Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-32463 PoC — Sudo 安全漏洞

Source
https://github.com/nflatrea/CVE-2025-32463
Associated Vulnerability
Title:Sudo 安全漏洞 (CVE-2025-32463)
Description:Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。 Sudo 1.9.17p1之前版本存在安全漏洞,该漏洞源于使用用户控制目录中的/etc/nsswitch.conf可能导致获取root访问权限。
Description
Sudo chroot privileged escalation PoC
Readme
# CVE-2025-32463 - Sudo Privilege Escalation PoC

/////// Disclaimer /////////////////////////////////////////////////////////////////////////////////////////////////////////////////

This project is provided solely for educational purposes.
By using any part of this repository, you acknowledge that you will not 
utilize the code or techniques contained herein to gain unauthorized access 
to systems that you do not own or have explicit permission to test. 

The author (nflatrea) assumes no responsibility or liability for any misuse, 
damage, or consequences resulting from the use of this proof-of-concept or 
related materials, and you agree to use this code at your own risk.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

This repository provides a proof-of-concept exploit for a local privilege escalation vulnerability 
in sudo versions 1.9.1 through 1.9.17, allowing an unprivileged user to escalate to root privileges 
by abusing the --chroot (-R) feature, even without specific sudo rules.

The latter includes a single file:

`bipboop.sh` : A self-contained bash script that demonstrates the exploit. 
It creates a fake chroot environment, builds a malicious NSS module, and uses 
sudo -R to trigger the vulnerability.

### Requirements

- A Linux system with `sudo` version between 1.9.14 and 1.9.17
- `gcc` and basic build tools installed

### Vulnerability Overview

**CVE-2025-32463** allows for arbitrary shared object loading with root privileges 
due to unsafe chroot() behavior combined with Name Service Switch (NSS) 
lookups during command matching, enabling an unprivileged user to exploit 
writable and controlled directories. When sudo chroots into a directory that is writable and 
controlled by an unprivileged user, it will resolve user information using the NSS configuration 
inside the chroot. This leads to arbitrary shared object loading  with root privileges.

By planting a malicious shared object (e.g., `libnss_/bipboop.so.2`) in the fake chroot environment,
an attacker can trigger its execution with sudo, resulting in privilege escalation.

This issue was introduced in sudo version 1.9.14 and is patched in version 1.9.17p1, where the 
chroot feature was deprecated.

### Affected Versions

- `sudo` 1.9.14 to 1.9.17 (VULNERABLE)
- `sudo` 1.9.17p1 and later (PATCHED)
- Legacy versions prior to 1.9.14 (chroot feature did not exist) (NOT AFFECTED)

### Credit

`CVE-2025-32463` was discovered by Rich Mirch of the Stratascale Cyber Research Unit (CRU).

Full Disclosure : https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

The Stratascale CRU team conducted detailed analysis of the sudo chroot implementation and
identified the vulnerability as part of ongoing research into privileged Linux utilities. 
Their work included discovery, exploitation, responsible disclosure to the sudo maintainer, 
and coordination with MITRE for CVE assignment.
File Snapshot

 [4.0K]  /data/pocs/d6bdb7d2f8c13b78f75dd66e476cc07816837d88
├── [ 999]  bipboop.sh
└── [2.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.