## https://sploitus.com/exploit?id=36B14171-8832-5777-8543-858E12CDCA29
<h1 align="center">
  <img src="src/exploit.gif" alt="CVE-2025-32463" width="450px">
  <br>
</h1>

<div align="center">

**CVE-2025-32463 Local Privilege Escalation in Sudo via Malicious nsswitch.conf with sudo -R. Affected versions 1.9.14 – 1.9.17**

</div>

<div align="center">
  
![GitHub last commit](https://img.shields.io/github/last-commit/pevinkumar10/CVE-2025-32463) [![GitHub license](https://img.shields.io/github/license/pevinkumar10/http-prober)](https://github.com/pevinkumar10/CVE-2025-32463/blob/main/LICENSE)

</div>

## 📘 Introduction

Sudo is a widely used command-line utility on Unix-like systems that allows permitted users to execute commands with elevated privileges. It plays a critical role in enforcing the principle of least privilege and maintaining a secure audit trail of administrative activities.

The Stratascale Cyber Research Unit (CRU) discovered two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. This vulnerability affects Sudo versions 1.9.14 through 1.9.17, and allows unprivileged local users to gain root access by abusing the --chroot (-R) option, even if no sudo rules are defined for the user.

This repository provides a Python proof-of-concept (PoC) reimplementation of the original Bash exploit developed by the CRU team. It demonstrates how to achieve arbitrary code execution as root via a crafted nsswitch.conf file inside a user-controlled chroot environment.

## 🚨 Vulnerability Summary

- CVE ID: CVE-2025-32463

- Affected Software: Sudo (versions 1.9.14 – 1.9.17)

- Vulnerable Feature: --chroot (-R) option

- Impact: Local Privilege Escalation (unprivileged → root)

- Exploitation Prerequisites:

  - No sudo permissions required for the user

  - Ability to run sudo -R on vulnerable versions

- Patched in: Sudo 1.9.17p1


## 🧪 Exploit Description

The vulnerability stems from how Sudo processes the nsswitch.conf file inside a chrooted environment. When invoked with the --chroot option, Sudo performs multiple chroot() calls (which invoke pivot_root()), and nsswitch.conf is then loaded from an attacker-controlled path inside that chroot.

By placing a malicious nsswitch.conf file with a custom NSS source (e.g., passwd: /woot1337) inside the chroot directory, and providing a corresponding malicious shared object (libnss_/woot1337.so.2), an attacker can trick Sudo into loading that shared object and executing arbitrary code with root privileges.

## โš’๏ธ Usage:
```bash
git clone https://github.com/pevinkumar10/CVE-2025-32463

cd CVE-2025-32463

```

```bash
python3 exploit.py
```
## ๐Ÿ This Python PoC

This Python version replicates the logic of the original Bash PoC by the [Stratascale CRU team](https://www.sudo.ws/security/advisories/chroot_bug/). It creates a fake root environment, compiles a malicious NSS module, sets up the exploit conditions, and invokes sudo -R to trigger the vulnerability.

The Python reimplementation:

- Automates the entire exploitation chain

- Improves portability and readability

- Retains original exploit behavior and impact

## 💥 Impact

Any local user on a system running a vulnerable Sudo version (1.9.14 through 1.9.17) can gain root access without needing any sudoers rule. This affects default Sudo configurations.


## ๐Ÿ›ก๏ธ Remediation

- Upgrade to Sudo 1.9.17p1 or later

- Avoid use of the deprecated --chroot option

- Review /etc/sudoers and /etc/sudoers.d for CHROOT= or runchroot= directives

- Audit log files for Sudo commands using CHROOT= via syslog or journal entries

- More details: https://www.sudo.ws/security/advisories/chroot_bug/
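A defender-side check for the remediation steps above, added here as an example that is not part of this repository's PoC: it classifies a sudo version string against the affected range, lists live CHROOT=/runchroot= directives in sudoers files, and pulls sudo log records that ran under a chroot. The sudoers fragment and syslog lines it feeds itself are constructed, and the syslog record layout is an assumption.

```shell
#!/bin/sh
# Added defensive check, not part of the PoC repository: flags a sudo version in
# the affected range, lists CHROOT=/runchroot= directives in sudoers files and
# pulls sudo log records that used a chroot. Sample files below are constructed.
# Return 0 when a sudo version string ("1.9.17", "1.9.16p2") is affected:
# 1.9.14 through 1.9.17 inclusive; 1.9.17p1 and later contain the fix.
sudo_version_affected() {
    ver=$1; base=${ver%%p*}; plevel=0
    case "$ver" in *p*) plevel=${ver##*p} ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$patch$plevel" in *[!0-9]*) return 1 ;; esac   # reject odd strings
    [ "$major" = 1 ] && [ "$minor" = 9 ] || return 1
    [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] || return 1
    [ "$patch" -eq 17 ] && [ "$plevel" -ge 1 ] && return 1
    return 0
}
# Print non-comment sudoers lines carrying a CHROOT= command option or a
# runchroot= Defaults setting (the directives the advisory says to review).
find_chroot_directives() {
    cat "$@" 2>/dev/null | grep -E '^[^#]*(CHROOT=|runchroot=)' || true
}
# Print sudo log records that include CHROOT=, i.e. commands run under -R.
find_chroot_log_entries() {
    grep -E 'sudo.*CHROOT=' "$@" 2>/dev/null || true
}
# Constructed sudoers fragment and syslog lines (assumed format) for a dry run.
demo=$(mktemp -d)
cat > "$demo/sudoers" <<'EOF'
# CHROOT=/commented-out is ignored
Defaults runchroot=/srv/jail
alice ALL=(root) CHROOT=/srv/jail /usr/bin/id
EOF
cat > "$demo/auth.log" <<'EOF'
Jul  1 10:00:01 host sudo: alice : TTY=pts/0 ; CHROOT=/srv/jail ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jul  1 10:00:02 host sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ls
EOF
find_chroot_directives "$demo/sudoers"      # prints the 2 live directives
find_chroot_log_entries "$demo/auth.log"    # prints alice's CHROOT= record
rm -rf "$demo"
# Live check (guarded so the script also runs where sudo is not installed).
if command -v sudo >/dev/null 2>&1; then
    v=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    sudo_version_affected "$v" && echo "sudo $v: AFFECTED, upgrade to 1.9.17p1+" \
                               || echo "sudo $v: outside affected range"
    find_chroot_directives /etc/sudoers /etc/sudoers.d/*
fi
```

Reading /etc/sudoers and /etc/sudoers.d normally requires root, so run the live part with appropriate privileges; on journald-only hosts, feed `find_chroot_log_entries` the output of `journalctl _COMM=sudo` saved to a file.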


## 📜 Reference & Credit

- Original Bash PoC: Stratascale Cyber Research Unit (CRU)

- Vulnerability Discovered by: Rich Mirch (CRU)

- Maintainer Acknowledgement: Todd C. Miller (Sudo Project)

- Advisory: https://www.sudo.ws/security/advisories/chroot_bug/

## โš–๏ธ License

This Python PoC is released under the [MIT](./LICENSE) License.
The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.