pwg 2 hours ago

You passed '-f root' to login (a single long string). telnetd is likely passing '-f' 'root' to login (two arguments instead of one; whether this is because it creates two, or because it uses the shell (which then reparses), I don't know).

But '-f' is a valid option to login (man login):

login [-p] [-h host] [-H] [-f username|username]

...

-f Used to skip a login authentication. This option is usually used by the getty(8) autologin feature.

munch117 2 minutes ago

I was reading https://www.offsec.com/blog/cve-2026-24061/, which implies that precisely that single long string passes through getenv("USER") in the attack. The mystery is how that single long string in telnetd becomes two separate arguments for login. execv or posix_spawn certainly won't do that. So either there's a version of /usr/bin/login that parses arguments in some very sus way, or there's a shell involved somehow.
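An added example, not part of either comment above and not taken from telnetd or login source: it shows how the one string '-f root' can turn into two argv entries with no shell involved, if a launcher pastes the value into a command line and splits it afterwards, next to a builder that keeps the value in one slot. Both builder functions and the "login -p" template are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Hypothetical "expand, then split" builder: the user value is pasted into
 * one command string, which is then split on spaces. Whitespace inside the
 * value becomes an argument boundary. Returns argc. */
static int build_split_after(const char *user, char *buf, size_t n, char **argv) {
    int argc = 0;
    snprintf(buf, n, "login -p %s", user);
    for (char *t = strtok(buf, " "); t && argc < MAX_ARGS - 1; t = strtok(NULL, " "))
        argv[argc++] = t;
    argv[argc] = NULL;
    return argc;
}

/* Hardened form: argv is built slot by slot, so the value stays one argument.
 * Empty values, values starting with '-', and values containing whitespace
 * are refused; "--" ends option parsing for getopt-style parsers.
 * Returns argc, or -1 if the value is refused. */
static int build_fixed_slots(const char *user, char **argv) {
    if (user[0] == '\0' || user[0] == '-' || strpbrk(user, " \t\n"))
        return -1;
    argv[0] = "login"; argv[1] = "-p"; argv[2] = "--";
    argv[3] = (char *)user; argv[4] = NULL;
    return 4;
}

int main(void) {
    const char *user = "-f root";   /* the value quoted in the thread */
    char buf[64], *argv[MAX_ARGS];
    int argc = build_split_after(user, buf, sizeof buf, argv);
    for (int i = 0; i < argc; i++)
        printf("split argv[%d] = \"%s\"\n", i, argv[i]);
    printf("fixed-slot builder returns %d\n", build_fixed_slots(user, argv));
    return 0;
}
```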