Associated vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program used on Unix-like systems that allows users to execute commands with elevated privileges in a controlled way. Sudo versions prior to 1.9.17p1 contain a security vulnerability: the use of /etc/nsswitch.conf from a user-controlled directory may lead to obtaining root access.
Description
CVE-2025-32463 Proof of concept
Introduction
# CVE-2025-32463 – Sudo chroot Privilege Escalation (PoC)
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-32463, a local privilege escalation vulnerability in `sudo` versions 1.9.14 through 1.9.17. The vulnerability allows a local unprivileged user to escalate privileges to `root` by abusing the `--chroot` (`-R`) feature in `sudo`, even when no specific `sudo` rules are defined for that user.
## Vulnerability Overview
CVE-2025-32463 arises from unsafe behavior in `sudo` when performing `chroot()` combined with Name Service Switch (NSS) lookups during command matching. When `sudo` chroots into a directory that is writable and controlled by an unprivileged user, it will resolve user information using the NSS configuration inside the chroot. This leads to arbitrary shared object loading with root privileges.
By planting a malicious shared object (e.g., `libnss_/malicious.so.2`) in the fake chroot environment, an attacker can trigger its execution with `sudo`, resulting in privilege escalation.
This issue was introduced in `sudo` version 1.9.14 and is patched in version 1.9.17p1, where the chroot feature was deprecated.
## Affected Versions
- Vulnerable: `sudo` 1.9.14 to 1.9.17
- Patched: `sudo` 1.9.17p1 and later
- Not affected: Legacy versions prior to `1.9.14` (chroot feature did not exist)
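The version range above is what a defender most needs to check quickly. The following POSIX shell snippet is an added example, not part of this repository's PoC: it classifies a `sudo` version string (as printed on the first line of `sudo --version`, e.g. `Sudo version 1.9.16p2`) as unaffected, vulnerable or patched, treating `1.9.17` without a patch level as vulnerable and `1.9.17p1` or later as patched. The function names `sudo_version_status` and `installed_sudo_status` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PoC repository): classify a sudo version
# string against the affected range stated in the README:
#   unaffected : anything before 1.9.14 (chroot support did not exist)
#   vulnerable : 1.9.14 up to and including 1.9.17 (below 1.9.17p1)
#   patched    : 1.9.17p1 and later
# Version strings look like "1.9.16p2" or "1.9.17" and are parsed with
# POSIX parameter expansion only (no external tools needed).

# sudo_version_status VERSION -> prints "unaffected", "vulnerable" or "patched"
sudo_version_status() {
    v=$1
    base=${v%%p*}          # "MAJOR.MINOR.PATCH" part
    level=0                # "pN" patch level, 0 when absent
    case $v in
        *p*) level=${v##*p} ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Collapse to one comparable integer (assumes patch and level < 100,
    # which holds for every sudo release so far).
    num=$(( major * 1000000 + minor * 10000 + patch * 100 + level ))
    lo=$(( 1 * 1000000 + 9 * 10000 + 14 * 100 ))       # 1.9.14
    fix=$(( 1 * 1000000 + 9 * 10000 + 17 * 100 + 1 ))  # 1.9.17p1
    if [ "$num" -lt "$lo" ]; then
        echo unaffected
    elif [ "$num" -lt "$fix" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# installed_sudo_status -> status of the sudo binary on this host, if any
installed_sudo_status() {
    command -v sudo >/dev/null 2>&1 || { echo sudo-not-installed; return 0; }
    ver=$(sudo --version 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    sudo_version_status "$ver"
}

installed_sudo_status
```

A result of `vulnerable` only means the version is in range; whether the `-R`/`--chroot` path is reachable for a given user still depends on the local `sudoers` policy.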
## PoC File Description
This repository includes a single file:
- `CVE-2025-32463-POC.sh`
A self-contained bash script that demonstrates the exploit.
It creates a fake chroot environment, builds a malicious NSS module, and uses `sudo -R` to trigger the vulnerability.
## Requirements
- A Linux system with `sudo` version between 1.9.14 and 1.9.17
- `gcc` and basic build tools installed
## Vulnerability Discovery Credit
CVE-2025-32463 was discovered by Rich Mirch of the Stratascale Cyber Research Unit (CRU).
The Stratascale CRU team conducted detailed analysis of the `sudo` `chroot` implementation and identified the vulnerability as part of ongoing research into privileged Linux utilities. Their work included discovery, exploitation, responsible disclosure to the `sudo` maintainer, and coordination with MITRE for CVE assignment.
Special thanks to Todd Miller, the maintainer of `sudo`, for working with the researchers to triage and patch the vulnerability in version 1.9.17p1.
For the full technical breakdown of the vulnerability, see the original disclosure:
- https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
## Disclaimer
This project is provided for **educational and research purposes only**.
By using any part of this repository, you agree that:
- You will not use this code or technique to gain unauthorized access to systems you do not own or have explicit permission to test.
- The author of this repository (K1tt3h) assumes **no responsibility or liability** for any misuse, damage, or consequences caused by this PoC or related material.
Use this code at your own risk.
File snapshot
[4.0K] /data/pocs/5dc9a41aa019b2bd8d67773a5140e715c0a590e1
├── [ 466] CVE-2025-32463-POC.sh
├── [1.0K] LICENSE
└── [2.9K] README.md
0 directories, 3 files
Notes
1. We recommend accessing the code through the original source first.
2. If the source has become unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.