# CVE-2025-32463 - Sudo Privilege Escalation PoC
/////// Disclaimer /////////////////////////////////////////////////////////////////////////////////////////////////////////////////
This project is provided solely for educational purposes.
By using any part of this repository, you acknowledge that you will not
utilize the code or techniques contained herein to gain unauthorized access
to systems that you do not own or have explicit permission to test.
The author (nflatrea) assumes no responsibility or liability for any misuse,
damage, or consequences resulting from the use of this proof-of-concept or
related materials, and you agree to use this code at your own risk.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
This repository provides a proof-of-concept exploit for a local privilege escalation vulnerability
in sudo versions 1.9.14 through 1.9.17. It allows an unprivileged user to escalate to root
by abusing the `--chroot` (`-R`) feature, even without any specific sudo rules.
The repository contains a single file:
- `bipboop.sh`: a self-contained bash script that demonstrates the exploit.
  It creates a fake chroot environment, builds a malicious NSS module, and uses
  `sudo -R` to trigger the vulnerability.
### Requirements
- A Linux system with `sudo` version between 1.9.14 and 1.9.17
- `gcc` and basic build tools installed
### Vulnerability Overview
**CVE-2025-32463** is caused by unsafe `chroot()` behavior combined with Name Service Switch (NSS)
lookups performed during command matching. When sudo chroots into a directory that is writable and
controlled by an unprivileged user, it resolves user information using the NSS configuration found
inside that chroot. Because NSS loads the shared objects named in that configuration, an
attacker-controlled chroot leads to arbitrary shared object loading with root privileges.
By planting a malicious shared object (e.g., `libnss_/bipboop.so.2`) in the fake chroot environment,
an attacker can trigger its execution with sudo, resulting in privilege escalation.
This issue was introduced in sudo version 1.9.14 and is patched in version 1.9.17p1, where the
chroot feature was deprecated.
### Affected Versions
- `sudo` 1.9.14 to 1.9.17 (VULNERABLE)
- `sudo` 1.9.17p1 and later (PATCHED)
- Legacy versions prior to 1.9.14 (chroot feature did not exist) (NOT AFFECTED)
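An added defensive check, not part of this repository or the PoC script: a POSIX sh helper that maps a sudo version string onto the three ranges above (handling the `pN` patch-level suffix, which is what separates patched 1.9.17p1 from vulnerable 1.9.17) and reports on the locally installed sudo. The function and variable names are my own.

```shell
#!/bin/sh
# Classify a sudo version string against the CVE-2025-32463 ranges listed above:
#   NOT_AFFECTED  before 1.9.14 (no chroot feature)
#   VULNERABLE    1.9.14 .. 1.9.17 (a bare "1.9.17" has patch level 0)
#   PATCHED       1.9.17p1 and later
#   UNKNOWN       input that is not a sudo version string

# Turn "MAJOR.MINOR.PATCH[pN]" into one comparable integer, e.g. 1.9.17p1 -> 1091701.
# Assumes each component stays below 100, which holds for every sudo release so far.
sudo_version_key() {
    base=${1%%p*}                             # "1.9.17p1" -> "1.9.17"
    plevel=${1#"$base"}; plevel=${plevel#p}   # "p1" -> "1"; absent -> 0
    [ -n "$plevel" ] || plevel=0
    case "$base.$plevel" in                   # reject anything that is not digits and dots
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + plevel ))
}

sudo_cve_2025_32463_status() {
    key=$(sudo_version_key "$1") || { echo UNKNOWN; return 1; }
    if   [ "$key" -lt 1091400 ]; then echo NOT_AFFECTED   # < 1.9.14
    elif [ "$key" -lt 1091701 ]; then echo VULNERABLE     # < 1.9.17p1
    else                               echo PATCHED
    fi
}

# The first line of `sudo --version` reads "Sudo version 1.9.17p1"; extract the version.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Report on the local sudo when one is installed (skipped silently otherwise).
if command -v sudo >/dev/null 2>&1; then
    v=$(installed_sudo_version)
    echo "sudo ${v:-<unparsed>}: $(sudo_cve_2025_32463_status "$v")"
fi
```

Run it as an unprivileged user; `sudo --version` needs no sudoers entry, so the report works on hosts where the account has no sudo rights at all.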
### Credit
`CVE-2025-32463` was discovered by Rich Mirch of the Stratascale Cyber Research Unit (CRU).
Full disclosure: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
The Stratascale CRU team conducted a detailed analysis of the sudo chroot implementation and
identified the vulnerability as part of ongoing research into privileged Linux utilities.
Their work included discovery, exploitation, responsible disclosure to the sudo maintainer,
and coordination with MITRE for CVE assignment.