# 🔒 CVE-2025-6018: Linux PAM to Root Privilege Escalation 🔒
---
### 🔍 Overview
* **CVE-2025-6018** is a **local privilege escalation (LPE)** vulnerability affecting **openSUSE Leap 15**, **SUSE Linux Enterprise 15**, and potentially other Linux distributions with misconfigured **PAM** (Pluggable Authentication Modules).
* It allows a local user (e.g., via SSH) to **impersonate a physically present/console user** by spoofing environment variables. This grants **`allow_active` privileges** via **Polkit**, which are normally reserved for GUI or logged-in physical users.
---
### 🧠 Technical Details
1. **PAM module `pam_env.so`** reads a user-controlled file: `~/.pam_environment`.
2. If this module is placed **before** `pam_systemd.so` in the PAM stack (e.g., `/etc/pam.d/sshd`), then a user can inject environment variables **before** the system determines the session type.
3. By injecting the following variables, the user tricks the system into thinking they are an active desktop session user:
   * `XDG_SEAT=seat0`
   * `XDG_VTNR=1`
4. As a result, **Polkit** treats the user as a **"local active user"** and grants elevated permissions via `allow_active=yes`.
---
### 🔗 Combined Exploit Chain with CVE-2025-6019
When combined with **CVE-2025-6019** (a separate LPE in **udisks2/libblockdev**), an attacker can escalate to **full root access**:
* Using `allow_active`, the attacker mounts a malicious disk image.
* Due to insecure mount options, they can execute a **SUID binary** or similar payload.
* This results in full root shell access.
---
### ⚠️ Impact
* **Attack requires local access** (e.g., a valid user account).
* No special privileges are required—just the ability to SSH or log in.
* Once exploited, the attacker can:
  * Mount drives,
  * Install rootkits,
  * Disable system defenses,
  * Move laterally within a network.
---
### 🧮 CVSS Scores
| Source | CVSS v3.1 Score | Vector |
| ------- | --------------- | ------------------------------------------- |
| Red Hat | 7.8 (High) | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SUSE | 8.4 - 8.6 | Depending on PAM config and assumptions |
---
### 🛠️ Mitigation
1. **Update your system**:
   * SUSE and others have released patches.
   * Update `pam`, `pam-config`, `udisks2`, and `libblockdev`.
2. **PAM configuration fix**:
   * Move `pam_env.so` **after** `pam_systemd.so` in `/etc/pam.d/sshd` and similar files.
   * Or **disable** `user_readenv=1` to prevent reading user environment files.
3. **Polkit policy hardening**:
   * Change default `allow_active` actions (like disk mounting) to require `auth_admin`.
   * Modify `/etc/polkit-1/rules.d/` as needed.
4. **Detection**:
   * Monitor logs for:
     * Unusual Polkit permission requests.
     * Mount operations from non-admin users.
     * `XDG_SEAT` or `XDG_VTNR` environment variables in SSH sessions.
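As an added example (hypothetical audit code, not part of this README or the PoC repository), the following script applies the ordering check from mitigation step 2: it parses a PAM service file and flags `pam_env.so` entries that run before `pam_systemd.so`, sorting by PAM phase so an `auth`-phase `pam_env.so` is caught even when it appears later in the file. The sample stacks are constructed, not copied from any distribution.

```python
# Hypothetical audit helper for CVE-2025-6018 (not from the PoC repo): flag pam_env.so
# entries that run before pam_systemd.so, the ordering needed to inject XDG_SEAT/XDG_VTNR.
import re
from typing import List, Tuple

# "type control module args"; control may be a bracketed action list containing spaces
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Order in which PAM runs the phases during a login (password is only used on change)
_PHASE = {"auth": 0, "account": 1, "password": 2, "session": 3}

def parse_pam_stack(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse a /etc/pam.d/<service> file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # included files are not resolved by this stand-alone check
        m = _PAM_LINE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            # a leading '-' marks a module whose absence should be ignored
            entries.append((mtype.lstrip("-").lower(), control, module.rsplit("/", 1)[-1], args.split()))
    return entries

def audit_pam_env_order(text: str) -> List[str]:
    """Return findings in execution order; an empty list means the risky ordering was not seen."""
    findings = []
    systemd_seen = False
    ordered = sorted(parse_pam_stack(text), key=lambda e: _PHASE.get(e[0], 9))  # stable sort
    for mtype, _control, module, args in ordered:
        if module == "pam_systemd.so":
            systemd_seen = True
        elif module == "pam_env.so" and not systemd_seen:
            if "user_readenv=1" in args:
                findings.append(f"{mtype}: pam_env.so with user_readenv=1 precedes pam_systemd.so")
            else:
                findings.append(f"{mtype}: pam_env.so precedes pam_systemd.so; confirm user_readenv is off")
    return findings

# Constructed sample stacks, not copied from any distribution's sshd file
VULNERABLE_SSHD = """\
auth     required  pam_env.so user_readenv=1
auth     required  pam_unix.so
session  optional  pam_systemd.so
"""
FIXED_SSHD = """\
auth     required  pam_unix.so
session  optional  pam_systemd.so
session  required  pam_env.so
"""
```

Run `audit_pam_env_order` over each file under `/etc/pam.d/` to review a host; a non-empty result means the stack should be reordered or `user_readenv` disabled.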
---
### 📌 Summary
| Item | Description |
| ---------------- | ------------------------------------------------------------ |
| CVE | CVE-2025-6018 |
| Type | Local Privilege Escalation (via PAM & Polkit) |
| Affected Systems | openSUSE Leap 15, SUSE Linux Enterprise 15 (and others) |
| Combined with | CVE-2025-6019 (udisks2/libblockdev bug → full root) |
| Privilege Gained | `allow_active` → can become root via chained vulnerabilities |
| Fix | Patch PAM, review `pam_env` order, update Polkit rules |
| Risk | High – attacker can fully compromise the system locally |
---
### 🛑 Disclaimer !!!
This information is provided for **educational and defensive security purposes only**.
Any attempt to exploit vulnerabilities without **explicit authorization** is **illegal** and may result in **criminal charges**.
Always test in **controlled, legal environments** such as labs or CTF platforms.
Use responsibly.
File snapshot

```
[4.0K] /data/pocs/2995a61cec6c2442f99dd20f6fceb760d8cd289f
├── [ 11K] CVE-2025-6018.py
└── [4.0K] README.md
0 directories, 2 files
```