## https://sploitus.com/exploit?id=4C9215D8-2012-57BD-8755-A97A41BA7038
# 🔒 CVE-2025-6018: Linux PAM to Root Privilege Escalation 🔒

---

### ๐Ÿ” Overview

* **CVE-2025-6018** is a **local privilege escalation (LPE)** vulnerability affecting **openSUSE Leap 15**, **SUSE Linux Enterprise 15**, and potentially other Linux distributions with misconfigured **PAM** (Pluggable Authentication Modules).
* It allows a local user (e.g., via SSH) to **impersonate a physically present/console user** by spoofing environment variables. This grants **`allow_active` privileges** via **Polkit**, which are normally reserved for GUI or logged-in physical users.

---

### 🧠 Technical Details

1. **PAM module `pam_env.so`** reads a user-controlled file: `~/.pam_environment`.
2. If this module is placed **before** `pam_systemd.so` in the PAM stack (e.g., `/etc/pam.d/sshd`), then a user can inject environment variables **before** the system determines the session type.
3. By injecting:

   * `XDG_SEAT=seat0`
   * `XDG_VTNR=1`

   the user tricks the system into thinking they are an active desktop session user.
4. As a result, **Polkit** treats the user as a **"local active user"** and grants elevated permissions via `allow_active=yes`.

---

### 🔗 Combined Exploit Chain with CVE-2025-6019

When combined with **CVE-2025-6019** (a separate LPE in **udisks2/libblockdev**), an attacker can escalate to **full root access**:

* Using `allow_active`, the attacker mounts a malicious disk image.
* Due to insecure mount options, they can execute a **SUID binary** or similar payload.
* This results in full root shell access.

---

### โš ๏ธ Impact

* **Attack requires local access** (e.g., a valid user account).
* No special privileges are required, just the ability to SSH or log in.
* Once exploited, the attacker can:

  * Mount drives,
  * Install rootkits,
  * Disable system defenses,
  * Move laterally within a network.

---

### 🧮 CVSS Scores

| Source  | CVSS v3.1 Score | Vector                                      |
| ------- | --------------- | ------------------------------------------- |
| Red Hat | 7.8 (High)      | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H         |
| SUSE    | 8.4 - 8.6       | Depending on PAM config and assumptions     |

---

### ๐Ÿ› ๏ธ Mitigation

1. **Update your system**:

   * SUSE and others have released patches.
   * Update `pam`, `pam-config`, `udisks2`, and `libblockdev`.

2. **PAM configuration fix**:

   * Move `pam_env.so` **after** `pam_systemd.so` in `/etc/pam.d/sshd` and similar files.
   * Or **disable** `user_readenv=1` to prevent reading user environment files.

3. **Polkit policy hardening**:

   * Change default `allow_active` actions (like disk mounting) to require `auth_admin`.
   * Modify `/etc/polkit-1/rules.d/` as needed.

4. **Detection**:

   * Monitor logs for:

     * Unusual Polkit permission requests.
     * Mount operations from non-admin users.
     * `XDG_SEAT` or `XDG_VTNR` environment variables in SSH sessions.
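An added example (not from the original advisory) that audits a PAM service file for the ordering problem addressed in mitigation 2: it parses the stack and flags any `pam_env.so` entry that runs before `pam_systemd.so` with `user_readenv=1` set (or with `user_readenv` unset, where the pam version's default applies). The two sample stacks are constructed; run `audit_pam_env_order(open("/etc/pam.d/sshd").read())` against a real file.

```python
import re
from typing import List, Tuple
# Constructed vulnerable sshd stack (not copied from any distribution): pam_env.so with
# user_readenv=1 runs before pam_systemd.so, so ~/.pam_environment can set XDG_SEAT/XDG_VTNR.
VULNERABLE_SSHD = """\
session  required pam_loginuid.so
session  optional pam_env.so user_readenv=1
session  optional pam_systemd.so
"""
# Constructed hardened variant: pam_systemd.so first, user_readenv off.
HARDENED_SSHD = """\
session  required pam_loginuid.so
session  [success=1 default=ignore] pam_systemd.so
session  optional pam_env.so user_readenv=0
"""
# phase, control (word or [bracketed] expression), module path, remaining arguments
_LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (phase, module, args) per active line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE_RE.match(line) if line else None
        if m:
            entries.append((m.group(1).lstrip("-").lower(), m.group(3), m.group(4).split()))
    return entries

def audit_pam_env_order(text: str) -> List[str]:
    """Flag pam_env.so entries that run before pam_systemd.so and may read ~/.pam_environment."""
    # Only this file is inspected: include/substack lines are not followed, audit those files too.
    findings: List[str] = []
    systemd_seen = False
    for idx, (phase, module, args) in enumerate(parse_pam_stack(text), 1):
        if phase == "session" and module.endswith("pam_systemd.so"):
            systemd_seen = True
            continue
        if not module.endswith("pam_env.so"):
            continue
        # auth/account phases always precede session; within session, file order decides
        runs_first = phase in ("auth", "account") or (phase == "session" and not systemd_seen)
        if not runs_first:
            continue
        if "user_readenv=1" in args:
            findings.append(f"entry {idx} ({phase}): pam_env.so user_readenv=1 before pam_systemd.so")
        elif not any(a.startswith("user_readenv=") for a in args):
            findings.append(f"entry {idx} ({phase}): pam_env.so before pam_systemd.so, "
                            "user_readenv unset; check your pam version's default")
    return findings
```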

---

### 📌 Summary

| Item             | Description                                                  |
| ---------------- | ------------------------------------------------------------ |
| CVE              | CVE-2025-6018                                                |
| Type             | Local Privilege Escalation (via PAM & Polkit)                |
| Affected Systems | openSUSE Leap 15, SUSE Linux Enterprise 15 (and others)      |
| Combined with    | CVE-2025-6019 (udisks2/libblockdev bug → full root)          |
| Privilege Gained | `allow_active` → can become root via chained vulnerabilities |
| Fix              | Patch PAM, review pam_env order, update Polkit rules         |
| Risk             | High: attacker can fully compromise the system locally       |

---

### 🛑 Disclaimer !!!

This information is provided for **educational and defensive security purposes only**.
Any attempt to exploit vulnerabilities without **explicit authorization** is **illegal** and may result in **criminal charges**.
Always test in **controlled, legal environments** such as labs or CTF platforms.
Use responsibly.