Exploit for Local Privilege Escalation in Sudo via Malicious nsswitch.conf with sudo -R. (CVE-2025-32463) <h1 align="center">
<img src="src/exploit.gif" alt="CVE-2025-32463" width="450px">
<br>
</h1>
<div align="center">
**CVE-2025-32463 Local Privilege Escalation in Sudo via Malicious nsswitch.conf with sudo -R. Affected versions 1.9.14 – 1.9.17**
</div>
<div align="center">
 [](https://github.com/pevinkumar10/CVE-2025-32463/blob/main/LICENSE)
</div>
## 📘 Introduction
Sudo is a widely used command-line utility on Unix-like systems that allows permitted users to execute commands with elevated privileges. It plays a critical role in enforcing the principle of least privilege and maintaining a secure audit trail of administrative activities.
The Stratascale Cyber Research Unit (CRU) discovered two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. This vulnerability affects Sudo versions 1.9.14 through 1.9.17, and allows unprivileged local users to gain root access by abusing the --chroot (-R) option, even if no sudo rules are defined for the user.
This repository provides a Python proof-of-concept (PoC) reimplementation of the original Bash exploit developed by the CRU team. It demonstrates how to achieve arbitrary code execution as root via a crafted nsswitch.conf file inside a user-controlled chroot environment.
## 🚨 Vulnerability Summary
- CVE ID: CVE-2025-32463
- Affected Software: Sudo (versions 1.9.14 – 1.9.17)
- Vulnerable Feature: --chroot (-R) option
- Impact: Local Privilege Escalation (unprivileged → root)
- Exploitation Prerequisites:
- No sudo permissions required for the user
- Ability to run sudo -R on vulnerable versions
- Patched in: Sudo 1.9.17p1
## 🧪 Exploit Description
The vulnerability stems from how Sudo processes the nsswitch.conf file inside a chrooted environment. When invoked with the --chroot option, Sudo performs multiple chroot() calls which invoke pivot_root() and that call loads the nsswitch.conf from an attacker-controlled path.
By placing a malicious nsswitch.conf file with a custom NSS source (e.g., passwd: /woot1337) inside the chroot directory, and providing a corresponding malicious shared object (libnss_/woot1337.so.2), an attacker can trick Sudo into loading and executing arbitrary code with root privileges.
## ⚒️ Usage:
```bash
git clone https://github.com/pevinkumar10/CVE-2025-32463
cd CVE-2025-32463
```
```bash
pip3 install -r requirements.txt
python3 exploit.py
```
## 🐍 This Python PoC
This Python version replicates the logic of the original Bash PoC by the [Stratascale CRU team](https://www.sudo.ws/security/advisories/chroot_bug/). It creates a fake root environment, compiles a malicious NSS module, sets up the exploit conditions, and invokes sudo -R to trigger the vulnerability.
The Python reimplementation:
- Automates the entire exploitation chain
- Improves portability and readability
- Retains original exploit behavior and impact
## 💥 Impact
Any local user on a system running a vulnerable Sudo version (1.9.14 - 1.9.17) can gain root access without needing any sudoers rule. This affects default Sudo configurations.
## 🛡️ Remediation
- Upgrade to Sudo 1.9.17p1 or later
- Avoid use of the deprecated --chroot option
- Review /etc/sudoers and /etc/sudoers.d for CHROOT= or runchroot= directives
- Audit log files for Sudo commands using CHROOT= via syslog or journal entries
- More details: https://www.sudo.ws/security/advisories/chroot_bug/
## 📜 Reference & Credit
- Original Bash PoC: Stratascale Cyber Research Unit (CRU)
- Vulnerability Discovered by: Rich Mirch (CRU)
- Maintainer Acknowledgement: Todd C. Miller (Sudo Project)
- Advisory: https://www.sudo.ws/security/advisories/chroot_bug/
## ⚖️ License
This Python PoC is released under the [MIT](./LICENSE) License.
The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view