Hi Simon,

On Tue, Jan 20, 2026 at 02:55:34PM +0100, Simon Josefsson via Bug reports for the GNU Internet utilities wrote:
> # GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
> [...]
> ## Example
>
> On a Trisquel GNU/Linux 11 aramo laptop:
>
> root@kaka:~ sudo apt-get install inetutils-telnetd telnet
> root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf
> root@kaka:~ sudo /etc/init.d/inetutils-inetd start
> root@kaka:~ USER='-f root' telnet -a localhost
> ...
> root@kaka:~#

At least on Ubuntu 22.04, "login root -f" and "login -f root" give the same result. Using "USER='root -f' telnet -a localhost" should have worked as an exploit as well. Since it requires a space or tab character to separate the -f option from the user name, the patch should also catch this variant already.

> [...]
> ## Patch
>
> We chose to sanitize all variables for expansion. The following two
> patches are what we suggest:
>
> https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
> https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

How about also prohibiting the percent sign '%'? This is used for variable substitution in the template expansion code for telnetd. This would be defensive programming, i.e., I do not know a way to usefully abuse variable substitution currently, but future changes might allow a variable to turn into whitespace, re-opening something like this vulnerability.

> [...]

Cheers,
Erik
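
Added example, not part of this message and not the inetutils patches: a C sketch of the check discussed in the thread, which refuses a value that starts with '-', contains whitespace, or contains '%' before it is substituted into a login command template. The template `login %U`, the placeholder name `%U` and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not the inetutils patch): reject a value that could
   pass as an option, split into extra arguments, or add a %-variable. */
int value_is_safe(const char *v)
{
    if (v == NULL || *v == '\0' || *v == '-')
        return 0;
    return v[strcspn(v, " \t\r\n%")] == '\0';
}

/* Toy expander: substitutes user for the assumed placeholder %U and returns
   how many whitespace-separated words (argv entries) the result contains.
   Returns -1 if check is set and the value is rejected, or out is too small. */
int expand_and_count(const char *tmpl, const char *user, int check,
                     char *out, size_t outlen)
{
    size_t n = 0, len;
    int words = 0, in_word = 0;
    if (user == NULL || (check && !value_is_safe(user)))
        return -1;
    len = strlen(user);
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'U') {
            if (n + len >= outlen) return -1;
            memcpy(out + n, user, len);
            n += len;
            p++;                      /* skip the 'U' */
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    for (size_t i = 0; i < n; i++) {
        int space = (out[i] == ' ' || out[i] == '\t');
        if (!space && !in_word)
            words++;
        in_word = !space;
    }
    return words;
}

int main(void)
{
    char buf[64];                     /* constructed sample values below */
    printf("unchecked: %d words\n", expand_and_count("login %U", "root -f", 0, buf, sizeof buf));
    printf("checked:   %d\n", expand_and_count("login %U", "root -f", 1, buf, sizeof buf));
    return 0;
}
```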
