4w ago

New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions

thehackernews.com

Linux @sh.itjust.works

cm0002 @lemmy.world

4w ago

New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions

thehackernews.com /2025/06/new-linux-flaws-enable-full-root-access.html

25 comments

It's an LPE, and doesn't allow full root access to anyone who isn't already a user.
- Are you saying LPEs aren't a security hazard?
  
  Nope. Just pointing out an alarmist headline.
By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit's allow_active trust zone and emerge as root in seconds.
I recognize a few of those words.
- Basically it's two vulns chained; first one gives a remote user privileges that a physically present user would get, in order to do things like put a thumbdrive in and have it mount. Then that udisks privilege can be subverted to escalate that level to root. So as long as you can start a remote session, you can pull root and it doesn't even look that hard.
  
  So how would a bad actor start a remote session on my Linux pc?
  Edited to add, downvoted for trying to learn is a new one for me.
While this is a risk, it is only a real risk if the system is already exploited for regular user access. Or if there is an untrustworthy user of the system. So for most, it is not a major concern.
Is it new or is it newly discovered?
Since it is open source... I guess we can rule out an intentional back door.
- Since it is open source… I guess we can rule out an intentional back door.
  Well, once upon a time I would have agreed with you but the xz backdoor changed my mind on that.
  
  I dunno, I'd slow your roll on that. Hanlon's razor came to notoriety in the field of computer science for a reason. I've done software dev professionally for over ten years now and you wouldn't believe the stupid shit I've seen people write. The only thing that sucks more than a computer is the human writing software for it.
  For those unfamiliar, here's Hanlon's razor:
  Never attribute to malice that which is adequately explained by stupidity.
  EDIT: After a quick look at the CVEs, this definitely sounds like a big ol' fuckup. It sounds like there might be some unsafe defaults in polkit as well?
  EDIT: Here's the report from the actual researchers which is MUCH more cogent than OP's article: https://www.openwall.com/lists/oss-security/2025/06/17/4
  It's chaining two separate oopsies together. This overview on GitHub also provides more details about the libblockdev side of things: https://github.com/advisories/GHSA-mpgj-hch9-5rvx
  Specifically, this section:
  However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
  That really doesn't sound like something intentional to me. That sounds like a HUGE oopsy-woopsy fucky-wucky, to get technical about it.
- Newly discovered it appears.
Or ditch udisks in favour of pmount (or udevil?), which shouldn't be affected as far as I can tell. That will get you a few months' grace before a similar problem pops up there.
Can this be used to root Android phones?
If yes, it can be useful. If not, it's potentially problematic

25 comments