A new technical analysis by security researcher Justin Swartz reveals that a critical vulnerability first identified in the late 1990s has resurfaced in modern systems, allowing remote attackers to bypass authentication and seize total “root” control of a server.
The flaw represents a potential regression of CVE-1999-0073, a legendary vulnerability that many believed had been relegated to the history books decades ago.
The vulnerability resides in telnetd, the server daemon for the legacy Telnet protocol, which is still used in many industrial, embedded, and specialized network environments. The core of the issue is how the telnet daemon hands off to the system’s login process.
“The problem stems from telnetd executing /bin/login in a root-to-root context,” Swartz explains. Because no privilege transition occurs in that execution, the kernel sets the auxiliary-vector flag AT_SECURE to zero.
When this flag is zero, the system’s dynamic linker and libraries do not enter a “secure-execution mode”. As a result, Swartz notes, “the responsibility is on telnetd itself to ensure that none of those potentially interesting, and attacker controlled, variables make their way to /bin/login”.
By exploiting this lack of environment sanitization, an attacker can supply environment variables that trick the system into loading a malicious shared object file.
The researcher demonstrated a “privilege escalation trick” that effectively grants the attacker the highest level of system access. “The payload effectively asserts root privilege and makes a copy of /bin/sh with SUID/SGID permissions,” Swartz detailed in the report.
The analysis confirms that “no authentication via telnetd was required, nor performed, for this privilege escalation trick to occur”.
The research highlights the failure of “blacklisting” individual variables, a strategy that has left systems vulnerable for nearly 27 years. To finally put this vulnerability to rest, Swartz suggests that telnetd must adopt a “whitelist” approach—similar to OpenSSH—in which only a strict set of known-safe variables is allowed to pass through.
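The allow-list approach described above, as an added example in C that is not code from Swartz’s report, telnetd or OpenSSH: the filter keeps only variable names on a fixed list (the list and the sample environment are constructed for this example), and `getauxval(AT_SECURE)` shows the condition under which the dynamic linker will not do this job for the daemon.

```c
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>  /* getauxval(AT_SECURE), glibc >= 2.16 */
#endif
/* Allow-list of names a login helper may inherit (constructed; not telnetd's or OpenSSH's real list). */
static const char *const ALLOWED[] = { "TERM", "LANG", "TZ", NULL };
/* Constructed sample environment as a daemon might receive it from a peer. */
static char *const SAMPLE_ENV[] = {
    "TERM=xterm",            /* on the list: kept */
    "TERMINAL=xterm",        /* prefix collision: must NOT match "TERM" */
    "LD_PRELOAD=/tmp/x.so",  /* dynamic-linker variable: dropped */
    "LANG=C",                /* on the list: kept */
    NULL
};
/* 1 if the dynamic linker is in secure-execution mode (AT_SECURE != 0); in a root-to-root exec it is 0, so the linker scrubs nothing and the daemon must. */
int linker_is_secure_mode(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return 0;  /* unknown platform: assume no help from the linker */
#endif
}
/* 1 if "NAME=value" has NAME exactly on the allow-list (case-sensitive). */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;  /* malformed entry: drop */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i]; i++)
        if (strlen(ALLOWED[i]) == n && memcmp(ALLOWED[i], entry, n) == 0)
            return 1;
    return 0;
}
/* Copies allow-listed entries of in[] to out[] (NULL-terminated, at most max_out-1 entries) and returns the count. Names not on the list never pass. */
size_t filter_env(char *const in[], char *out[], size_t max_out)
{
    size_t k = 0;
    for (size_t i = 0; in[i] && k + 1 < max_out; i++)
        if (env_allowed(in[i])) out[k++] = in[i];
    out[k] = NULL;
    return k;
}
/* Filters SAMPLE_ENV; returns how many entries survive (expected: 2). */
size_t demo_filter_count(void)
{
    char *out[8];
    return filter_env(SAMPLE_ENV, out, 8);
}
```

The exact-name comparison matters: a prefix match would let `TERMINAL=` through on the strength of `TERM`, which is the kind of gap a denylist of individual names also leaves.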
“I think it might make the most sense to co-ordinate a single CVE for ‘Improper environment sanitization in telnetd’ that comprehensively covers both the CREDENTIALS_DIRECTORY vector and this dynamic linker escape,” Swartz concluded.
The researcher has kept the specific payload redacted to prevent widespread abuse.