
Trivial exploitation
“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter,” Simon Josefsson, a GNU contributor who submitted the patch, said on the OSS-SEC mailing list. “If the client supplies a carefully crafted USER environment value being the string ‘-f root’, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.”
In other words, the exploit is achieved with the simple command: USER='-f root' telnet -a [host_ip]. This not only works against remote systems, but it can also serve as a privilege escalation exploit on the local machine if the telnet service (telnetd) is running.
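The root cause described above is that a client-controlled string is placed directly into the argument vector of a setuid-root helper, where login(1) parses it as the option "-f root" instead of as a user name. The following C program is an added illustration, not inetutils or patch code: it places a simplified version of the flawed argv construction beside a hardened one that validates the name and terminates option parsing before it is passed on. The function names (build_login_argv_unsafe, build_login_argv_safe, is_safe_login_user) are hypothetical, and the use of "--" as an end-of-options guard assumes a getopt-style login(1).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern (simplified from the behaviour the article describes):
 * whatever the client sent as USER becomes the last argv entry of
 * /usr/bin/login, so "-f root" is parsed as an option, not a name. */
size_t build_login_argv_unsafe(const char *user, const char *argv_out[], size_t max)
{
    if (max < 3 || user == NULL) return 0;
    argv_out[0] = "/usr/bin/login";
    argv_out[1] = user;   /* client-controlled, unchecked */
    argv_out[2] = NULL;
    return 2;
}

/* Hypothetical hardening check: reject anything login(1) could read as an
 * option or that is not a plausible account name. */
bool is_safe_login_user(const char *user)
{
    if (user == NULL || *user == '\0') return false;
    if (user[0] == '-') return false;               /* "-f root", "-p", ... */
    if (strlen(user) > 32) return false;            /* typical username limit */
    for (const unsigned char *p = (const unsigned char *)user; *p; p++) {
        /* whitespace would let one value become two arguments; '/' and
         * non-printables have no place in an account name */
        if (isspace(*p) || *p == '/' || !isprint(*p)) return false;
    }
    return true;
}

/* Hardened construction: validate first, then put "--" before the name so
 * that even a future parsing quirk cannot turn it into an option
 * (assumes a getopt-style login that honours "--"). Returns 0 on rejection. */
size_t build_login_argv_safe(const char *user, const char *argv_out[], size_t max)
{
    if (max < 4 || !is_safe_login_user(user)) return 0;
    argv_out[0] = "/usr/bin/login";
    argv_out[1] = "--";
    argv_out[2] = user;
    argv_out[3] = NULL;
    return 3;
}

static void show(const char *label, const char *argv[], size_t n)
{
    printf("%s:", label);
    if (n == 0) { printf(" rejected\n"); return; }
    for (size_t i = 0; i < n; i++) printf(" [%s]", argv[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed sample inputs: a normal name and the crafted value
     * described in the article. */
    const char *inputs[] = { "alice", "-f root" };
    const char *argv[4];

    for (size_t i = 0; i < 2; i++) {
        printf("USER=\"%s\"\n", inputs[i]);
        show("  unsafe", argv, build_login_argv_unsafe(inputs[i], argv, 4));
        show("  safe  ", argv, build_login_argv_safe(inputs[i], argv, 4));
    }
    return 0;
}
```

Running it shows the unsafe builder forwarding "-f root" verbatim as login's last argument, while the safe builder rejects it and passes a legitimate name only behind "--". The leading-dash check is the essential part; the length and character checks are ordinary input validation for a value that crosses a trust boundary into a root-privileged program.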
Telnet is part of inetutils, the GNU network utilities package shipped with all Linux and other UNIX-based systems. Users are advised to deploy the patch as soon as possible or update to a patched version offered by their distribution. As a temporary mitigation, users are advised to either disable the telnet service entirely or filter access to it to only allow white-listed IP addresses.
