“The telnet daemon from the Linux netkit supports a command line
option -L that lets the administrator specify a login program other
than /bin/login.”
“An unintended interaction with some other piece of code in
telnetd has the effect that the memory location holding the name is
overwritten with information obtained from the client host.”
“This bug can be abused by an attacker to bypass
authentication completely.”
Related Story:
Red Hat Security
Advisory: Denial of service attack in in.telnetd (Aug 22,
1999)