POC details: 6f69313096e6a2b3adc1a3db4e41c7e6496af03c

Source
Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that allows users to run commands with special privileges in a secure way. Sudo versions before 1.9.17p1 contain a security vulnerability: using /etc/nsswitch.conf from a user-controlled directory can lead to obtaining root access.
Description
Exploit for Local Privilege Escalation in Sudo via Malicious nsswitch.conf with sudo -R. (CVE-2025-32463) 
Introduction
<h1 align="center">
  <img src="src/exploit.gif" alt="CVE-2025-32463" width="450px">
  <br>
</h1>

<div align="center">

**CVE-2025-32463 Local Privilege Escalation in Sudo via Malicious nsswitch.conf with sudo -R. Affected versions 1.9.14 – 1.9.17**

</div>

<div align="center">
  
![GitHub last commit](https://img.shields.io/github/last-commit/pevinkumar10/CVE-2025-32463) [![GitHub license](https://img.shields.io/github/license/pevinkumar10/http-prober)](https://github.com/pevinkumar10/CVE-2025-32463/blob/main/LICENSE)

</div>

## 📘 Introduction

Sudo is a widely used command-line utility on Unix-like systems that allows permitted users to execute commands with elevated privileges. It plays a critical role in enforcing the principle of least privilege and maintaining a secure audit trail of administrative activities.

The Stratascale Cyber Research Unit (CRU) discovered two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. This vulnerability affects Sudo versions 1.9.14 through 1.9.17, and allows unprivileged local users to gain root access by abusing the --chroot (-R) option, even if no sudo rules are defined for the user.

This repository provides a Python proof-of-concept (PoC) reimplementation of the original Bash exploit developed by the CRU team. It demonstrates how to achieve arbitrary code execution as root via a crafted nsswitch.conf file inside a user-controlled chroot environment.

## 🚨 Vulnerability Summary

- CVE ID: CVE-2025-32463

- Affected Software: Sudo (versions 1.9.14 – 1.9.17)

- Vulnerable Feature: --chroot (-R) option

- Impact: Local Privilege Escalation (unprivileged → root)

- Exploitation Prerequisites:

  - No sudo permissions required for the user

  - Ability to run sudo -R on vulnerable versions

- Patched in: Sudo 1.9.17p1


## 🧪 Exploit Description

The vulnerability stems from how Sudo processes the nsswitch.conf file inside a chrooted environment. When invoked with the --chroot option, Sudo performs multiple chroot() calls which invoke pivot_root(); that call loads nsswitch.conf from an attacker-controlled path.

By placing a malicious nsswitch.conf file with a custom NSS source (e.g., passwd: /woot1337) inside the chroot directory, and providing a corresponding malicious shared object (libnss_/woot1337.so.2), an attacker can trick Sudo into loading and executing arbitrary code with root privileges.

## ⚒️ Usage

```bash
git clone https://github.com/pevinkumar10/CVE-2025-32463
cd CVE-2025-32463
pip3 install -r requirements.txt
python3 exploit.py
```

## 🐍 This Python PoC

This Python version replicates the logic of the original Bash PoC by the [Stratascale CRU team](https://www.sudo.ws/security/advisories/chroot_bug/). It creates a fake root environment, compiles a malicious NSS module, sets up the exploit conditions, and invokes sudo -R to trigger the vulnerability.

The Python reimplementation:

- Automates the entire exploitation chain

- Improves portability and readability

- Retains original exploit behavior and impact

## 💥 Impact

Any local user on a system running a vulnerable Sudo version (1.9.14 – 1.9.17) can gain root access without needing any sudoers rule. This affects default Sudo configurations.


## 🛡️ Remediation

- Upgrade to Sudo 1.9.17p1 or later

- Avoid use of the deprecated --chroot option

- Review /etc/sudoers and /etc/sudoers.d for CHROOT= or runchroot= directives

- Audit log files for Sudo commands using CHROOT= via syslog or journal entries

- More details: https://www.sudo.ws/security/advisories/chroot_bug/
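The three review items above (version check, sudoers directive review, log audit) can be scripted. The following is an added example written for this page, not code from the PoC repository or the Sudo project. It compares a `sudo --version` string against the advisory's affected range (1.9.14 through 1.9.17, fixed in 1.9.17p1), reports `CHROOT=` and `runchroot=` directives in sudoers text while ignoring commented-out lines, and flags sudo log lines carrying a `CHROOT=` field. The sudoers snippet and log lines are constructed samples; the log matching assumes sudo's usual syslog line layout with a `CHROOT=/path` field.

```python
"""Added audit example for CVE-2025-32463 (not part of the PoC repository):
version range check, sudoers chroot-directive scan, and sudo log scan."""
import re
import subprocess
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Range from the advisory: 1.9.14 through 1.9.17 affected, fixed in 1.9.17p1.
FIRST_AFFECTED: Version = (1, 9, 14, 0)
FIRST_FIXED: Version = (1, 9, 17, 1)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")
# Per-rule form "CHROOT=/path" and Defaults form "runchroot=/path" (keywords are case-sensitive).
_DIRECTIVE_RE = re.compile(r"(?<![\w-])(CHROOT|runchroot)\s*=\s*(\S+)")
# Assumed sudo syslog layout: the line carries "CHROOT=/path" when a command ran in a chroot.
_LOG_RE = re.compile(r"\bsudo\b.*?\bCHROOT=(\S+)")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Parse the first version in `sudo --version` output:
    'Sudo version 1.9.17p1' -> (1, 9, 17, 1); a missing p-level counts as 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version: Version) -> bool:
    """True for any version in [1.9.14, 1.9.17p1), i.e. 1.9.14 through 1.9.17 inclusive."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def find_chroot_directives(lines: Iterable[str], source: str = "<text>") -> List[Tuple[str, int, str, str]]:
    """Return (source, line_no, directive, path) for every chroot directive;
    text after '#' is dropped so commented-out directives are not reported."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        code = raw.split("#", 1)[0]
        for m in _DIRECTIVE_RE.finditer(code):
            findings.append((source, line_no, m.group(1), m.group(2)))
    return findings


def scan_sudoers_paths(paths: Iterable[Path]) -> List[Tuple[str, int, str, str]]:
    """Scan plain files, and every file inside a directory such as /etc/sudoers.d."""
    findings = []
    for path in paths:
        if path.is_dir():
            findings.extend(scan_sudoers_paths(sorted(p for p in path.iterdir() if p.is_file())))
        elif path.is_file():
            text = path.read_text(errors="replace")
            findings.extend(find_chroot_directives(text.splitlines(), str(path)))
    return findings


def find_chroot_log_entries(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_no, chroot_path) for sudo log lines that used a chroot."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = _LOG_RE.search(line)
        if m is not None:
            hits.append((line_no, m.group(1)))
    return hits


# Constructed sample inputs so the example runs offline (not taken from any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults runchroot=/srv/jail   # every command runs inside /srv/jail
alice ALL=(root) CHROOT=/opt/build /usr/bin/make
bob   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
# CHROOT=/commented/out must not be reported
"""
SAMPLE_LOG = [
    "Jun 30 10:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 30 10:13:45 host sudo:      bob : TTY=pts/1 ; PWD=/tmp ; CHROOT=/tmp/jail ; USER=root ; COMMAND=/bin/sh",
    "Jun 30 10:14:02 host sshd[1234]: Accepted publickey for alice from 192.0.2.10",
]


def main() -> None:
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    version = parse_sudo_version(out)
    if version is None:
        print("sudo version: not determined")
    else:
        state = "AFFECTED (upgrade to 1.9.17p1 or later)" if is_affected_version(version) else "not affected"
        print(f"sudo version {version}: {state}")
    try:  # reading sudoers normally requires root
        for src, no, directive, path in scan_sudoers_paths([Path("/etc/sudoers"), Path("/etc/sudoers.d")]):
            print(f"{src}:{no}: {directive}={path}")
    except PermissionError:
        print("sudoers scan skipped: run as root to read /etc/sudoers and /etc/sudoers.d")
    for no, path in find_chroot_log_entries(SAMPLE_LOG):
        print(f"sample log line {no}: command ran with CHROOT={path}")


if __name__ == "__main__":
    main()
```

Run it as root to scan the real sudoers files; pass your own syslog or `journalctl -t sudo` lines to `find_chroot_log_entries` to audit past chroot usage. A version in the affected range is the finding that matters most, since the advisory states the bug needs no sudoers rule at all; the directive scan only tells you where `--chroot` is used legitimately and will keep being used after the upgrade.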


## 📜 Reference & Credit

- Original Bash PoC: Stratascale Cyber Research Unit (CRU)

- Vulnerability Discovered by: Rich Mirch (CRU)

- Maintainer Acknowledgement: Todd C. Miller (Sudo Project)

- Advisory: https://www.sudo.ws/security/advisories/chroot_bug/

## ⚖️ License

This Python PoC is released under the [MIT](./LICENSE) License.
The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.
File snapshot

    [4.0K] /data/pocs/6f69313096e6a2b3adc1a3db4e41c7e6496af03c
    ├── [7.2K] exploit.py
    ├── [1.0K] LICENSE
    ├── [4.1K] README.md
    ├── [   9] requirements.txt
    └── [4.0K] src
        ├── [6.9M] exploit.gif
        └── [  62] exploit.gif.gif:Zone.Identifier

    1 directory, 6 files
Shenlong bot has cached this for you.
Notes
    1. Accessing the original source is recommended.
    2. If the source is gone or unreachable, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.