Trivial Telnet authentication bypass exposes devices to complete takeover

Trivial exploitation

“The telnetd server invokes /usr/bin/login (usually running as root) passing the value of the USER environment variable received from the client as the last parameter,” Simon Josefsson, a GNU contributor who submitted the patch, said on the OSS-SEC mailing list. “If the client supplies a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.”

In other words, the exploit is achieved with the simple command: USER='-f root' telnet -a [host_ip]. This not only works against remote systems, but it can also serve as a privilege escalation exploit on the local machine if the telnet service (telnetd) is running.
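The argument-injection pattern described above, shown as an added example that is neither the article's code nor the inetutils patch. It is a simplified model in C: the function names, the space-splitting model and the 32-character name limit are assumptions. The naive builder lets a USER value turn into a login option, while the checked builder rejects it and keeps the value in a single argv slot.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define LOGIN_PATH "/usr/bin/login"

/* Simplified model (assumption): the server formats one command line with
 * the client's USER value last, then splits it on spaces into argv. */
int naive_login_argv(const char *user, char *buf, size_t len,
                     const char **argv, int max)
{
    int n = 0, r = snprintf(buf, len, "%s %s", LOGIN_PATH, user);
    if (r < 0 || (size_t)r >= len)
        return -1;                        /* value does not fit */
    for (char *t = strtok(buf, " "); t && n < max - 1; t = strtok(NULL, " "))
        argv[n++] = t;                    /* "-f root" becomes two arguments */
    argv[n] = NULL;
    return n;
}

/* Accept only values that can be nothing but a user name operand:
 * non-empty, bounded length, no leading '-', no blanks or control bytes. */
int user_is_safe(const char *user)
{
    size_t n = user ? strlen(user) : 0;
    if (n == 0 || n > 32 || user[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened form: validate first, then place the value in exactly one argv
 * slot with no re-splitting. Returns argc, or -1 if the value is rejected. */
int checked_login_argv(const char *user, const char **argv, int max)
{
    if (max < 3 || !user_is_safe(user))
        return -1;
    argv[0] = LOGIN_PATH; argv[1] = user; argv[2] = NULL;
    return 2;
}

int main(void)
{
    char buf[128]; const char *av[8];
    printf("naive argc=%d\n", naive_login_argv("-f root", buf, sizeof buf, av, 8));
    printf("checked argc=%d\n", checked_login_argv("-f root", av, 8));
    return 0;
}
```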

Telnet is part of inetutils, the GNU network utilities package shipped with all Linux and other UNIX-based systems. Users are advised to deploy the patch as soon as possible or update to a patched version provided by their distribution. As a temporary mitigation, users are advised to either disable the telnet service entirely or filter access to it to only allow white-listed IP addresses.
