >> > >> root@kaka:~ sudo apt-get install inetutils-telnetd telnet > >> root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf > >> root@kaka:~ sudo /etc/init.d/inetutils-inetd start > >> root@kaka:~ USER='-f root' telnet -a localhost > >> ... > >> root@kaka:~# > >> > >> ## History > >> > >> The bug was introduced in the following commit made on 2015 March 19: > >> > >> > >> > https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87 > >> > >> Based on mailing list discussions: > >> > >> https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00012.html > >> https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html > >> > >> It was included in the v1.9.3 release made on 2015 May 12. > >> > >> ## Recommendation > >> > >> Do not run a telnetd server at all. Restrict network access to the > >> telnet port to trusted clients. > >> > >> Apply the patch or upgrade to a newer release which incorporate the > >> patch. > >> > >> ## Workaround > >> > >> Disable telnetd server or make the InetUtils telnetd use a custom > >> login(1) tool that does not permit use of the '-f' parameter. > >> > >> ## Further research > >> > >> The template for invoking login(1) is in telnetd/telnetd.c: > >> > >> ``` > >> /* Template command line for invoking login program. */ > >> char *login_invocation = > >> #ifdef SOLARIS10 > >> /* TODO: `-s telnet' or `-s ktelnet'. > >> * `-u' takes the Kerberos principal name > >> * of the authenticating, remote user. > >> */ > >> PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}" > >> #elif defined SOLARIS > >> /* At least for SunOS 5.8. */ > >> PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}" > >> #else /* !SOLARIS */ > >> PATH_LOGIN " -p -h %h %?u{-f %u}{%U}" > >> #endif > >> ; > >> ``` > >> > >> The variable expansion happens in telnetd/utility.c: > >> > >> ``` > >> /* Expand a variable referenced by its short one-symbol name. > >> Input: exp->cp points to the variable name. > >> FIXME: not implemented */ > >> char * > >> _var_short_name (struct line_expander *exp) > >> { > >> char *q; > >> char timebuf[64]; > >> time_t t; > >> switch (*exp->cp++) > >> { > >> case 'a': > >> #ifdef AUTHENTICATION > >> if (auth_level >= 0 && autologin == AUTH_VALID) > >> return xstrdup ("ok"); > >> #endif > >> return NULL; > >> case 'd': > >> time (&t); > >> strftime (timebuf, sizeof (timebuf), > >> "%l:%M%p on %A, %d %B %Y", localtime (&t)); > >> return xstrdup (timebuf); > >> case 'h': > >> return xstrdup (remote_hostname); > >> case 'l': > >> return xstrdup (local_hostname); > >> case 'L': > >> return xstrdup (line); > >> case 't': > >> q = strchr (line + 1, '/'); > >> if (q) > >> q++; > >> else > >> q = line; > >> return xstrdup (q); > >> case 'T': > >> return terminaltype ? xstrdup (terminaltype) : NULL; > >> case 'u': > >> return user_name ? xstrdup (user_name) : NULL; > >> case 'U': > >> return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup (""); > >> default: > >> exp->state = EXP_STATE_ERROR; > >> return NULL; > >> } > >> } > >> ``` > >> > >> Thus there is potential for similar vulnerabilities for other > >> variables. > >> > >> On non-GNU/Linux systems, only the remote hostname field is of > >> interest. The `remote_hostname` variable is populated in the function > >> `telnetd_setup` from telnetd/telnetd.c by calling getnameinfo() or > >> gethostbyaddr() depending on platform. This API is generally not > >> considered to return trusted data, thus relying on it to not return a > >> value such as 'foo -f root' is not advisable. > >> > >> ## Patch > >> > >> We chose to sanitize all variables for expansion. The following two > >> patches are what we suggest: > >> > >> > >> > https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b > >> > >> > https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc > >> > >> ## Credits > >> > >> This vulnerability was found and reported by Kyu Neushwaistein aka > >> Carlos Cortes Alvarez on 2026-01-19. > >> > >> Initial patch by Paul Eggert on 2026-01-20. Simon Josefsson improved > >> the patch to also cover similar concerns with other expansions. > >> > >> This advisory was drafted by Simon Josefsson on 2026-01-20. > >> >
