CVE-2025-32463: Local Privilege Escalation in Sudo via a Malicious nsswitch.conf with sudo -R (affected versions 1.9.14 – 1.9.17)
Sudo is a widely used command-line utility on Unix-like systems that allows permitted users to execute commands with elevated privileges. It plays a critical role in enforcing the principle of least privilege and maintaining a secure audit trail of administrative activities.
The Stratascale Cyber Research Unit (CRU) discovered two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. This vulnerability affects Sudo versions 1.9.14 through 1.9.17, and allows unprivileged local users to gain root access by abusing the --chroot (-R) option, even if no sudo rules are defined for the user.
This repository provides a Python proof-of-concept (PoC) reimplementation of the original Bash exploit developed by the CRU team. It demonstrates how to achieve arbitrary code execution as root via a crafted nsswitch.conf file inside a user-controlled chroot environment.
- CVE ID: CVE-2025-32463
- Affected Software: Sudo (versions 1.9.14 – 1.9.17)
- Vulnerable Feature: --chroot (-R) option
- Impact: Local Privilege Escalation (unprivileged → root)
- Exploitation Prerequisites:
  - No sudo permissions required for the user (no sudoers rule needed)
  - Ability to run sudo -R on a vulnerable version
  - A way to place a compiled shared object on the host (the PoC builds one locally with gcc)
- Patched in: Sudo 1.9.17p1
The vulnerability stems from how Sudo resolves the command path when --chroot is given. Beginning with Sudo 1.9.14, the sudoers module calls chroot() into the user-supplied directory (through its internal pivot_root() helper, a Sudo function that wraps chroot(), not the Linux pivot_root(2) system call) before the command path is resolved and before the sudoers policy is consulted, and only afterwards chroots back with unpivot_root(). Any NSS lookup made in that window, such as a user or group lookup, makes glibc read /etc/nsswitch.conf relative to the new root, that is, from a directory the attacker controls.
glibc turns each NSS source named in nsswitch.conf into a shared-object name of the form libnss_<source>.so.2 and loads it with dlopen(). A malicious nsswitch.conf with a custom source (e.g., passwd: /woot1337) placed in the chroot directory therefore makes the root-privileged sudo process load libnss_/woot1337.so.2, a path the attacker can supply rather than a library found on the system search path. A constructor in that shared object runs inside the setuid-root sudo process and can set its uids to 0 and spawn a root shell, with no sudoers rule required.
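The name construction that the attack relies on, as an added illustration (not code from the PoC repository or from Sudo itself): a small nsswitch.conf parser, the glibc module-name rule applied to each source, and a check that flags source names which are not plain identifiers. The nsswitch.conf bodies are constructed samples, and the base_dir argument of module_path() is a stand-in for whichever directory the slash-containing name is resolved against at the moment of the lookup.

```python
"""Added illustration, not code from the CVE-2025-32463 PoC repository.

Shows how a source name in nsswitch.conf turns into the shared-object
name glibc passes to dlopen(), and why a source name containing a slash
escapes the normal library search.  The nsswitch.conf bodies below are
constructed for the example.
"""
import os
import re

# glibc forms the module name as "libnss_<source>.so.2" (".2" is the NSS
# ABI revision) and passes it to dlopen().  A name containing '/' is opened
# as a file path; a name without one is searched on the library path
# (ld.so.cache, /lib, /usr/lib, ...), which an unprivileged user cannot write.
NSS_MODULE_FORMAT = "libnss_{source}.so.2"

# A legitimate source name is a plain identifier such as files, dns, sss.
SAFE_SOURCE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_nsswitch(text):
    """Return {database: [source, ...]} for an nsswitch.conf body.

    Comments and blank lines are dropped; '[status=action]' groups are
    not module names and are skipped.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, _, rest = line.partition(":")
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        databases[database.strip()] = sources
    return databases


def module_filename(source):
    """The string glibc hands to dlopen() for one source name."""
    return NSS_MODULE_FORMAT.format(source=source)


def module_path(source, base_dir):
    """Where a slash-containing module name lands on disk.

    dlopen() resolves a relative path against the process's current
    directory and an absolute one against its root, so base_dir is the
    directory the name is interpreted from (assumption: which directory
    that is at lookup time depends on the calling program).  Returns None
    for names without a slash, which come from the library search path.
    """
    name = module_filename(source)
    if "/" not in name:
        return None
    return os.path.normpath(os.path.join(base_dir, name))


def suspicious_sources(text):
    """List (database, source) pairs whose source is not a plain identifier.

    Useful when triaging a staged chroot directory: a source such as
    '/woot1337' exists only to steer dlopen() to an attacker's file.
    """
    return [
        (db, src)
        for db, sources in parse_nsswitch(text).items()
        for src in sources
        if not SAFE_SOURCE_RE.match(src)
    ]


# Constructed samples: a normal configuration and the PoC's one-liner.
NORMAL_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:  files systemd
group:   files [SUCCESS=merge] systemd
hosts:   files dns
"""
MALICIOUS_NSSWITCH = "passwd: /woot1337\n"


if __name__ == "__main__":
    for db, sources in parse_nsswitch(NORMAL_NSSWITCH).items():
        print(db, [module_filename(s) for s in sources])
    print(suspicious_sources(MALICIOUS_NSSWITCH))
    print(module_path("/woot1337", "/tmp/stage"))
```

Running the script shows the contrast: every source in the normal file maps to a bare libnss_<name>.so.2 that the loader looks up on the system library path, while the PoC's source maps to libnss_/woot1337.so.2, which dlopen() treats as a path and opens directly.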
git clone https://github.com/pevinkumar10/CVE-2025-32463
cd CVE-2025-32463
pip3 install -r requirements.txt
python3 exploit.py

This Python version replicates the logic of the original Bash PoC by the Stratascale CRU team. It creates a fake root environment, compiles a malicious NSS module, sets up the exploit conditions, and invokes sudo -R to trigger the vulnerability.
The Python reimplementation:
- Automates the entire exploitation chain
- Improves portability and readability
- Retains the original exploit behavior and impact
Any local user on a system running a vulnerable Sudo version (1.9.14 – 1.9.17) can gain root access without any sudoers rule. Default Sudo configurations are affected, because the chroot is entered before the sudoers policy is evaluated.
- Upgrade to Sudo 1.9.17p1 or later (check the distribution package changelog as well: vendors may backport the fix without changing the upstream version string)
- Avoid use of the --chroot option; the Sudo project has deprecated the chroot feature and plans to remove it
- Review /etc/sudoers and /etc/sudoers.d for CHROOT= tags and runchroot= Defaults to find legitimate uses that will need another solution
- Audit Sudo's syslog or journal entries for commands logged with CHROOT= to spot both legitimate and suspicious use of the option
- More details: https://www.sudo.ws/security/advisories/chroot_bug/
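The version, sudoers and log checks above, as an added example that is not part of the PoC repository: a few triage helpers a responder can run on a host. The version strings, sudoers text and log lines in the block are constructed samples, and installed_sudo_version() assumes the "Sudo version X.Y.ZpN" first line that sudo --version prints.

```python
"""Added triage helpers, not code from the CVE-2025-32463 PoC repository.

They implement the checks listed above: is the installed Sudo in the
affected range, does sudoers use the chroot feature, and do the logs show
CHROOT= in use.  The version strings, sudoers text and log lines below are
constructed samples.
"""
import re
import subprocess

# Upstream version strings look like 1.9.15p5: major.minor.patch with an
# optional "pN" point release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
FIRST_AFFECTED = (1, 9, 14, 0)   # 1.9.14
FIRST_FIXED = (1, 9, 17, 1)      # 1.9.17p1


def parse_sudo_version(text):
    """'1.9.17p1' -> (1, 9, 17, 1); a missing pN counts as 0."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, point = m.groups()
    return (int(major), int(minor), int(patch), int(point or 0))


def is_affected_upstream(text):
    """True for 1.9.14 through 1.9.17 inclusive, False from 1.9.17p1 on.

    Caveat: distributions often backport the fix without changing the
    upstream version string, so True means "check the package changelog",
    not "confirmed vulnerable".
    """
    return FIRST_AFFECTED <= parse_sudo_version(text) < FIRST_FIXED


def installed_sudo_version():
    """Read the version from `sudo --version` (assumed first line:
    'Sudo version X.Y.ZpN').  --version needs no privileges and no
    sudoers rule, so this is safe to run as any user."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0].split()[-1]


# sudoers enables chroot either per rule (CHROOT=/dir tag) or globally
# (Defaults runchroot=/dir).  Both are matched outside of comments.
CHROOT_DIRECTIVE_RE = re.compile(r"\bCHROOT=|\brunchroot\s*=", re.IGNORECASE)


def find_chroot_directives(sudoers_text):
    """Return (line_number, line) for every uncommented chroot directive."""
    hits = []
    for number, raw in enumerate(sudoers_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]
        if CHROOT_DIRECTIVE_RE.search(code):
            hits.append((number, raw.strip()))
    return hits


# Sudo's log line carries "CHROOT=<dir>" when the option was used.
LOG_CHROOT_RE = re.compile(r"\bCHROOT=(\S+?)(?:\s*;|\s*$)")


def chroot_uses_in_log(log_text):
    """Return (user, chroot_dir) for each log line that records a chroot."""
    uses = []
    for line in log_text.splitlines():
        m = LOG_CHROOT_RE.search(line)
        if m:
            # The invoking user precedes the first " : " in sudo's format.
            user = line.split(" : ", 1)[0].split()[-1]
            uses.append((user, m.group(1)))
    return uses


# Constructed samples (not real configuration or logs).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults runchroot=/srv/jail
# CHROOT=/old/comment/only
alice ALL=(root) CHROOT=/srv/jail /usr/bin/id
bob   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""
SAMPLE_LOG = """\
Jul  1 10:00:00 host sudo:    alice : TTY=pts/0 ; CHROOT=/srv/jail ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jul  1 10:00:05 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status
Jul  1 10:00:09 host sudo:    carol : TTY=pts/2 ; CHROOT=/home/carol/jail ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
"""


if __name__ == "__main__":
    try:
        version = installed_sudo_version()
        print(version, "affected upstream range:", is_affected_upstream(version))
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print("could not determine sudo version:", exc)
    print(find_chroot_directives(SAMPLE_SUDOERS))
    print(chroot_uses_in_log(SAMPLE_LOG))
```

A CHROOT= target under /tmp or a home directory in the log output is worth a closer look, since legitimate runchroot deployments point at a fixed, root-owned tree; note that a successful exploit executes its payload before Sudo reaches its logging path, so absence of log lines is not evidence of absence.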
- Original Bash PoC: Stratascale Cyber Research Unit (CRU)
- Vulnerability Discovered by: Rich Mirch (CRU)
- Maintainer Acknowledgement: Todd C. Miller (Sudo Project)
- Advisory: https://www.sudo.ws/security/advisories/chroot_bug/
This Python PoC is released under the MIT License. The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.
