
Reminds me of the Solaris telnet 0-day from 2007

Posted Jan 20, 2026 22:58 UTC (Tue) by edmonds42 (guest, #42670)
In reply to: Reminds me of the Solaris telnet 0-day from 2007 by dcantrell
Parent article: Remote authentication bypass in telnetd

> What we didn't get from that was that, hey, maybe all the other OSes should check their telnet code.

We wouldn't have found this particular inetutils bug if we had gone looking in 2007, though, because it wasn't introduced until 2015, alarmingly enough.



Reminds me of the Solaris telnet 0-day from 2007

Posted Jan 20, 2026 23:57 UTC (Tue) by dcantrell (subscriber, #75800) [Link]

True, but too bad inetutils couldn't inherit Sun's fix. It's like all new telnet offerings have to start from that original implementation.

Reminds me of the Solaris telnet 0-day from 2007

Posted Jan 22, 2026 4:22 UTC (Thu) by smurf (subscriber, #17840) [Link]

No, but whoever introduced the problem might have remembered not to use unvetted data as arguments in the first place.

Ultimately the problem is that, inside telnetd, the output of the code that processes the template for the arguments to /bin/login is a new string which is then split … instead of a proper argv vector. The current patch includes a nice little blacklist of possible shell metacharacters (ASCII only of course, and not excluding control characters (other than tab and newline)) to paper over the problem, but I hesitate to call that a solution.

Better idea: blacklist the whole inetutils-telnetd package.
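
The difference between splitting an expanded string and building an argv vector, as described in the comment above, shown as an added example (not part of the thread and not inetutils code). The `%v` placeholder, the template and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 16
#define MARK "%v"   /* hypothetical placeholder for a remote-supplied value */

/* Copy src, replacing the first MARK (if any) with val; caller frees. */
static char *subst(const char *src, const char *val)
{
    const char *p = strstr(src, MARK);
    size_t n = strlen(src) + strlen(val) + 1;
    char *out = malloc(n);
    if (!out) abort();
    if (p) snprintf(out, n, "%.*s%s%s", (int)(p - src), src, val, p + strlen(MARK));
    else   snprintf(out, n, "%s", src);
    return out;
}

/* Split s in place on blanks; each token is copied into argv, expanded with
 * val when val is non-NULL (MARK -> MARK is a plain copy). Returns argc. */
static int split(char *s, const char *val, char **argv)
{
    int argc = 0;
    for (char *t = strtok(s, " \t"); t && argc < MAX_ARGS - 1; t = strtok(NULL, " \t"))
        argv[argc++] = subst(t, val ? val : MARK);
    argv[argc] = NULL;
    return argc;
}

/* Expand into one string, then split: blanks in val create extra arguments. */
int expand_then_split(const char *tmpl, const char *val, char **argv)
{
    char *line = subst(tmpl, val);
    int argc = split(line, NULL, argv);
    free(line);
    return argc;
}

/* Split the trusted template first, then expand inside each argv element. */
int split_then_expand(const char *tmpl, const char *val, char **argv)
{
    char *line = subst(tmpl, MARK);
    int argc = split(line, val, argv);
    free(line);
    return argc;
}

int main(void)
{
    char *a[MAX_ARGS], *b[MAX_ARGS];   /* constructed template and value below */
    printf("expand, then split: argc=%d\n", expand_then_split("/bin/login -h %v", "host extra", a));
    printf("split, then expand: argc=%d\n", split_then_expand("/bin/login -h %v", "host extra", b));
    return 0;
}
```

Keeping the value in a single argv element fixes the splitting; it does not vet the value itself, which the receiving program still interprets.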


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.