{"repro_id":"REPRO-2026-00077","version":6,"title":"GNU InetUtils telnetd Remote Authentication Bypass","repro_type":"security","status":"published","severity":"critical","description":"GNU InetUtils telnetd versions 1.9.3 through 2.7 accept the USER environment variable from telnet clients and pass it directly to login(1) without sanitization.","root_cause":"telnetd passes USER environment variable directly to login(1) without validation. When USER begins with -f root, login interprets -f as a flag to skip authentication.","source_url":"https://seclists.org/oss-sec/2026/q1/89","package":{"name":"inetutils","ecosystem":"gnu","affected_versions":"1.9.3 - 2.7"},"reproduced_at":"2026-01-21T09:21:59.540857+00:00","duration_secs":2150.0,"tool_calls":300,"turns":149,"handoffs":1,"quality":{"confidence":"high","idempotent_verified":true,"community_verifications":0},"evidence":[{"content":"spawn /tmp/inetutils-2.7/telnet/telnet -a 127.0.0.1 2323\nroot@runsc:~# id\nuid=0(root) gid=0(root) groups=0(root)","description":"Telnet exploit obtained root access by setting USER=\"-f root\"","title":"Root shell obtained via USER injection","type":"log_excerpt"},{"content":"VULNERABLE: obtained root shell via USER='-f root'","description":"Script confirmed vulnerability","title":"Reproduction verdict","type":"command_output"}],"key_moments":[{"description":"Analyzed GNU InetUtils telnetd authentication bypass from oss-sec","event_type":"analysis_start","timestamp":"2026-01-21T08:45:00Z","title":"Ticket analysis"},{"description":"Demonstrated root shell access by setting USER=\"-f root\" with telnet -a","event_type":"exploit_attempt","timestamp":"2026-01-21T09:06:00Z","title":"Successful authentication bypass"},{"description":"Script successfully ran twice, confirming exploit reliability","event_type":"verification_complete","timestamp":"2026-01-21T09:17:00Z","title":"Reproduction verified"}],"published_at":"2026-01-21T09:47:30.167062+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":2525,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":2594,"category":"analysis"},{"path":"bundle/ticket.md","filename":"ticket.md","size":2709,"category":"ticket"},{"path":"bundle/logs/expect_exploit.log","filename":"expect_exploit.log","size":1384,"category":"log"},{"path":"bundle/logs/result.log","filename":"result.log","size":51,"category":"log"},{"path":"bundle/logs/inetd.log","filename":"inetd.log","size":166,"category":"log"}]}