{"uuid": "0a71f125-a137-48db-a374-4ea54b4c1e4d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Proof Of Concept for CVE-2025-32463", "description": "> **DISCLAIMER**\n>\n> This code is for **educational and research purposes only.** \n>\n> Do not use it on systems you do not own or have permission to test.\n>\n> The author is **not responsible** for any misuse, damage, or legal consequences resulting from the use of this code.\n\n# sudo chroot PrivEsc PoC (CVE-2025-32463) \n\n[This is an implementation](https://github.com/morgenm/sudo-chroot-CVE-2025-32463) of the sudo chroot vulnerability ([CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)) exploit I wrote in Rust based on [sudo's advisory](https://www.sudo.ws/security/advisories/chroot_bug/) and the [Stratascale advisory](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot). \nThe exploit allows you to run arbitrary code in the form of a shared library due to a bug in how sudo handles chroot.\n\nWhen passing the chroot option to sudo, you can provide a malicious `/etc/nsswitch.conf` file within the chroot directory that tells sudo to load an arbitrary shared object. This PoC abuses this in order to grant root access to an unprivileged user. \n\n## Usage\n### Default PrivEsc Payload\nUsing the provided binaries under `Releases`, simply run the following to gain `root`:\n\n```bash\n./sudo_chroot_exploit\n```\n\nThis uses a shared library payload which simply spawns a root shell.\n\n### Custom payloads\nThe payload code (C) is provided under `/payload`. There is also a `Makefile` provided for building the code. 
You can modify or replace the payload as you see fit.\nTo specify a different payload than the default, you can run the following command:\n```bash\n./sudo_chroot_exploit -i custom_payload.so\n```", "description_format": "markdown", "vulnerability": "CVE-2025-32463", "creation_timestamp": "2025-07-11T20:44:35.027852+00:00", "timestamp": "2025-07-11T20:44:35.027852+00:00", "related_vulnerabilities": ["CVE-2025-32463"], "meta": [{"ref": ["https://github.com/morgenm/sudo-chroot-CVE-2025-32463"]}], "author": {"login": "cedric", "name": "C\u00e9dric Bonhomme", "uuid": "af0120d0-3dac-4a6a-974b-a9f33d2a9846"}}
