DISCLAIMER

This code is for educational and research purposes only.

Do not use it on systems you do not own or have permission to test.

The author is not responsible for any misuse, damage, or legal consequences resulting from the use of this code.

sudo chroot PrivEsc PoC (CVE-2025-32463)

This is an implementation of the sudo chroot vulnerability (CVE-2025-32463) exploit I wrote in Rust based on sudo's advisory and the Stratascale advisory. The exploit allows you to run arbitrary code in the form of a shared library due to a bug in how sudo handles the chroot option.

When passing the chroot option to sudo, you can provide a malicious /etc/nsswitch.conf file within the chroot directory that tells sudo to load an arbitrary shared object. This PoC abuses that behavior to grant root access to an unprivileged user.

Usage

Default PrivEsc Payload

Using the provided binaries under Releases, simply run the following to gain root:

./sudo_chroot_exploit

This uses a shared library payload which simply spawns a root shell.

Custom payloads

The payload code (C) is provided under /payload, along with a Makefile for building it. You can modify or replace the payload as you see fit. To specify a payload other than the default, run the following command:

./sudo_chroot_exploit -i custom_payload.so

Related vulnerabilities
