Telnetd Flaw Grants Root Access Without Authentication

A recent vulnerability has been discovered in the telnetd server component of the GNU InetUtils software. This vulnerability, which has been reported here, allows an attacker to connect to the server as any user, including the all-powerful root user, without the need to provide a password. As of now, the Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability has not been assigned.

The vulnerability has been present since the release of InetUtils version 1.9.3 in 2015 and persists in the current release, version 2.7.0. A fix is available as two code changes, accessible here and here.

The issue arises from the way the telnetd process hands off password checking. When a client connects to the server, the telnetd process invokes the utility “/usr/bin/login” with the username supplied by the client as a command-line argument. A username that begins with “-f” is therefore read by “login” as its “-f” option, which skips password authentication, so an attacker can bypass the password check and gain unauthorized access.

An additional weakness lies in the automatic login mode of the telnet client, which is activated with the “-a” option. In this mode, the username is taken from the USER environment variable, so an attacker who controls that variable can connect as the root user without password verification:

$ USER='-f root' telnet -a server_name
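Both paths described above (the server passing the client-supplied name to “login”, and the client taking the name from USER) are the same defect: an untrusted string lands in a position where “login” parses options. The defensive fix is to reject any username that could be read as an option before it ever reaches the argument vector. The following C is an added example written for this article, not code from GNU InetUtils or its patch; the function names username_is_safe and build_login_argv, the accepted character set and the 32-character limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical validator (added example): accept only user names that
 * /usr/bin/login cannot mistake for an option. Returns 1 if safe, 0 if not. */
int username_is_safe(const char *user)
{
    size_t len, i;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > 32)            /* empty or implausibly long */
        return 0;
    if (user[0] == '-')                  /* would be parsed as an option by login */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* conservative portable user-name alphabet; rejects spaces and
         * shell/option metacharacters such as "-f root" */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the argument vector a telnetd-style server would hand to execv().
 * The "-p" (preserve environment) and "-h host" flags mirror the usual
 * login invocation; "-f" is deliberately never added here, because that
 * flag must only come from the server's own authentication decision,
 * never from client data. Returns the argument count, or -1 if rejected. */
int build_login_argv(const char *host, const char *user,
                     const char *argv[], size_t maxargs)
{
    if (maxargs < 6 || !username_is_safe(user))
        return -1;
    argv[0] = "login";
    argv[1] = "-h";
    argv[2] = host;
    argv[3] = "-p";
    argv[4] = user;      /* safe: cannot start with '-' or contain a space */
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* constructed sample names, including the option-shaped one from the article */
    const char *samples[] = { "alice", "root", "-f root", "-froot", "", "bob smith" };
    const char *av[8];
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int rc = build_login_argv("203.0.113.5", samples[n], av, 8);
        printf("%-12s -> %s\n", samples[n],
               rc < 0 ? "rejected before exec" : "passed to login as a plain user name");
    }
    return 0;
}
```

The same check belongs in the client's “-a” path: a value read from USER is as untrusted as a name received over the network, and validating it before it is sent or passed on closes the second variant as well.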

In an attempt to address an issue related to autologin without Kerberos authentication, a change was made to the telnetd code in March 2015 (source). However, this change inadvertently
