Related vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users execute commands with special privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: using an /etc/nsswitch.conf from a user-controlled directory can lead to obtaining root access.
Description
Sudo chroot privilege escalation PoC
Introduction
# CVE-2025-32463 - Sudo Privilege Escalation PoC
/////// Disclaimer /////////////////////////////////////////////////////////////////////////////////////////////////////////////////
This project is provided solely for educational purposes.
By using any part of this repository, you acknowledge that you will not
utilize the code or techniques contained herein to gain unauthorized access
to systems that you do not own or have explicit permission to test.
The author (nflatrea) assumes no responsibility or liability for any misuse,
damage, or consequences resulting from the use of this proof-of-concept or
related materials, and you agree to use this code at your own risk.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
This repository provides a proof-of-concept exploit for a local privilege escalation vulnerability
in sudo versions 1.9.1 through 1.9.17, allowing an unprivileged user to escalate to root privileges
by abusing the --chroot (-R) feature, even without specific sudo rules.
The repository includes a single file:
`bipboop.sh` : A self-contained bash script that demonstrates the exploit.
It creates a fake chroot environment, builds a malicious NSS module, and uses
sudo -R to trigger the vulnerability.
### Requirements
- A Linux system with `sudo` version between 1.9.14 and 1.9.17
- `gcc` and basic build tools installed
### Vulnerability Overview
**CVE-2025-32463** allows arbitrary shared object loading with root privileges, due to unsafe
chroot() behaviour combined with Name Service Switch (NSS) lookups during command matching.
When sudo chroots into a directory that is writable and controlled by an unprivileged user, it
resolves user information using the NSS configuration inside that chroot, so the shared objects
named there are loaded into a root process.
By planting a malicious shared object (e.g., `libnss_/bipboop.so.2`) in the fake chroot environment,
an attacker can trigger its execution with sudo, resulting in privilege escalation.
This issue was introduced in sudo version 1.9.14 and is patched in version 1.9.17p1, where the
chroot feature was deprecated.
### Affected Versions
- `sudo` 1.9.14 to 1.9.17 (VULNERABLE)
- `sudo` 1.9.17p1 and later (PATCHED)
- Legacy versions prior to 1.9.14 (chroot feature did not exist) (NOT AFFECTED)
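As an added example (not code from the PoC repository), the following Python script classifies a `sudo --version` banner against the version boundaries listed above: chroot support first appears in 1.9.14 and 1.9.17p1 is the first fixed release. The `pN` suffix is mapped to a fourth version component so that 1.9.17 sorts below 1.9.17p1. The sample banners are constructed; the optional live check simply runs `sudo --version`, which needs no privileges.

```python
import re
import subprocess

# Boundaries taken from the Affected Versions list above (assumed here as
# the only decision criterion; see the usage note on distro backports).
AFFECTED_MIN = (1, 9, 14, 0)   # first release with the --chroot option
FIXED = (1, 9, 17, 1)          # 1.9.17p1, first patched release

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str) -> tuple:
    """Turn the first line of `sudo --version` output into a comparable tuple.

    The optional 'pN' suffix (e.g. 1.9.17p1) becomes the fourth component,
    with 0 meaning "no patch suffix", so 1.9.17 < 1.9.17p1 compares correctly.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised sudo version banner: {banner!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def classify(banner: str) -> str:
    """Map a version banner to one of the three states from the README."""
    v = parse_sudo_version(banner)
    if v < AFFECTED_MIN:
        return "not affected (predates the chroot option)"
    if v < FIXED:
        return "vulnerable (update to 1.9.17p1 or later)"
    return "patched"


def check_installed_sudo() -> str:
    """Query the locally installed sudo and classify it."""
    out = subprocess.run(
        ["sudo", "--version"], capture_output=True, text=True, check=True
    ).stdout
    return classify(out)


# Constructed sample banners in the format `sudo --version` prints on its first line.
SAMPLE_BANNERS = [
    "Sudo version 1.9.13p3",
    "Sudo version 1.9.14",
    "Sudo version 1.9.15p5",
    "Sudo version 1.9.17",
    "Sudo version 1.9.17p1",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:26s} -> {classify(banner)}")
    try:
        print(f"installed sudo             -> {check_installed_sudo()}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query installed sudo: {exc}")
```

A version string alone is not conclusive on distributions that backport fixes without bumping the upstream version; on such systems, confirm against the distribution's own advisory or package changelog rather than relying on this classification.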
### Credit
`CVE-2025-32463` was discovered by Rich Mirch of the Stratascale Cyber Research Unit (CRU).
Full disclosure: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
The Stratascale CRU team conducted detailed analysis of the sudo chroot implementation and
identified the vulnerability as part of ongoing research into privileged Linux utilities.
Their work included discovery, exploitation, responsible disclosure to the sudo maintainer,
and coordination with MITRE for CVE assignment.
File snapshot
[4.0K] /data/pocs/d6bdb7d2f8c13b78f75dd66e476cc07816837d88
├── [ 999] bipboop.sh
└── [2.9K] README.md
0 directories, 2 files
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source is unavailable or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.