Rooting with chwoot: Deep Dive into CVE-2025-32463

-


Discovered in Sudo version 1.9.15 and fixed in 1.9.17p1, CVE-2025-32463 is a logic vulnerability that allows an attacker to load arbitrary `.so` libraries via a controlled `nsswitch.conf` path, leveraging unsafe pivot root logic. This blog walks through the vulnerability analysis, control flow trace, and source code references.

Ref:

  • Vulnerability Advisory
  • Exploit
    • Maybe it will not work with you if this happens, try to write your own vulnerable directory, and try the exploit after understanding it.

Background

Sudo is a widely used tool that allows users to run commands with elevated privileges. In version "1.9.15", a vulnerable code path allowed privilege escalation by abusing a (pivot_root + chroot) sequence in combination with dynamic library loading through "nsswitch.conf".

The vulnerable behavior was removed in the patched version 1.9.17p1.

What is NSSwitch

NSS stands for Name Service Switch It's the system responsible for resolving user, group, host, and service information. Controlled by the file: bash Copy Edit "/etc/nsswitch.conf"

When your system calls getpwnam, glibc reads the contents of nsswitch.conf to determine how to locate user data. For example, if we used the following file:

passwd: files systemd

It means using passwd for "/etc/passwd" and "systemd".

Why is this useful in the exploit? If we used the following file

passwd: flexdb

The glibc will try to load "/lib/lbnss_flexdb.so.2" if this file is controlled by the attacker and binary runes with root the attacker will do privilege escalation.

Key Problem

  • pivot_root(): changes the root directory to a user-controlled location (e.g. woot).
  • Later, during authentication after pivot call, these functions are called (check_user → sudo_auth_init → sudo_passwd_init), Sudo uses `dlopen()` to load the NSS shared object "libnss_*.so.2" based on the modified root.
  • This leads to arbitrary ".so" loading, resulting in code execution as root.

Debugging

First to compile "sudo" with debug to be used with GDB, you can remove sudo if not needed and change the path

To use gdb with sudo, in this case, we can use


This is the tree of the exploit directory:

If we used this setup, it would gain root access:

if you checked the above trace call of the functions the issue happen when the binary calls "set_cmnd_path" which call "(un)pivot_root" the call came from "sudoers.c:1104" in debug you can breakpoint on the previous file with the line or "set_cmnd_path+379" and you can breakpoint using the filename and line number because of debug (-g) mode compile.

The "pivot_root" and "unpivot_root" functions from "pivot.c" calls "chroot" to the current directory which we control and here is the issue.

when we continue the execution flow after "pivot_root" after that it will function "check_user" at "sudoers.c:468" and will continue as follows:

The call of "asprintf" from GDB that set the path for "libnss" so path:

the final value will be "libnss_/woot1337.so.2", the call of "__libc_dlopen_mode" from GDB:

You can find the "libnss" so file that we will load "libnss_/woot1337.so.2" and here is the load of the controlled so library that will give us a shell, and you can see the backtrace of the functions.

We compiled the exploit so file with

~$ gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

And the source code is:

Finally, when we exploit the vulnerability using the following:

The NSS file will be:

Try to do the debugging process by yourself, and you will learn a lot.

Vulnerable Flow – sudo-1.9.15

Here is a high-level trace of the vulnerable control flow starting from main():


Safe Flow – sudo-1.9.17p1

In the patched version, the pivot_root() logic is completely removed

Vulnerability Mechanics

The core vulnerability arises from:
  • Calling "pivot_root()" inside "set_cmnd_path()", effectively sandboxing the process in a new root (woot) current directory.
  • This new root affects how paths are resolved, including NSS ".so" libraries that are dynamically loaded using "dlopen()" based on "nsswitch.conf".
  • dlopen() attempts to load paths like "libnss_files.so.2" under the "new root', allowing the attacker to provide a malicious shared object at the expected location (libnss_*.so.2).

Exploitation Path

  • Write malicious ".so" (e.g., "libnss_/woot1337.so.2") in attacker-controlled root.
  • Modify "nsswitch.conf" to point to "woot1337" in "passwd" line.
  • Trigger sudo with an environment that executes "dlopen()" through "getspnam()".

to check: why we have to add "/" to be "libnss_/woot1337.so.2" why we can not leave it to be "libnss_woot1337.so.2"?

PoC Reminder

You can build a proof-of-concept by:
  • Create folder "libnss_"
  • Creating a fake root with "libnss_/woot1337.so.2"
  • Editing "/etc/nsswitch.conf" to point to "woot1337" under "passwd"
  • Running "sudo" with crafted setup (in a container/VM).

References:

Thanks.




Comments

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

[Debug/Exploit CVE-2022-24355] TP-Link TL-WR940N Stack-based Buffer Overflow

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) We will try to debug and exploit CVE-2022-24355, i wanna thank my friend Sameh ( s4muii ) for his help through this exploit. It was a little bit hard because this is my first time with MIPS. The Exploit on  GitHub . About the Bug TP-Link TL-WR940N router's firmware before v5_211111 is vulnerable to Stack Overflow, the vulnerability in "httpd" binary in function "httpRpmFs" and we can know that from ZDI report (https://www.zerodayinitiative.com/advisories/ZDI-22-265/) we will try to reproduce this finding in firmware "v4_160617" which will be emulated in our device because we do not have the router itself.
Read more