Overview: A critical vulnerability in Sudo (CVE-2025-32463) allows local users to escalate privileges via the --chroot option in versions 1.9.14 to 1.9.17.
Vulnerability Summary:
Sudo is a popular command-line program for Unix and Linux-like systems that lets authorized users execute commands with elevated privileges. Sudo is essential for implementing the principle of least privilege and maintains a secure, auditable trail of administrator activity.
The Stratascale Cyber Research Unit (CRU) identified two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. The affected Sudo versions range from 1.9.14 through 1.9.17. The flaw allows unprivileged local users to gain root access by abusing the --chroot (-R) option, even when no sudo rules are defined for that user.
Exploitation:
- Download the exploit:
```bash
git clone https://github.com/pevinkumar10/CVE-2025-32463.git
cd CVE-2025-32463
```
- Run the exploit:
```bash
python3 exploit.py
```
Exploit Description:
The vulnerability stems from how Sudo processes the nsswitch.conf file inside a chrooted environment. When invoked with the --chroot option, Sudo performs multiple chroot() calls, which invoke pivot_root(), and nsswitch.conf is then loaded from an attacker-controlled path. By placing a malicious nsswitch.conf file with a custom NSS source (e.g., passwd: /woot1337) inside the chroot directory, and providing a corresponding malicious shared object (libnss_/woot1337.so.2), an attacker can trick Sudo into loading and executing arbitrary code with root privileges.
PoC (Proof of Concept):
Impact:
Any local user on a system running a vulnerable Sudo version (1.9.14 - 1.9.17) can gain root access without needing any sudoers rule. This affects default Sudo configurations.
Mitigation:
- Upgrade to Sudo 1.9.17p1 or later
- Avoid use of the deprecated --chroot option
- Audit log files for Sudo commands using CHROOT= via syslog or journal entries
- For more details, check out here
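The two defender-side checks implied by the description and mitigation sections above, as an added example (this is not code from the exploit repository or from Sudo): a version test against the affected range 1.9.14 through 1.9.17 (fixed in 1.9.17p1), and a parser that pulls CHROOT= invocations out of syslog-style sudo entries. The log lines are constructed for illustration, and the field layout (`user : TTY=... ; CHROOT=... ; PWD=... ; USER=... ; COMMAND=...`) is assumed to match the default sudo syslog format; adjust the regex if your journal formats entries differently.

```python
"""Defender-side checks for CVE-2025-32463: version range test and CHROOT= log audit.
Added example; not code from the exploit repository or the Sudo project."""
import re
import subprocess
from typing import Optional

# Affected range taken from the advisory text: 1.9.14 through 1.9.17, fixed in 1.9.17p1.
# Versions are compared as (major, minor, patch, patchlevel); a missing "pN" counts as p0.
VULN_FROM = (1, 9, 14, 0)
FIXED_AT = (1, 9, 17, 1)

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[tuple]:
    """Extract (major, minor, patch, plevel) from output such as 'Sudo version 1.9.15p5'."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_version(text: str) -> bool:
    """True when the version string falls inside the affected range."""
    v = parse_sudo_version(text)
    return v is not None and VULN_FROM <= v < FIXED_AT


def installed_sudo_vulnerable() -> Optional[bool]:
    """Run `sudo --version` on this host; None if sudo is not installed."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable_version(proc.stdout)


# Assumed syslog layout: "... sudo[pid]:    user : [note ;] KEY=value ; KEY=value ..."
_LOG_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s*:\s*(?P<fields>.*)$")


def parse_sudo_log_line(line: str) -> Optional[dict]:
    """Split one sudo syslog entry into a dict of its KEY=value fields plus 'user'."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    rec = {"user": m.group("user")}
    for part in m.group("fields").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
        elif part.strip():
            # Free-text status such as "command not allowed" precedes the fields.
            rec.setdefault("note", part.strip())
    return rec


def find_chroot_invocations(lines) -> list:
    """Return every parsed entry that carries a CHROOT= field (i.e. -R/--chroot was used)."""
    hits = []
    for line in lines:
        rec = parse_sudo_log_line(line)
        if rec and "CHROOT" in rec:
            hits.append(rec)
    return hits


# Constructed sample entries (not real log data). Note that a denied command still records
# the CHROOT= field, so audits should not filter on successful invocations only.
SAMPLE_LOG = [
    "Jul  1 10:02:11 host1 sudo[1234]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jul  1 10:05:42 host1 sudo[1301]:      bob : TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
    "Jul  1 10:06:03 host1 sudo[1302]:      bob : command not allowed ; TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    print("installed sudo vulnerable:", installed_sudo_vulnerable())
    for hit in find_chroot_invocations(SAMPLE_LOG):
        print(f"CHROOT use by {hit['user']}: root={hit['CHROOT']} cmd={hit['COMMAND']} "
              f"note={hit.get('note', '-')}")
```

Feed `find_chroot_invocations` the output of `journalctl _COMM=sudo` or the relevant syslog file; any hit on a host where `installed_sudo_vulnerable()` is true deserves follow-up, and the chroot path in the entry tells you which directory to inspect for a planted nsswitch.conf and NSS shared object.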