• Remote authentication bypass in telnetd

    From LWN.net@1337:1/100 to All on Tuesday, January 20, 2026 21:00:11
    Remote authentication bypass in telnetd

    Date:
    Tue, 20 Jan 2026 20:45:46 +0000

    Description:
    One would assume that most LWN readers stopped running network-accessible
    telnet services some number of decades ago. For the rest of you, this
    security advisory from Simon Josefsson is worthy of note:

        The telnetd server invokes /usr/bin/login (normally running as
        root) passing the value of the USER environment variable received
        from the client as the last parameter. If the client supplies a
        carefully crafted USER environment value being the string "-f root",
        and passes the telnet(1) -a or --login parameter to send this USER
        environment to the server, the client will be automatically logged
        in as root bypassing normal authentication processes.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1055213/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
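
The advisory describes an argument-injection flaw: a client-controlled USER value reaches the login command line, where it is read as options. The C sketch below is an added example, not code from the LWN item, the advisory or telnetd. It shows one defensive pattern: validate the value, then place it after a `--` end-of-options marker. The function names, the 32-character limit, the allowed character set and the assumption that login parses options with getopt(3) are all hypothetical choices made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a client-supplied USER value may be passed to login as a
 * single name argument, 0 otherwise. The policy is an assumption of this
 * example: non-empty, no leading '-', at most 32 characters, and only
 * [A-Za-z0-9_.-], so no whitespace can split it into extra arguments. */
int user_value_is_safe(const char *user)
{
    size_t i, len;

    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;
    len = strlen(user);
    if (len > 32)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill argv for exec'ing login. Returns the argument count, or -1 if the
 * USER value is rejected. The vector is built directly and never
 * re-split on whitespace; "--" ends option parsing for getopt(3). */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4)
        return -1;
    argv[0] = "/usr/bin/login";
    if (user == NULL) {            /* no USER sent: login prompts for a name */
        argv[1] = NULL;
        return 1;
    }
    if (!user_value_is_safe(user))
        return -1;
    argv[1] = "--";
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[4];
    /* The first value is the one quoted in the advisory. */
    printf("\"-f root\" -> %d\n", build_login_argv("-f root", argv, 4));
    printf("\"alice\"   -> %d\n", build_login_argv("alice", argv, 4));
    return 0;
}
```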