import "hash"

rule bulwark_https_bulwarkblack_com_cve_2026_24061_11_year_old_gnu_telnetd_vulnerability_grants_insta
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:30:55Z"
        tlp = "TLP:CLEAR"
        indicator_count = "11"
    strings:
        $s0 = "codeberg.org" ascii wide nocase  // Domains
        $s1 = "lists.gnu.org" ascii wide nocase  // Domains
        $s2 = "www.cve.org" ascii wide nocase  // Domains
        $s3 = "www.cvedetails.com" ascii wide nocase  // Domains
        $s4 = "https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc" ascii wide nocase  // URLs
        $s5 = "https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b" ascii wide nocase  // URLs
        $s6 = "https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html" ascii wide nocase  // URLs
        $s7 = "https://www.cve.org/CVERecord?id=CVE-2026-24061" ascii wide nocase  // URLs
        $s8 = "https://www.cvedetails.com/cve/CVE-2026-24061/" ascii wide nocase  // URLs
    condition:
        any of ($s*) or
        hash.sha1(0, filesize) == "ccba9f748aa8d50a38d7748e2e60362edd6a32cc" or
        hash.sha1(0, filesize) == "fd702c02497b2f398e739e3119bed0b23dd7aa7b"
}
