https://cve.circl.lu/comments/feed 2025-09-16T20:03:38.970672+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://cve.circl.lu/comment/0a71f125-a137-48db-a374-4ea54b4c1e4d 2025-09-16T20:03:38.976823+00:00 Cédric Bonhomme http://cve.circl.lu/user/cedric > **DISCLAIMER** > > This code is for **educational and research purposes only.** > > Do not use it on systems you do not own or have permission to test. > > The author is **not responsible** for any misuse, damage, or legal consequences resulting from the use of this code. # sudo chroot PrivEsc PoC (CVE-2025-32463) [This is an implementation](https://github.com/morgenm/sudo-chroot-CVE-2025-32463) of the sudo chroot vulnerability ([CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)) exploit I wrote in Rust based on [sudo's advisory](https://www.sudo.ws/security/advisories/chroot_bug/) and the [Stratascale advisory](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot). The exploit allows you to run arbitray code in the form of a shared library due to a bug in how sudo handles chroot. When passing the chroot option to sudo, you can provide a malicious `/etc/nsswitch.conf` file within the chroot directory that tells sudo to load an arbitrary shared object. This PoC abuses this in order to grant root access to an unprivileged user. ## Usage ### Default PrivEsc Payload Using the provided binaries under `Releases`, simply run the following to gain `root`: ```bash ./sudo_chroot_exploit ``` This uses a shared library payload which simply spawns a root shell. ### Custom payloads The payload code (C) is provided under `/payload`. There is also a `Makefile` provided for building the code. You can modify or replace the payload as you see fit. To specify a different payload than the default, you can run the following command: ```bash /sudo_chroot_exploit -i custom_payload.so ``` 2025-07-11T20:44:35.027852+00:00