
CVE-2025-32463 PoC — Sudo Security Vulnerability

Associated Vulnerability
Title: Sudo Security Vulnerability (CVE-2025-32463)
Description: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Description
Environment and Nuclei template to test CVE-2025-32463
Readme
# CVE-2025-32463 - Setup and Execution Guide

This is the first time I’ve ported a malicious exploit into a Nuclei template for a non-intrusive vulnerability scan that still demonstrates the underlying issue.

I documented the process in more detail expressly as a learning exercise.

My main challenges were:

- How to modify the original exploit code into something safe that can effectively test privilege escalation without obtaining a root shell as the original exploit did.
- I ran into some issues with Nuclei template syntax when using the code engine. I’m not accustomed to creating templates this way, so I was caught a few times by the need to sign the template and include the `-itags local` parameter, since the local tag is ignored by default in [.nuclei-ignore](https://docs.projectdiscovery.io/opensource/nuclei/running#executing-nuclei-templates) settings.
- I was unsure whether compiling C code inside a template is an accepted approach (there are very few examples like that in the official repository).

It may seem weird that I chose the Windows environment for this activity. The fact is that Windows is my default operating system for reasons I won’t go into here.

## Containerized Environment Setup

```bash
docker-compose up --build -d
```

## Signing the Nuclei Template (Required for Code Engine)

This template uses the `code` engine, which requires signing for security reasons. The template is already signed in this repository.

### Signing keys setup (already configured)

The `docker-compose.yaml` is configured to mount your Windows Nuclei signing keys from `%APPDATA%\nuclei\keys` into the containers. This allows the signed template to be verified.

### If you need to re-sign the template on your host

_On Windows host (requires Nuclei installed)._

```bash
nuclei -t cve-2025-32463.yaml -sign
```

This will sign the template and add a digest field.

**Note:** The first time you run this command, Nuclei will create signing keys in `%APPDATA%\nuclei\keys` and prompt for:

1. User/Organization Name
2. Passphrase for the private key

## Execute Nuclei scan inside the target container

### Vulnerable Sudo Version

**Linux/macOS/Git Bash:**

```bash
docker exec -u testuser vulnerable-sudo-target sh -c 'nuclei -itags local -t /tmp/template.yaml -target localhost -code'
```

**Windows PowerShell/CMD:**

```powershell
docker exec -u testuser vulnerable-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```

**Alternative (works on all platforms):**

```bash
docker exec -u testuser vulnerable-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```

**Notes:**

- The `-code` flag is required to enable code protocol-based templates
- Use `sh -c '...'` to avoid Windows path conversion issues with MSYS2/Git Bash
- The template should show: `[INF] Executing 1 signed templates from <your-username>`

### Patched Sudo Version

**Windows PowerShell/CMD:**

```powershell
docker exec -u testuser patched-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```

**Alternative (works on all platforms):**

```bash
docker exec -u testuser patched-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```

**Notes:**

- The `-code` flag is required to enable code protocol-based templates
- Windows Git Bash: Use double quotes `"..."` or the alternative command without `sh -c`
- The template should show: `[INF] Executing 1 signed templates from <your-username>`

## Alternative: Manual Exploit Test

If you want to verify the vulnerability without signing the Nuclei template, you can run the exploit script directly:

Copy and run the exploit script.

```bash
docker cp exploit.sh vulnerable-sudo-target:/tmp/exploit.sh
docker exec -u testuser vulnerable-sudo-target bash /tmp/exploit.sh
```

Expected output: `woot!` followed by a root shell (in interactive mode).

## Expected Output

### Nuclei Scan Output - Vulnerable Container

```bash
[CVE-2025-32463] [code] [critical] localhost ["VULNERABLE UID=1000 EUID=0"]

[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 140.454595ms. 1 matches found.
```

**Detection confirmed:** `UID=1000 EUID=0` shows that code run by testuser (UID 1000) executed with an effective UID of 0, i.e. with root privileges.

### Nuclei Scan Output - Patched Container

```bash
[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 143.319373ms. No results found.
```

**No vulnerability detected** - the patched sudo version prevents the library from being loaded.
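To cross-check either container's Nuclei verdict against the sudo build it actually runs, the following added shell example (not part of this repository) parses `sudo --version` output and compares the version with 1.9.17p1, the first fixed release named above; the sample output is constructed.

```sh
#!/bin/sh
# Added example, not part of the repository: compare an installed sudo
# version with 1.9.17p1, the first fixed release for CVE-2025-32463.
# Assumes sudo's upstream x.y.z / x.y.zpN scheme; distro backports may fix
# the bug without bumping the version, so confirm with the Nuclei check.
# Normalise "1.9.17p1" to "1 9 17 1". A release without a "p" suffix gets
# patch level 0, so 1.9.17 sorts below 1.9.17p1.
sudo_version_key() {
    ver=$1
    base=${ver%%p*}
    case $ver in
        *p*) patch=${ver##*p} ;;
        *)   patch=0 ;;
    esac
    printf '%s %s\n' "$(printf '%s' "$base" | tr '.' ' ')" "$patch"
}

# Succeed (exit 0) when VERSION is older than 1.9.17p1.
sudo_is_vulnerable() {
    set -- $(sudo_version_key "$1") $(sudo_version_key "1.9.17p1")
    # $1..$4 are the installed fields, $5..$8 the fixed ones.
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }
    [ "$4" -lt "$8" ]
}

# Extract the version from `sudo --version` output ("Sudo version 1.9.17p1").
sudo_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Sudo" && $2 == "version" { print $3 }'
}

# Constructed sample of `sudo --version` output for a pre-fix release.
SAMPLE_OUTPUT='Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5'

report() {
    if sudo_is_vulnerable "$1"; then
        echo "sudo $1: below 1.9.17p1, CVE-2025-32463 applies"
    else
        echo "sudo $1: 1.9.17p1 or later, not affected"
    fi
}

report "$(sudo_version_from_output "$SAMPLE_OUTPUT")"
if command -v sudo >/dev/null 2>&1; then
    v=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
    [ -n "$v" ] && report "$v"
fi
```

Run it inside each container (`docker exec vulnerable-sudo-target sh /tmp/check.sh`) to see the version verdict beside the Nuclei result.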

## See Also

For detailed technical explanation of the vulnerability, attack vectors, and detection methodology, refer to the **[Technical Notes](TECHNICAL-NOTES.md)** document.