A trivially exploitable authentication bypass vulnerability in the GNU InetUtils networking utilities package that has been present for more than 10 years has now been patched after a researcher discovered and disclosed it on Jan. 19. 

The flaw is in the way that the telnetd server handles some specific user-supplied data. An attacker who exploits this vulnerability would be able to bypass the authentication path and gain root privileges. 

“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes,” the advisory says.

“This happens because the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to bypass normal authentication.”

The vulnerability affects versions 1.9.3 through 2.7, and the maintainers have released new versions of InetUtils that fix the issue. The bug was introduced in a commit in March 2015. A workaround for this flaw is to disable the telnetd server.

“On non-GNU/Linux systems, only the remote hostname field is of interest. The `remote_hostname` variable is populated in the function `telnetd_setup` from telnetd/telnetd.c by calling getnameinfo() or gethostbyaddr() depending on platform. This API is generally not considered to return trusted data, thus relying on it to not return a value such as 'foo -f root' is not advisable,” the advisory says.
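The two quoted passages describe the same defect from two angles: a value controlled by the remote side (the USER variable, or the resolved hostname) is appended to the argument list of a setuid-root program without being checked, so a value beginning with "-" is parsed by login(1) as an option. The following C example is added here to show the kind of validation that closes that gap; it is illustrative code written for this article, not the InetUtils project's own patch, and the argument layout (`login -h host -p [user]`), the 32-character limit and the accepted character sets are assumptions chosen for the example rather than taken from telnetd.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for a remote-supplied user name (not an InetUtils value). */
#define MAX_USER_LEN 32

/* Shared rule for anything handed to login(1) as a positional or option value:
 * non-empty, bounded, no leading '-', no whitespace or control characters,
 * and only characters from `extra` beyond letters and digits. */
static bool field_is_safe(const char *s, size_t max_len, const char *extra)
{
    if (s == NULL || *s == '\0')
        return false;
    size_t len = strlen(s);
    if (len > max_len)
        return false;
    if (s[0] == '-')            /* would be read as an option by login(1) */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || strchr(extra, c) != NULL)
            continue;
        return false;           /* whitespace, control chars, quotes, etc. */
    }
    return true;
}

/* User names: POSIX portable user-name set [A-Za-z0-9._-], no leading '-'. */
bool username_is_safe(const char *user)
{
    return field_is_safe(user, MAX_USER_LEN, "._-");
}

/* Host names / addresses: letters, digits, '.', ':' (IPv6) and '-'. */
bool hostname_is_safe(const char *host)
{
    return field_is_safe(host, 255, ".:-");
}

/* Fill `argv` (capacity `cap`, including the terminating NULL) for
 * execv("/usr/bin/login", argv). The remote-supplied host and user are
 * only placed in the vector after validation; in the vulnerable pattern
 * the advisory describes, the USER value was appended unchecked.
 * Returns argc on success, -1 if either value fails validation. */
int build_login_argv(const char *host, const char *user, char *argv[], size_t cap)
{
    if (cap < 6 || !hostname_is_safe(host))
        return -1;
    int argc = 0;
    argv[argc++] = "login";
    argv[argc++] = "-h";
    argv[argc++] = (char *)host;
    argv[argc++] = "-p";
    if (user != NULL && *user != '\0') {
        if (!username_is_safe(user))
            return -1;          /* refuse rather than try to "clean" it */
        argv[argc++] = (char *)user;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Constructed sample inputs: one benign session and one with an
     * option-like user name of the shape the advisory warns about. */
    const char *samples[] = { "alice", "-f root", "bob smith", NULL };
    char *argv[8];
    for (int i = 0; samples[i] != NULL; i++) {
        int argc = build_login_argv("client.example", samples[i], argv, 8);
        printf("user %-10s -> %s\n", samples[i],
               argc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The design choice worth noting is that the validator rejects rather than rewrites: stripping a leading "-" or splitting on spaces invites a second bypass through whatever the rewrite missed, whereas an allow-list over a small character set leaves nothing for login(1) to misinterpret. The same check is applied to the hostname because, as the advisory notes, the resolver output is not trusted data either.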

There is no CVE assigned to this vulnerability yet.