Telnet is a remote login protocol that became obsolete in 1995 when SSH became available because SSH offers transport encryption while telnet does not.

Those who kept a telnetd running for whatever reason (and did not hide it behind a firewall) have had a root backdoor for the last ten years.

GNU InetUtils Security Advisory: remote authentication by-pass in telnet

The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value, namely the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment variable to the server, the client will be automatically logged in as root, bypassing the normal authentication process.

This happens because the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to bypass normal authentication.
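As an added illustration, not code from GNU InetUtils or the advisory, here is the kind of check the fix needs on the server side: a hypothetical validator that refuses client-supplied USER values which could be parsed as login(1) options, beside the argv construction that only proceeds once the value passes. The "--" separator assumes login's option parser honours it, as getopt- and argp-based parsers do.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical validator for a client-supplied USER value that is about
 * to become a positional argument of login(1). It rejects anything that
 * could be read as an option (leading '-'), anything empty or overlong,
 * and any character outside a conservative username alphabet, so a
 * value such as "-f root" is refused instead of being passed through. */
int user_value_is_safe(const char *user) {
    if (user == NULL || *user == '\0') return 0;
    if (*user == '-') return 0;              /* would be parsed as a login option */
    if (strlen(user) > 32) return 0;         /* arbitrary cap for this example */
    for (const char *p = user; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened argv construction: the value is validated first, and "--"
 * ends option processing so nothing after it is treated as a flag.
 * Returns the number of arguments placed in argv_out (NULL-terminated),
 * or -1 when the USER value is refused or the buffer is too small. */
int build_login_argv(const char *user, const char *argv_out[], int max) {
    if (argv_out == NULL || max < 4) return -1;
    if (!user_value_is_safe(user)) return -1;
    int n = 0;
    argv_out[n++] = "/usr/bin/login";        /* path as named in the advisory */
    argv_out[n++] = "--";                    /* end of options */
    argv_out[n++] = user;                    /* now guaranteed not to start with '-' */
    argv_out[n] = NULL;
    return n;
}

int main(void) {
    const char *argv[8];
    const char *samples[] = { "alice", "-f root", "", "bob.smith" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_login_argv(samples[i], argv, 8);
        printf("USER=\"%s\": %s\n", samples[i], n < 0 ? "refused" : "accepted");
    }
    return 0;
}
```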

Severity: High

Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.

History

The bug was introduced in the following commit made on 2015 March 19 […]

Recommendation

Do not run a telnetd server at all. Restrict network access to the telnet port to trusted clients.

Source (including exploit code not reproduced here): lists.gnu.org/archive/html/bug
