GNU Inetutils Telnetd Privilege Escalation Vulnerability via Systemd Service Credentials

Vulnerability

A privilege escalation vulnerability has been identified in the Telnet daemon (telnetd) of GNU Inetutils, affecting versions through 2.7. It arises from the systemd service credentials support introduced in the login implementation of util-linux, starting with version 2.40. An unprivileged local user can bypass authentication by manipulating the CREDENTIALS_DIRECTORY environment variable: the user creates a file named 'login.noauth' in a directory they created, and telnetd's ability to pass environment variables carries the variable through to login, leading to elevated privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a local user to gain root access by bypassing authentication mechanisms.

Reproduction

To reproduce this vulnerability, a local user must create a directory and a file named 'login.noauth' containing the string 'yes'. Once this is done, the user can initiate a Telnet session and specify the CREDENTIALS_DIRECTORY environment variable to point to the directory containing the 'login.noauth' file. This will cause the login process to skip authentication and grant access as the specified user, including root.

Remediation

Users can update to the latest version of GNU Inetutils, where this vulnerability has been addressed. Instructions for updating can be found in the GNU Inetutils documentation.
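
The following host check is an added example, not part of the original advisory and not code from GNU Inetutils or util-linux. It walks the given directories and reports any 'login.noauth' file, the artifact described under Reproduction. It assumes that legitimate systemd credentials live under /run/credentials; the function names and report fields are illustrative.

```python
import os
import stat
import tempfile

MARKER = "login.noauth"               # file name given in the advisory
TRUSTED_PREFIX = "/run/credentials"   # assumption: systemd-managed credentials


def is_trusted(path, trusted=TRUSTED_PREFIX):
    """True if path is the trusted prefix or below it, symlinks resolved."""
    real, base = os.path.realpath(path), os.path.realpath(trusted)
    return real == base or real.startswith(base + os.sep)


def find_noauth_files(roots, trusted=TRUSTED_PREFIX):
    """Report every login.noauth found under roots outside the trusted prefix."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if MARKER not in files or is_trusted(dirpath, trusted):
                continue
            path = os.path.join(dirpath, MARKER)
            try:
                st = os.lstat(path)
                content = None          # stays None for symlinks, FIFOs, etc.
                if stat.S_ISREG(st.st_mode):
                    with open(path, "r", errors="replace") as fh:
                        content = fh.read(64).strip()
            except OSError:
                continue                # vanished or unreadable: skip
            # "yes" is the value the advisory says makes login skip authentication
            findings.append({"path": path, "owner_uid": st.st_uid,
                             "skips_auth": content == "yes"})
    return findings


def demo():
    """Scan a constructed tree: one planted file, one systemd-style file."""
    with tempfile.TemporaryDirectory() as top:
        trusted = os.path.join(top, "run", "credentials")
        for sub, text in (("home/alice/c", "yes\n"),
                          ("run/credentials/getty", "yes\n")):
            os.makedirs(os.path.join(top, sub))
            with open(os.path.join(top, sub, MARKER), "w") as fh:
                fh.write(text)
        return [(os.path.relpath(f["path"], top), f["skips_auth"])
                for f in find_noauth_files([top], trusted)]


if __name__ == "__main__":
    print(demo())   # only the file outside the trusted prefix is reported
```

Run it as root over user-writable locations so that every file is readable; a finding's owner_uid identifies the account that planted the file.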

Added: Feb 27, 2026, 6:23 AM
Updated: Feb 27, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.