Reminds me of the Solaris telnet 0-day from 2007
Posted Jan 22, 2026 4:22 UTC (Thu) by smurf (subscriber, #17840)
In reply to: Reminds me of the Solaris telnet 0-day from 2007 by edmonds42
Parent article: Remote authentication bypass in telnetd
Ultimately the problem is that, inside telnetd, the output of the code that processes the template for the arguments to /bin/login is a new string which is then split … instead of a proper argv vector. The current patch includes a nice little blacklist of possible shell metacharacters (ASCII only of course, and not excluding control characters (other than tab and newline)) to paper over the problem, but I hesitate to call that a solution.
Better idea: blacklist the whole inetutils-telnetd package.
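
The difference the comment describes, shown as an added C example that is not part of the post and not inetutils code: expanding a template into one string and then splitting it, versus splitting the fixed template first and expanding each element into its own argv slot. The template, the `%u` placeholder and the value are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 16
#define BUF 256

/* Copy tok to out, replacing the hypothetical placeholder %u with value. */
static void expand(const char *tok, const char *value, char *out, size_t n) {
    size_t o = 0;
    for (; *tok && o + 1 < n; tok++) {
        if (tok[0] == '%' && tok[1] == 'u') {
            o += (size_t)snprintf(out + o, n - o, "%s", value);
            if (o >= n) o = n - 1;   /* value was truncated */
            tok++;
        } else out[o++] = *tok;
    }
    out[o] = '\0';
}

/* Split s on blanks in place, fill argv, return argc. */
static int split(char *s, char *argv[]) {
    int argc = 0;
    for (char *t = strtok(s, " \t"); t && argc < MAX_ARGS - 1; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    argv[argc] = NULL;
    return argc;
}

/* Pattern from the comment: expand into one string, then split it. */
int argc_expand_then_split(const char *tmpl, const char *value) {
    char line[BUF], *argv[MAX_ARGS];
    expand(tmpl, value, line, sizeof line);
    return split(line, argv);   /* blanks inside value create extra arguments */
}

/* Argv-vector approach: split the fixed template, then expand each element. */
int argc_split_then_expand(const char *tmpl, const char *value, char store[][BUF]) {
    char copy[BUF], *argv[MAX_ARGS];
    snprintf(copy, sizeof copy, "%s", tmpl);
    int argc = split(copy, argv);
    for (int i = 0; i < argc; i++)
        expand(argv[i], value, store[i], BUF);   /* value stays one element */
    return argc;
}

int main(void) {
    char store[MAX_ARGS][BUF];
    const char *t = "/bin/login -p %u", *v = "alice extra"; /* constructed inputs */
    printf("expand-then-split argc=%d, split-then-expand argc=%d\n",
           argc_expand_then_split(t, v), argc_split_then_expand(t, v, store));
    return 0;
}
```

With the second approach the argument count is fixed by the template alone, so no character filter on the value is needed to keep it in a single argv element.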
