Linux PAM Privilege Escalation Vulnerability

Vulnerability information

Vulnerability name: Linux PAM privilege escalation vulnerability

Vulnerability identifier:

  • CVE: CVE-2025-6018

Vulnerability type: Privilege escalation

Severity: High

Description: CVE-2025-6018 is a local privilege escalation (LPE) vulnerability in Linux systems, primarily openSUSE Leap 15 and SUSE Linux Enterprise 15. It stems from a misconfigured PAM (Pluggable Authentication Modules) stack that lets a local user who logs in remotely, for example over SSH, impersonate a physically present console user: by forging environment variables the user obtains allow_active status and Polkit then grants permissions normally reserved for GUI sessions or users logged in at the physical console.

Technically, the PAM module pam_env.so reads the user-controlled file ~/.pam_environment. If that module runs before pam_systemd.so in the PAM stack (for example in /etc/pam.d/sshd), the user can inject environment variables before the system determines the session type. By injecting XDG_SEAT=seat0 and XDG_VTNR=1, the user makes the session look like an active desktop session on the local seat. Polkit therefore treats the user as a "local active user" and grants the elevated permissions that allow_active=yes confers.

Impact: the attacker needs local access (for example a valid user account) but no special privileges; being able to log in, for example over SSH, is enough. Once exploited, the attacker can mount drives, install rootkits, disable system defenses and move laterally within the network. Chained with CVE-2025-6019 (a separate LPE in udisks2/libblockdev), the attacker can escalate to full root access.

Mitigations include updating the system (SUSE and others have released patches), fixing the PAM configuration (moving pam_env.so after pam_systemd.so, or disabling user_readenv=1), hardening Polkit policy (changing default allow_active actions to require auth_admin) and monitoring logs for anomalies. The risk is rated high: a successful attacker can fully compromise the system locally.

Vendor: Linux

Product: PAM (Pluggable Authentication Modules)

Affected versions: openSUSE Leap 15, SUSE Linux Enterprise 15

Source: https://github.com/B1ack4sh/Blackash-CVE-2025-6018

Type: CVE-2025: github search

Repository files

  • CVE-2025-6018.py
  • README.md

Source overview

🔒 CVE-2025-6018: Linux PAM to Root Privilege Escalation 🔒


🔍 Overview

  • CVE-2025-6018 is a local privilege escalation (LPE) vulnerability affecting openSUSE Leap 15, SUSE Linux Enterprise 15, and potentially other Linux distributions with misconfigured PAM (Pluggable Authentication Modules).
  • It allows a local user (e.g., via SSH) to impersonate a physically present/console user by spoofing environment variables. This grants allow_active privileges via Polkit, which are normally reserved for GUI or logged-in physical users.

🧠 Technical Details

  1. PAM module pam_env.so reads a user-controlled file: ~/.pam_environment.

  2. If this module is placed before pam_systemd.so in the PAM stack (e.g., /etc/pam.d/sshd), then a user can inject environment variables before the system determines the session type.

  3. By injecting:

    • XDG_SEAT=seat0
    • XDG_VTNR=1

     the user tricks the system into thinking they are an active desktop session user.

  4. As a result, Polkit treats the user as a “local active user” and grants elevated permissions via allow_active=yes.
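The ordering described in steps 1 to 4 can be checked mechanically. The following shell script is an added example, not code from the repository or from SUSE: it flattens one level of PAM include/substack directives and reports whether a pam_env.so line with user_readenv=1 runs ahead of pam_systemd.so. The sshd and common-* files it writes are constructed for the demo, not copied from any distribution.

```shell
#!/bin/sh
# Added example (not from the CVE-2025-6018 repository): audit a PAM service file
# for pam_env.so (user_readenv=1) running before pam_systemd.so.

# flatten_pam DIR FILE: print DIR/FILE with "include"/"substack" lines replaced by
# the lines of the same management type from the referenced file (one level deep).
flatten_pam() {
    awk -v dir="$1" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $2 == "include" || $2 == "substack" {
            inc = dir "/" $3
            while ((getline line < inc) > 0) {
                n = split(line, f)
                if (n >= 3 && f[1] == $1) print line   # same type only
            }
            close(inc)
            next
        }
        { print }
    ' "$1/$2"
}

# check_pam_order DIR FILE: exit 0 when safe, 1 when pam_env.so with user_readenv=1
# precedes pam_systemd.so. Whole-line matching copes with bracketed control fields
# such as "[success=1 default=ignore]", which break field-based parsing.
check_pam_order() {
    flatten_pam "$1" "$2" | awk '
        /pam_systemd\.so/ { seen_systemd = 1 }
        /pam_env\.so/ && /user_readenv=1/ && !seen_systemd { env_first = 1 }
        END {
            if (env_first) {
                print "VULNERABLE: pam_env.so reads ~/.pam_environment before pam_systemd.so"
                exit 1
            }
            print "OK: pam_systemd.so runs before any user-readable pam_env.so"
        }
    '
}

# write_stack DIR {vulnerable|fixed}: constructed sshd + common-* files (demo only).
write_stack() {
    dir=$1
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth     requisite  pam_nologin.so' \
        'auth     include    common-auth' \
        'account  include    common-account' \
        'session  required   pam_loginuid.so' \
        'session  include    common-session' > "$dir/sshd"
    printf '%s\n' 'auth required pam_unix.so try_first_pass' > "$dir/common-auth"
    printf '%s\n' 'account required pam_unix.so' > "$dir/common-account"
    if [ "$2" = vulnerable ]; then
        # pam_env runs first, so XDG_SEAT/XDG_VTNR from ~/.pam_environment are already
        # in the PAM environment when pam_systemd registers the session.
        printf '%s\n' \
            'session required pam_limits.so' \
            'session required pam_env.so user_readenv=1' \
            'session optional pam_systemd.so' \
            'session required pam_unix.so' > "$dir/common-session"
    else
        # Fixed: pam_systemd first, and user_readenv dropped from pam_env.
        printf '%s\n' \
            'session required pam_limits.so' \
            'session optional pam_systemd.so' \
            'session required pam_env.so' \
            'session required pam_unix.so' > "$dir/common-session"
    fi
}

# make_stack {vulnerable|fixed}: create a temp dir holding that stack, print its path.
make_stack() {
    d=$(mktemp -d)
    write_stack "$d" "$1"
    printf '%s\n' "$d"
}

# Demo: audit both constructed stacks.
for kind in vulnerable fixed; do
    d=$(make_stack "$kind")
    printf '%s stack: ' "$kind"
    check_pam_order "$d" sshd || :
    rm -rf "$d"
done
```

On a real host run `check_pam_order /etc/pam.d sshd` (and the same for login, gdm and any other service that registers sessions). Include directives are resolved only one level deep, so nested includes must be followed by hand, and a pam_env.so line without an explicit user_readenv option should be checked against the default documented in pam_env(8) for the installed PAM version.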


🔗 Combined Exploit Chain with CVE-2025-6019

When combined with CVE-2025-6019 (a separate LPE in udisks2/libblockdev), an attacker can escalate to full root access:

  • Using allow_active, the attacker mounts a malicious disk image.
  • Due to insecure mount options, they can execute a SUID binary or similar payload.
  • This results in full root shell access.

⚠️ Impact

  • Attack requires local access (e.g., a valid user account).

  • No special privileges are required—just the ability to SSH or log in.

  • Once exploited, attacker can:

    • Mount drives,
    • Install rootkits,
    • Disable system defenses,
    • Move laterally within a network.

🧮 CVSS Scores

Source     CVSS v3.1 score   Vector
Red Hat    7.8 (High)        AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE       8.4 - 8.6         Depending on PAM config and assumptions

🛠️ Mitigation

  1. Update your system:

    • SUSE and others have released patches.
    • Update pam, pam-config, udisks2, and libblockdev.
  2. PAM configuration fix:

    • Move pam_env.so after pam_systemd.so in /etc/pam.d/sshd and similar files.
    • Or remove user_readenv=1 from the pam_env.so line so that ~/.pam_environment is not read at all.
  3. Polkit policy hardening:

    • Change default allow_active actions (like disk mounting) to require auth_admin.
    • Modify /etc/polkit-1/rules.d/ as needed.
  4. Detection:

    • Monitor logs for:

      • Unusual Polkit permission requests.
      • Mount operations from non-admin users.
      • XDG_SEAT or XDG_VTNR environment variables in SSH sessions.
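The Polkit hardening in item 3 and the indicators in item 4, as an added example that is not code from the repository: the rules file name 50-udisks2-auth-admin.rules, the admin group wheel and the fixture files are assumptions made for this demo, and the checks take file paths so they run offline against constructed samples.

```shell
#!/bin/sh
# Added example (not from the CVE-2025-6018 repository): Polkit hardening plus
# two detection checks for spoofed console-seat variables.

# write_polkit_rule DIR: write a rules file that makes every udisks2 action ask for
# administrator authentication regardless of allow_active, except for members of
# the assumed admin group "wheel". On a live host DIR is /etc/polkit-1/rules.d.
write_polkit_rule() {
    cat > "$1/50-udisks2-auth-admin.rules" <<'EOF'
// Added hardening rule (assumed file name): a session that merely looks active
// on seat0 must not get udisks2 actions on allow_active alone.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") === 0 &&
        !subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF
}

# check_pam_environment FILE: exit 1 and print the offending lines when a user's
# ~/.pam_environment sets XDG_SEAT or XDG_VTNR, in either syntax pam_env accepts
# ("VAR DEFAULT=... OVERRIDE=..." or "VAR=value").
check_pam_environment() {
    hits=$(grep -E '^[[:blank:]]*(XDG_SEAT|XDG_VTNR)([[:blank:]=]|$)' "$1" 2>/dev/null || :)
    if [ -z "$hits" ]; then return 0; fi
    printf 'suspicious entries in %s:\n%s\n' "$1" "$hits"
    return 1
}

# check_environ FILE: FILE is a NUL-separated environment block such as
# /proc/PID/environ. Exit 1 when an SSH session (SSH_CONNECTION present) also
# carries XDG_SEAT or XDG_VTNR, which sshd itself never sets for a remote login.
check_environ() {
    vars=$(tr '\0' '\n' < "$1")
    printf '%s\n' "$vars" | grep -q '^SSH_CONNECTION=' || return 0
    seat=$(printf '%s\n' "$vars" | grep -E '^XDG_(SEAT|VTNR)=' || :)
    if [ -z "$seat" ]; then return 0; fi
    printf 'SSH session in %s claims a console seat:\n%s\n' "$1" "$seat"
    return 1
}

# make_samples: constructed fixtures (not captured from a real host); prints the dir.
make_samples() {
    d=$(mktemp -d)
    printf 'EDITOR DEFAULT=vim\nLANG=en_US.UTF-8\n' > "$d/benign.pam_environment"
    printf 'XDG_SEAT DEFAULT=seat0\nXDG_VTNR=1\n' > "$d/spoof.pam_environment"
    printf '%s\n' USER=alice 'SSH_CONNECTION=10.0.0.5 51234 10.0.0.1 22' TERM=xterm \
        | tr '\n' '\0' > "$d/ssh_benign.environ"
    printf '%s\n' USER=alice 'SSH_CONNECTION=10.0.0.5 51234 10.0.0.1 22' \
        XDG_SEAT=seat0 XDG_VTNR=1 | tr '\n' '\0' > "$d/ssh_spoof.environ"
    printf '%s\n' USER=bob XDG_SEAT=seat0 XDG_VTNR=2 DISPLAY=:0 \
        | tr '\n' '\0' > "$d/console.environ"
    printf '%s\n' "$d"
}

# Demo run over the constructed fixtures.
d=$(make_samples)
write_polkit_rule "$d"
for f in "$d"/*.pam_environment; do check_pam_environment "$f" || :; done
for f in "$d"/*.environ; do check_environ "$f" || :; done
rm -rf "$d"
```

Installing the rule means every non-wheel user, desktop users included, is asked for an administrator password before udisks2 will mount or set up anything; change the group to match your administrators. On a live host iterate the two checks over /home/*/.pam_environment and /proc/*/environ, and treat a hit on an SSH session as a reason to inspect that user's login history.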

📌 Summary

Item               Description
CVE                CVE-2025-6018
Type               Local Privilege Escalation (via PAM & Polkit)
Affected Systems   openSUSE Leap 15, SUSE Linux Enterprise 15 (and others)
Combined with      CVE-2025-6019 (udisks2/libblockdev bug → full root)
Privilege Gained   allow_active → can become root via chained vulnerabilities
Fix                Patch PAM, review pam_env order, update Polkit rules
Risk               High – attacker can fully compromise the system locally

🛑 Disclaimer !!!

This information is provided for educational and defensive security purposes only.
Any attempt to exploit vulnerabilities without explicit authorization is illegal and may result in criminal charges.
Always test in controlled, legal environments such as labs or CTF platforms.
Use responsibly.


http://example.com/2025/07/30/github_1768845589/
Author: lianccc
Published: July 30, 2025