# REPRO-2026-00077: GNU InetUtils telnetd Remote Authentication Bypass

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00077

## Package

- Name: inetutils
- Ecosystem: gnu
- Affected: 1.9.3 - 2.7
- Fixed: Unknown

## Root Cause

telnetd passes the `USER` environment variable directly to login(1) without validation. When `USER` begins with `-f root`, login interprets `-f` as a flag to skip authentication.

## Reproduction Details

- Reproduced: 2026-01-21T09:21:59.540Z
- Duration: 2150 seconds
- Tool calls: 300
- Turns: 149
- Handoffs: 1

## Timeline (Key Moments)

1. Ticket analysis: Analyzed GNU InetUtils telnetd authentication bypass from oss-sec
2. Successful authentication bypass: Demonstrated root shell access by setting `USER="-f root"` with `telnet -a`
3. Reproduction verified: Script successfully ran twice, confirming exploit reliability

## Quick Verification

Run one of these commands to verify locally:

```bash
pruva-verify REPRO-2026-00077
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00077&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```bash
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00077/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- Source: https://seclists.org/oss-sec/2026/q1/89

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 2525 bytes)
- bundle/repro/rca_report.md (analysis, 2594 bytes)
- bundle/ticket.md (ticket, 2709 bytes)
- bundle/logs/expect_exploit.log (log, 1384 bytes)
- bundle/logs/result.log (log, 51 bytes)
- bundle/logs/inetd.log (log, 166 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00077
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00077/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00077

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev