## https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F792A3
# Pardus Software Center: Local Privilege Escalation (CVE-2026-14459 & CVE-2026-14460)
Proof-of-concept and exploit-ready code for two local privilege escalation issues in the
`pardus-software` package (Pardus Software Center) version **1.0.4**, both fixed in **1.0.5**.
| CVE | Class | Summary | CVSS 3.1 (CERT-TR) |
|-----|-------|---------|--------------------|
| [CVE-2026-14459](https://nvd.nist.gov/vuln/detail/CVE-2026-14459) | CWE-88: Argument Injection | A `pardus-software` group member (no sudo, no password) injects APT options (`-o Dir::Bin::dpkg=…`) into the privileged helper and runs arbitrary code as **root**. | 8.8 HIGH |
| [CVE-2026-14460](https://nvd.nist.gov/vuln/detail/CVE-2026-14460) | CWE-862: Missing Authorization | The `autoaptupdateaction` PolicyKit action ships `allow_any=yes`, letting **any** local user run the update helper as root, unauthenticated (local DoS). | 8.8 HIGH |
**Affected:** `pardus-software` 1.0.4 · **Fixed:** `pardus-software` 1.0.5
**Vendor:** Pardus / TÜBİTAK BİLGEM · **Coordinated disclosure via the vendor and USOM (CERT-TR).**
---
## Legal / scope
This code is published for **defensive research, education, and verification of a patched,
publicly disclosed vulnerability**. Both issues are fixed in `pardus-software` 1.0.5.
Run it **only** on isolated, disposable virtual machines that you own or are explicitly
authorized to test. Do not run it against systems you do not control. You are responsible
for complying with all applicable laws. The author accepts no liability for misuse.
---
## Repository layout
```
pardus-software-lpe/
├── README.md
├── poc/
│   └── poc.sh                # original benign PoC (proof-only; both CVEs)
└── exploit/
    ├── exploit-14459.sh      # CVE-2026-14459 - interactive root shell
    └── exploit-14460.sh      # CVE-2026-14460 - unauth root apt-update (DoS)
```
### Which script proves which CVE?
A single `poc.sh` covers **both** findings via subcommands:
| Subcommand | Proves | Notes |
|------------|--------|-------|
| `poc.sh B` | CVE-2026-14459 | APT option injection (`-o Dir::Bin::dpkg`), the primary finding |
| `poc.sh A` | CVE-2026-14459 | Local unsigned `.deb` via the same trust path (secondary demonstration) |
| `poc.sh autoupdate` | CVE-2026-14460 | Unauthenticated root `apt update` |
The `poc/` version is **benign**: it only records `id` output to `/tmp/pardus_lpe_proof` and
drops a setuid-root `/tmp/rootbash` as proof. The `exploit/` versions are the weaponized,
"drop me a root shell" equivalents for demonstration on authorized targets.
`poc.sh` SHA256: `1d3f4c19affdb377ac5eee4c695619e9f6a4590350c3936678eb1db2cf601255`
---
## Setup (test victim)
The benign PoC includes a helper to create an unprivileged `victim` account in the
`pardus-software` group (no sudo), on a disposable Pardus 25 VM:
```bash
sudo ./poc/poc.sh setup-victim
sudo cp poc/poc.sh /home/victim/ && sudo chown victim /home/victim/poc.sh
```
---
## Running the benign PoC (proof-only)
```bash
# CVE-2026-14459 - option injection (primary)
sudo su - victim -c 'cd ~ && ./poc.sh B'
# if 'hello' is already installed/unavailable: ./poc.sh B sl
# CVE-2026-14459 - local unsigned .deb (secondary)
sudo su - victim -c 'cd ~ && ./poc.sh A'
# CVE-2026-14460 - unauthenticated root apt update (any user, no special group)
sudo useradd -m -s /bin/bash nobody2
sudo cp poc/poc.sh /home/nobody2/ && sudo chown nobody2 /home/nobody2/poc.sh
sudo su - nobody2 -c 'cd ~ && ./poc.sh autoupdate'
```
**Expected:** no password prompt; output shows `uid=0(root)`, `/tmp/pardus_lpe_proof` owned by
root, and `/tmp/rootbash` as `-rwsr-xr-x root root` (setuid root). For `B`, APT also prints its
own tell that the injected script ran in dpkg's place:
```
Warning: APT had planned for dpkg to do more than it reported back (0 vs 5).
Affected packages: hello:amd64
```
---
## Running the exploit-ready versions
Run these **as the target unprivileged user** (for 14459, a member of `pardus-software`).
```bash
# CVE-2026-14459 - interactive root shell
./exploit/exploit-14459.sh
# run a single command as root instead of a shell:
./exploit/exploit-14459.sh -c "id > /root/pwned"
# if 'hello' is installed/unavailable, pick an uninstalled package:
PKG=sl ./exploit/exploit-14459.sh
# CVE-2026-14460 - unauthenticated root apt-update (local DoS)
./exploit/exploit-14460.sh
# demonstrate the DoS surface with repeated invocations:
./exploit/exploit-14460.sh -n 20
```
On a patched host (`>= 1.0.5`) both scripts fail cleanly and say so.
---
## Root cause (brief)
**CVE-2026-14459.** `Actions.py`'s `install()` splits its `packages` argument on spaces and
appends the tokens straight onto the `apt` argument vector, with no name validation and no `--`
option terminator. Any token that looks like an APT option is honored, including
`-o Dir::Bin::dpkg=`, which swaps the package-manager backend for an attacker script
that then runs as root. The same pattern existed in `remove/upgrade/reinstall/downgrade`.
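
The argument-vector pattern described above, next to the validate-then-`--` shape that the Remediation section attributes to 1.0.5. This is an added example, not code from `pardus-software` or from this repository: the regex, the `apt install --yes` prefix, the function names and the placeholder option value are assumptions, and nothing is executed.

```python
import re

# Assumed allow-list built from Debian Policy's package-name rules plus optional
# ":arch" and "=version" suffixes. It is not the vendor's parse_packages() regex.
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.\-]+(:[a-z0-9\-]+)?(=[A-Za-z0-9.+~:\-]+)?")
APT_BASE = ["apt", "install", "--yes"]  # illustrative prefix; nothing is executed


def build_argv_vulnerable(packages):
    """Pattern the write-up describes for 1.0.4: split on spaces, append as-is."""
    return APT_BASE + packages.split(" ")


def build_argv_hardened(packages):
    """Validate every token, then pass them after the `--` option terminator."""
    tokens = packages.split()
    if not tokens:
        raise ValueError("no package names supplied")
    for tok in tokens:
        if not PKG_RE.fullmatch(tok):
            raise ValueError(f"rejected package token: {tok!r}")
    return APT_BASE + ["--"] + tokens


def caller_options(argv):
    """Caller-supplied tokens that land in option position (before any `--`)."""
    tail = argv[len(APT_BASE):]
    if "--" in tail:
        tail = tail[:tail.index("--")]
    return [t for t in tail if t.startswith("-")]


# Constructed input: the option name is the one on this page, the value is a placeholder.
INJECTED = "hello -o Dir::Bin::dpkg=/PLACEHOLDER"

if __name__ == "__main__":
    print("1.0.4-style argv:", build_argv_vulnerable(INJECTED))
    print("  option position:", caller_options(build_argv_vulnerable(INJECTED)))
    for sample in ("hello", "hello:amd64 sl", INJECTED):
        try:
            print("hardened argv:  ", build_argv_hardened(sample))
        except ValueError as exc:
            print("hardened: refused,", exc)
```
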
**CVE-2026-14460.** The `autoaptupdateaction` PolicyKit action was declared with
`allow_any=yes`, authorizing any subject with no authentication. Any local user could invoke
`AutoAptUpdate.py` as root, which is a local DoS surface.
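
A small audit for the `allow_any=yes` declaration described above, usable to confirm a host carries the `auth_admin` value instead. This is an added example, not code from `pardus-software` or from this repository: the sample policy is constructed, and its action ids and exec paths are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit .policy format. Action ids and exec paths are
# placeholders; only the allow_any values (yes vs auth_admin) come from the page.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.placeholder.autoaptupdateaction">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/PLACEHOLDER/AutoAptUpdate.py</annotate>
  </action>
  <action id="org.example.placeholder.fixedaction">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/PLACEHOLDER/helper.py</annotate>
  </action>
</policyconfig>"""
EXEC_KEY = "org.freedesktop.policykit.exec.path"


def audit_policy(xml_text):
    """Return (action_id, exec_path, scopes) for actions granted without authentication."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        # A bare "yes" in these scopes authorizes subjects outside an active local session.
        scopes = [s for s in ("allow_any", "allow_inactive")
                  if (defaults.findtext(s) or "").strip() == "yes"]
        if scopes:
            exec_path = next((a.text for a in action.iter("annotate")
                              if a.get("key") == EXEC_KEY), None)
            findings.append((action.get("id"), exec_path, scopes))
    return findings


if __name__ == "__main__":
    for action_id, exec_path, scopes in audit_policy(SAMPLE_POLICY):
        print(f"{action_id}: {'/'.join(scopes)}=yes -> {exec_path} runs without authentication")
```

On a real host, pass it the contents of each `.policy` file under `/usr/share/polkit-1/actions/`; an empty result for the Pardus policy file is what a patched install should give.
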
Full technical write-ups (EN + TR):
- [CVE-2026-14460: missing authorization, any local user can run apt update as root](https://medium.com/@dasokkk/missing-authorization-in-pardus-software-center-any-local-user-can-run-apt-update-as-root-de4756d4c1a1)
- [CVE-2026-14459: local privilege escalation via APT option injection](https://medium.com/@dasokkk/local-privilege-escalation-in-pardus-software-center-via-apt-option-injection-cve-2026-14459-569ad65a2250)
---
## Remediation
Fixed in `pardus-software` 1.0.5:
- [`a6ff277`](https://github.com/pardus/pardus-software/commit/a6ff27778bd8d2a200692e36dc1cdaa22cc0c51e): package-name validation (`parse_packages()` regex + `--` separator) for the apt actions (CVE-2026-14459).
- [`70210af`](https://github.com/pardus/pardus-software/commit/70210afff52b1b4ab72daf38af29cb078539216f): `allow_any: yes → auth_admin` for `autoaptupdateaction` (CVE-2026-14460).
- [1.0.4 → 1.0.5 comparison](https://github.com/pardus/pardus-software/compare/debian/1.0.4...debian/1.0.5)
**If you run Pardus, upgrade to `pardus-software` 1.0.5 or later.**
---
## References
- NVD: [CVE-2026-14459](https://nvd.nist.gov/vuln/detail/CVE-2026-14459) · [CVE-2026-14460](https://nvd.nist.gov/vuln/detail/CVE-2026-14460)
- USOM (CERT-TR) advisory: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0497
- Vendor fixes: [`a6ff277`](https://github.com/pardus/pardus-software/commit/a6ff27778bd8d2a200692e36dc1cdaa22cc0c51e) · [`70210af`](https://github.com/pardus/pardus-software/commit/70210afff52b1b4ab72daf38af29cb078539216f)
for authorized testing only
---
*Research and coordinated disclosure by Kerem Kaan Daşmaz.*