Linux Has A New Problem…

Low Level
1 Jul 202511:46

Summary

TLDRIn this video, the speaker explores two Linux privilege escalation vulnerabilities (CVE 20256018 and CVE 6019.8) that allow attackers to gain root access without relying on memory corruption. These exploits manipulate the PAM (Pluggable Authentication Module) system and utilize set UID binaries on mounted file systems to escalate privileges. The video also introduces Flare, a cyber threat management tool. The speaker wraps up by discussing whether Rust could have prevented these vulnerabilities, concluding that they are more about system design and logic flaws rather than memory safety.

Takeaways

  • 😀 A vulnerability in OpenSUSE's PAM (Pluggable Authentication Modules) allows attackers to inject environment variables and escalate privileges.
  • 😀 CVE-2025-6018 involves manipulating PAM environment variables to falsely claim physical access to the machine, enabling certain privileges like rebooting the system.
  • 😀 The vulnerability leverages environment variables to mislead the PAM system into thinking the attacker has local access, bypassing restrictions.
  • 😀 Exploiting this vulnerability doesn't escalate the user directly to root, but it sets up the system for the next privilege escalation attack.
  • 😀 Flare, the sponsor of the video, offers a threat exposure management platform that helps individuals and companies stay ahead of cyber threats by monitoring hacker activities.
  • 😀 Set UID binaries, such as a root Bash binary, are integral to the second vulnerability. These binaries automatically gain the privileges of the user they are executed under.
  • 😀 CVE-2025-6019 takes advantage of a file system resizing issue to temporarily enable Set UID binaries, which can be used for privilege escalation.
  • 😀 The attacker uploads a malicious Set UID binary (Bash) to the target system and uses an XFS file system mount to exploit it for root privileges.
  • 😀 A key part of the attack is using a 'while loop' to prevent the XFS daemon from unmounting the filesystem, enabling the attacker to run the Set UID binary without interruption.
  • 😀 The script concludes by questioning whether Rust could have prevented these vulnerabilities. It is concluded that Rust's memory safety would not have resolved the timing and architectural issues involved in this attack.

Q & A

  • What is the core concept of the vulnerabilities discussed in the video?

    -The core concept revolves around exploiting two specific vulnerabilities in Linux systems that allow privilege escalation, using logic bugs instead of memory corruption. One vulnerability involves manipulating environment variables through the PAM (Pluggable Authentication Module) system, while the other exploits the handling of setuid binaries during filesystem resizing operations.

  • What does CVE-2025-6018 exploit in OpenSUSE?

    -CVE-2025-6018 exploits a flaw in OpenSUSE’s implementation of the PAM environment module. It involves an incorrect ordering of how the PAM environment file is read, allowing attackers to inject environment variables that manipulate the system’s authentication context and grant them elevated privileges.

  • How does the attacker use environment variables in CVE-2025-6018?

    -The attacker modifies environment variables to make the system believe they are physically sitting at the computer, thereby bypassing authentication checks that would normally prevent actions like rebooting the system.

  • What role do PAM environment variables play in this exploitation?

    -PAM environment variables are used to communicate authentication information between the system and various applications. By injecting specific variables, the attacker can manipulate the authentication process, making the system grant privileges as if the attacker were physically present.

  • What is the significance of the 'allow active' flag in the context of CVE-2025-6018?

    -The 'allow active' flag is used to indicate that a user is physically present at the machine, which is typically required for certain privileged operations. By modifying environment variables to set this flag, the attacker can bypass restrictions and execute actions like rebooting the system.

  • What does CVE-2025-6019 exploit, and how is it related to setuid binaries?

    -CVE-2025-6019 exploits a vulnerability in the way Linux handles setuid binaries, specifically during the process of resizing filesystems. Setuid binaries allow programs to run with elevated privileges, and this bug lets an attacker exploit a temporary filesystem mount to run a setuid binary with root privileges.

  • How does the attacker use a setuid binary in CVE-2025-6019?

    -The attacker creates or obtains a setuid binary (such as a bash binary running as root) and places it on the target system. They then use the filesystem resizing process to temporarily mount the binary with elevated privileges, allowing it to be executed with root access.

  • What is the purpose of the 'while loop' in the CVE-2025-6019 exploitation?

    -The while loop is used to prevent the filesystem from unmounting during the resizing operation. This ensures that the setuid binary remains accessible and executable for the attacker while the filesystem is temporarily mounted with elevated privileges.

  • What type of Linux distributions are affected by these vulnerabilities?

    -CVE-2025-6018 specifically affects OpenSUSE due to issues with its PAM implementation, while CVE-2025-6019 affects any Linux distribution that uses the libblockdev library, such as Ubuntu. It's important to patch these vulnerabilities to prevent exploitation.

  • Could Rust have prevented these vulnerabilities, according to the presenter?

    -No, Rust's memory safety features would not have prevented these types of vulnerabilities. The issues are more architectural and logic-based, rather than being related to memory corruption, so Rust's safeguards wouldn't have addressed them.

Outlines

plate

هذا القسم متوفر فقط للمشتركين. يرجى الترقية للوصول إلى هذه الميزة.

قم بالترقية الآن

Mindmap

plate

هذا القسم متوفر فقط للمشتركين. يرجى الترقية للوصول إلى هذه الميزة.

قم بالترقية الآن

Keywords

plate

هذا القسم متوفر فقط للمشتركين. يرجى الترقية للوصول إلى هذه الميزة.

قم بالترقية الآن

Highlights

plate

هذا القسم متوفر فقط للمشتركين. يرجى الترقية للوصول إلى هذه الميزة.

قم بالترقية الآن

Transcripts

plate

هذا القسم متوفر فقط للمشتركين. يرجى الترقية للوصول إلى هذه الميزة.

قم بالترقية الآن

تصفح المزيد من مقاطع الفيديو ذات الصلة

MAY 2025 #PATCHTUESDAY [PLEASE DON’T CLICK THAT. EXPERTS REVIEW NEW THREATS] E19

Programma CVE sull'orlo del baratro. Perché è un ENORME problema per la sicurezza informatica.

CVE Program Overview

What is CVE? | Common Vulnerabilities and Exposures

CompTIA Security+ SY0-701 Course - 4.3 Activities Associated With Vulnerability Management. - PART B

Simple Penetration Testing Tutorial for Beginners!

Rate This

5.0 / 5 (0 votes)

Summary
Outlines
Mindmap
Keywords
Highlights
Transcripts
الوسوم ذات الصلة
Linux SecurityPrivilege EscalationRoot AccessCVE ExploitsHacking DemoCybersecurityBug ChainPAM VulnerabilityXFS ExploitSetUID BinarySystem Vulnerabilities
هل تحتاج إلى تلخيص باللغة الإنجليزية؟