Analysis Summary
Ask yourself: “Did I notice what this video wanted from me, and did I decide freely to say yes?”
Worth Noting
Positive elements
- This video provides a clear, high-quality technical breakdown of a command injection vulnerability and demonstrates how legacy code can persist in modern infrastructure.
Be Aware
Cautionary elements
- The use of a specific, high-severity vulnerability as a 'lead magnet' for a security product can make a niche threat feel like a universal personal risk.
Transcript
I know what you're thinking. Okay, Low Level, a Telnet video in 2026? Yes, unfortunately, in the year of our lord 2026, there are a lot of devices that still lean on Telnet, a lot of organizations that still use Telnet as their primary communication protocol. Now, obviously, Telnet, the protocol by itself, is inherently vulnerable to attack, right? Because it is an unencrypted protocol, meaning that if you telnet to a box, somebody in the middle, if they can sniff that traffic, can watch you exchange your username and password and therefore collect the password and use it for evil stuff, right? Okay, so not great from an overall infrastructure standpoint. But at the end of the day, the Telnet remote end, the server, does have authentication, right? So you need to know the username and password of that system to be able to get access to it. And this is where the bug comes in. Okay: nearly 800,000 Telnet servers exposed to remote attacks. CVE-2026-24061 is a bug in GNU inetutils version 1.9.3, which was released in 2015, 11 years ago, patched in 2.8 on January 20th. Okay, what is going on here is so bonkers. I almost wonder how no one caught it. But at the same time, it's a vulnerability in telnetd, so I'm not super shocked that no one caught it. What I'm going to do, guys, is show you the exploit working, show you how simple it is to exploit this, and then we're going to go through the code and talk about what went wrong in the code and why this was such a big deal. And guys, one really easy way to defend yourself against attacks like this is to use today's sponsor, Tracebit. It's no secret, guys, that hackers are out there looking for ways into your system, and eventually they're probably going to get in. One easy way to build a defense barrier around yourself and be able to detect these hackers is by using canaries. And canaries are Tracebit's bread and butter. Hold on, what is a canary?

A canary is literally just a fake credential that you deploy to your system. If they go and use that SSH key, if they use that credential, you will get an alert from Tracebit. What I love about Tracebit is it's so easy to install. You go, you download the CLI. This downloads a very simple install script. I install Tracebit Linux. It installs it. All I do now is run tracebit auth to log me into the server. And now that this computer is enrolled with Tracebit, I just do tracebit deploy all, and Tracebit is going to enroll me in AWS credentials and SSH keys that are all canaries, meaning if they get used on this computer by somebody else, I will get an alert for it. And we can even test it real quick. We can do tracebit trigger. I'll get a notification for the use of this SSH key. And now I can see not only that a key was used locally; I can see on what host it was used and also the IP address that it came from. And guys, Tracebit just unlocked their community edition. You can try it for free right now. You get five AWS canaries, five SSH key canaries, and then five cookie, email, and password canaries. And if you're in an enterprise environment, you can use their enterprise solution to get a variety of additional canaries and cloud deployments and more. Guys, the best way to help the channel out is to go try the sponsors. Go give them a shot. See if you like the way canaries feel. Build in that layer of defense with these canaries. Tracebit, thanks for sponsoring the video. Back to the video.

So, as it says here, normally the telnetd server invokes /usr/bin/login, normally running as root because that is a setuid binary, to be able to set it to the proper user. And it passes the value of the USER environment variable received from the client. Now the problem is, if the client supplies a specially crafted USER environment variable using -f root and passes that with the -a login parameter to /usr/bin/login, the client will automatically be logged in as root, bypassing normal authentication processes. Like, in terms of exploit complexity, right, in terms of things that hackers want, this is it. This is not a vulnerability that allows you to overflow a buffer. This is not a vulnerability that leaks memory so you can bypass ASLR. This is a vulnerability that literally just concatenates a command that runs as root with an unsanitized flag that says, hey, bypass authentication, and then it's like, sure. And so let's talk about how easy it is to exploit. So here in my Kali VM that I don't care about, I'm running a Docker image from a repo that I found. I'll link it in the description below. So we have a user. I'm just a user. I think I'm like user ID 1000, right? And so I want to escalate to root, right? And so locally on this box, I'm running the vulnerable Telnet server. And so how do I exploit it? Well, surely I write a very specially crafted exploit that leaks memory and bypasses [inaudible] command to localhost, and bada bing bada boom, I'm root, UID zero. That is how simple this exploit is. Now, before we go into the code here, I want to highlight that this vulnerability does not affect all versions of Telnet, right? Thank god. If this affected every Telnet distribution or every use of Telnet around the world, that'd be a catastrophe, right? "Luckily," I guess in quotes, this only affects the GNU inetutils version of Telnet, which means that other versions like, you know, the Cisco proprietary implementation, the BusyBox implementation that runs on routers and switches and weird little devices, right? That is not affected. But if you are using Telnet, I guess still, and you're also in a GNU environment, you're vulnerable. But also, like, what are you doing? Yeah.

So, let's go into the patch notes here. So, this is the security list where I think Simon Josefsson, I'm sorry if I butcher your name, man. This is the guy that found the vulnerability. Severity high, obviously, and he goes through literally a four-liner of how to set up your environment to run it, how to exploit it, and then boom, he gets root. And he's kind of like, heyo. And he puts the commit where the code was introduced, right, where the vulnerable code was introduced, and it's a pretty simple commit. You know, you look at these commits and you're like, how did no one see this coming? And it's like, you know, when people develop, man, you get kind of this headspace put in where you're very tunnel-focused on solving a problem. And once you've figured out a solution to the problem, it's very hard to unwrap that mental state. So this kind of happens. But basically, at the time, telnetd in 2015, autologin did not exist for legacy mode of telnetd, right? So what this commit does is it takes the login path within telnetd and it appends the USER variable, which comes from the USER environment variable that's passed over the network. Right? So instead of doing the regular login path, if you want to try to do an autologin using the automatic login function, it just throws a user in front. The problem is the user field in front comes over the network and is just a getenv, and the getenv comes from the Telnet exchange, right? Because the Telnet exchange accepts some environment variables, and it also accepts one of them being USER, right? And that makes sense. But the problem is now, if you accept an arbitrary user and you're concatenating it to commands that are running as root, one of the things that /bin/login does accept as a flag is the -f flag. You can see that here if you do /usr/bin/login --help. So if you look... Actually, let's do ls -la /usr/bin/login. Right? This is a binary that's run as root.

You're supposed to run this as root. And then what login will do is go and parse the /etc/passwd file, right? It'll go through the password file and the shadow file, and it'll prompt you for the password that you want to use. And if you match the hash and the salt and everything in the shadow file, it'll drop you down to the level of that user, right? Makes sense. However, you will see in the help file for /usr/bin/login, if you throw in a -f, you will be allowed to skip authentication. So by doing -f root on this, you can say, oh, by the way, I am root, and if you wouldn't mind, please just skip the authentication process right now. You may be wondering, why is there a -f flag in /usr/bin/login, right? If I do /usr/bin/login --help, I can see that there's, you know, "skip authentication" here. Why does that exist? There are some scenarios where you may already be pre-authenticated, and so it's on the logic of the implementer to make sure that that flag only gets specified in the right places. And obviously I misspoke, by the way, right? So /usr/bin/login is not a setuid binary. That would be crazy, because if it was, you'd be able to run the program as root, tell it to skip authentication, and then use a username to log in, right? So, like, obviously, this is not a setuid binary. I want to make sure I highlight that there. So, what's happening here, guys, literally is pretty simple. They just concatenate the user field to the front, which all of this gets passed into /usr/bin/login, and, you know, not great. Also, props to the security researcher. Dude, I'm going to mess your name up. I'm so sorry. A. Q. Nissen, I'm really sorry if I mess that up, also known as Carlos. So, hey Carlos, I'd like to find the bugs. You reported it on the 19th and it got patched by the 20th. So, that's really cool. Now, obviously, guys, a bug as simple as this, we've already seen exploitation attempts. GreyNoise is a threat intelligence company.

And they've already seen, basically since the time of release, right? Actually, this is in the last couple of days. Let's see here. Last 10 days. I have to pay for that. Okay, that's fine. Even in the last 24 hours, they've seen multiple attempts basically per hour just trying to exploit this bug. So, pretty crazy. It makes sense, right? This is like the hacker's dream. All you have to do is throw -f into a USER environment variable for Telnet, and then bada bing bada boom, you don't need the password anymore. I do want to highlight kind of an interesting thing about the intrusion detection side of this. Obviously Telnet is bad because it's not encrypted, right? You can watch all of the traffic occur. That's bad from an attacking standpoint because you can get your password stolen. But also, from a defense standpoint, it's kind of cool, because an organization like GreyNoise, where I'm assuming they have places where they can slurp up traffic off the internet, they can use that traffic to just look in plain text at the Telnet traffic and be like, "Oh, people are actively using this USER=-f flag." But they can also use other environment variables that are sent in that Telnet session to infer: is the user human, is the user automated, to see what organizations, and at what speed, are trying to exploit this. Kind of an interesting side effect of the plaintextness of Telnet. You can also see very clearly what actors are using it. It's kind of cool. Now, I know what you're thinking. Would Rust have fixed it? No, not at all, guys. This has nothing to do with memory safety. This has nothing to do with the soundness of a language. This is a failure to sanitize user inputs, and then you concatenate it to a command that, you know, has weird features, right? And so you can just enable one of the weird features on accident.

So, yeah, I mean, it's literally the world's simplest bug. I'm shocked that it went hidden for 10 years, but at the same time, I think, you know, nobody is auditing telnetd because the assumption is no one uses telnetd, aside from the 800,000 Telnet servers that are noted here in this article. So, not great. Anyway, guys, if you like this video, do hit that like button, hit subscribe, and then you can hear my email sounds, and then go check out this other video that I think you will enjoy just as much. We'll see you there. Take care. Goodbye.
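The two mechanisms the transcript describes, the client-supplied USER value being concatenated onto the command line of a privileged login helper, and the plaintext Telnet session letting a defender read that same value off the wire, as an added Python example. This is not code from the video, from GNU inetutils, or from any referenced exploit; it models the bug class rather than reproducing the telnetd source. The NEW-ENVIRON byte layout and constants follow RFC 1572, but the word-split command string in vulnerable_login_argv, the username allow-list regex, the "--" separator (which assumes a getopt-style login that honours it), the helper names and the sample packets are all assumptions constructed for this example.

```python
# Added example modelling the CVE-2026-24061 bug class; not inetutils code.
# RFC 1572 constants are real; command construction, username policy and
# sample packets are assumptions made for this illustration.
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39                                    # RFC 1572 option code
ENV_IS, ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 0, 1, 2, 3


def _quote(data: bytes) -> bytes:
    """RFC 1572 quoting: ESC before VAR/VALUE/ESC/USERVAR bytes, IAC doubled."""
    out = b""
    for b in data:
        if b in (ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR):
            out += bytes([ENV_ESC])
        elif b == IAC:
            out += bytes([IAC])
        out += bytes([b])
    return out


def parse_new_environ(pkt: bytes) -> dict:
    """Decode one IAC SB NEW-ENVIRON IS <vars> IAC SE suboption into a dict.
    Returns {} for anything else. A plaintext Telnet sensor can run this on
    the client's bytes before they ever reach telnetd."""
    if len(pkt) < 4 or pkt[:3] != bytes([IAC, SB, NEW_ENVIRON]) or pkt[3] != ENV_IS:
        return {}
    end = pkt.find(bytes([IAC, SE]), 4)
    if end < 0:
        return {}
    body = pkt[4:end].replace(bytes([IAC, IAC]), bytes([IAC]))
    env, name, value, field = {}, b"", b"", None    # field: "name" | "value" | None
    i = 0
    while i < len(body):
        b, i, literal = body[i], i + 1, False
        if b == ENV_ESC and i < len(body):          # quoted byte: take it literally
            b, i, literal = body[i], i + 1, True
        if not literal and b in (ENV_VAR, ENV_USERVAR):
            if field is not None:                   # flush the previous variable
                env[name.decode("latin-1")] = value.decode("latin-1")
            name, value, field = b"", b"", "name"
        elif not literal and b == ENV_VALUE and field is not None:
            field = "value"
        elif field == "name":
            name += bytes([b])
        elif field == "value":
            value += bytes([b])
    if field is not None:
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env


LOGIN = "/usr/bin/login"
# Conservative account-name policy assumed for this example (not inetutils policy).
USERNAME_RE = re.compile(r"\A[a-z_][a-z0-9_-]{0,31}\Z")


def vulnerable_login_argv(env: dict, host: str) -> list:
    """The flawed pattern: concatenate the client's USER onto a root-run
    command string and hand it over word by word. USER='-f root' therefore
    arrives at login as the option -f (skip authentication) plus 'root'."""
    cmd = f"{LOGIN} -p -h {host} {env.get('USER', '')}"
    return cmd.split()


def hardened_login_argv(env: dict, host: str) -> list:
    """Allow-list the name, then pass it after '--' so that option parsing in
    login (assumed getopt-style) can never read it as a flag."""
    user = env.get("USER", "")
    if not user:
        return [LOGIN, "-p", "-h", host]            # no hint: let login prompt
    if not USERNAME_RE.match(user):
        raise ValueError(f"rejected client-supplied USER {user!r}")
    return [LOGIN, "-p", "-h", host, "--", user]


def suspicious_user(pkt: bytes) -> bool:
    """Wire-side check: a USER that starts with '-' or contains whitespace is
    shaped like an option string, not an account name."""
    user = parse_new_environ(pkt).get("USER", "")
    return user.startswith("-") or any(ch.isspace() for ch in user)


def environ_packet(user: str) -> bytes:
    """Construct a client NEW-ENVIRON IS reply carrying TERM and USER."""
    return (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"TERM"
            + bytes([ENV_VALUE]) + b"xterm" + bytes([ENV_VAR]) + b"USER"
            + bytes([ENV_VALUE]) + _quote(user.encode()) + bytes([IAC, SE]))


# Constructed sample packets, not captured traffic.
EXPLOIT_PKT = environ_packet("-f root")
BENIGN_PKT = environ_packet("alice")

if __name__ == "__main__":
    for pkt in (BENIGN_PKT, EXPLOIT_PKT):
        env = parse_new_environ(pkt)
        print("USER =", repr(env.get("USER")), "| suspicious:", suspicious_user(pkt))
        print("  vulnerable argv:", vulnerable_login_argv(env, "10.0.0.5"))
        try:
            print("  hardened argv:  ", hardened_login_argv(env, "10.0.0.5"))
        except ValueError as err:
            print("  hardened argv:   refused:", err)
```

The allow-list is the real fix; the "--" is belt and braces for the day someone loosens the regex. The sensor check is deliberately crude, since it only needs to catch the option-shaped values GreyNoise-style collectors would count, not to decide whether a given account exists.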
Video description
Protect yourself with canaries for FREE at https://go.lowlevel.tv/tracebit
🏫 MY COURSES
Sign-up for my FREE 3-Day C Course: https://lowlevel.academy
🧙‍♂️ HACK YOUR CAREER
Wanna learn to hack? Join my new CTF platform: https://stacksmash.io
🔥 COME HANG OUT
Check out my other stuff: https://lowlevel.tv