71 comments

[ 3.1 ms ] story [ 68.1 ms ] thread
The pattern points toward one or more North American Tier 1 transit providers implementing port 23 filtering
Stranger article. I wasn't able to get the main point of this article. Strangely written, but hey - I'm nob native by any means.

ps.

telnet SDF.org

just works...

I still used telnet today (had to). Unsure of the patching here. But its definitely locked down to a subset of internal use only.
> Someone upstream of a significant chunk of the internet’s transit infrastructure apparently decided telnet traffic isn’t worth carrying anymore. That’s probably the right call.

Does this impact traffic for MUDs at all? I know several MUDs operate on nonstandard Telnet ports, but many still allow connection on port 23. Does this block end-to-end Telnet traffic, or does it only block attempts to access Telnet services on the backbone relays themselves?

(comment deleted)
Why would somebody read something that somebody couldn't be bothered to write? This article is AI slop.
Personally, I found the spoof song in the middle of very dry writing to be jarring. But I didn't think it sounded AI written.
telnet isn't just for ... telnet.

  $ telnet smtp.example.co.uk 25
  HELO me
  MAIL FROM: gerdesj@example2.co.uk
  RCPT TO: gerdesj@example.co.uk
  DATA
.. or you can use SWAKS! For some odd reason telnet is becoming rare as an installed binary.
So eleven years ago someone put a backdoor in the Telnet daemon.

Who?

Where's the commit?

Why are people still using telnet across the internet in this century? Was this _all_ attack traffic?

(OK, I know one ancient talker that uses it - but on a very non-standard port so a port 23 block wouldn't be relevant)

telnet lambda.moo.mud.org 8888
How else would I connect to my BBS to play L.O.R.D. and check FidoNet.
One reason would be to play MUDs, which are very well and alive these days!
To play DOOM.

  telnet doom.w-graj.net 666
Some of us still run historical systems for preservation's sake.
When I was an intern for some reason they issued me a voip phone for my desk. One day I got bored and figured out I could telnet into it. Nothing interesting but it was still a fun moment for me!
telnet + shijack = good times
The design of telnet and ssh where you have a daemon running as root is bad security that as shown here is a liability, a ticking time bomb ready to give attackers root.
OpenSSH has been moving quite quickly in the direction of multiple, privilege separated processes, each also heavily sandboxed with pledge and unveil
This is about Telnetd. Not telnet itself.
Your cookie banner is very inconvenient and made me leave your website and not read the article
It's nice to not see C being blamed for once! ... Just good old lack of reasoning (which is most C's codebase downfall, agreeably).
Argument injection can happen in any programming language where you can concatenate strings and call something with the result.
I used to telnet into my POP3 account and check email by protocol. Shucks.
The scope of this CVE and the response to it are genuinely wild.

It's crazy to think that some dude is singlehandedly responsible for ultimately ending the telnet era in such a definitive way.

One for the history books.

What an amazing bug. I probably spent my first 10 years on the internet just using telnet. They were wild times. You could log ethernet traffic and see passwords. Towards the end of those we started to have a few more single-user machines, but the vast majority were old school many many user machines, where "root" was thought to be tightly restricted (of course, even then, in practice it wasn't if you were in the know).

Anyway, just wild seeing this:

> telnet -l 'root -f' server.test

or

> USER='-f root' telnet -a server.test

Survive 11 years.

It's hilarious, especially given that I have memories of similar rlogin vulnerabilities -- various unixes being vulnerable to rlogin -l '-froot' in the 90s.
Never used telnet to log in to something but it is a cool debugging tool, so used it for that. E.g. can this container even send traffic to that container at all.
When did we all stop using telnet? I can't even remember. Most of my first 10-15 years was using telnet. One day I used telnet to connect to a shell for the last time and didn't know it. I had a ton of servers all with root telnet access Internet facing. Never hacked once, somehow. Those were the days.
Who actually uses the tectia ssh client instead of openssh?
An RCE in GNU's telnetd has no relationship to the sunsetting of telnet. Something could equally likely happen with SSH (but not really because the OpenBSD folks are paranoid by nature).

Apple removing the telnet client from OS X was a stupid move. How can you call yourself UNIX and not have a telnet client? It's like removing grep or ed.

Between you and me telnet is not dead. Sometimes I use it to probe a port to verify it is working.
Am I the only one who feels like it isn't the responsibility of backbone ISPs to filter traffic like this? In the case of a DDoS situation I could get behind it, but in this case I feel as though it's not Cogent's problem if I want to use telnet from a device on Charter's network to a Vultr VPS, even if it may be ill-advised.

(Of course, the article only speculates that this traffic filtering is what's going on; there isn't any hard proof, but it feels plausible to me.)

So Telnet as a client is not dead though, right? A long time ago, I used to use the Telnet client to talk to SMTP servers (on port 25) and send spoofed emails to friends for fun.

With port blocking widening in scope, I’ve long believed that we would one day have every service and protocol listening on port 443. Since all other ports are being knocked off in the name of security, we’ll end up having one port that makes port based filtering useless.

I don’t remember how I did it but when I was about 12 years old I somehow managed to send SMS from Telnet to cell phones, and to the receiver they appeared to be sent by an official Telecom account - good that I was still an innocent child, had I discovered this a few years later I may have tried doing something nefarious with it.