Sudo chroot

Introduction

The Stratascale Cyber Research Unit (CRU) recently discovered multiple local privilege escalation vulnerabilities in sudo. This research focuses on CVE-2025-32463, a flaw in the rarely used --chroot (-R) option that allows a local user to escalate privileges to root, even in tightly restricted environments where sudo access appears minimal.

What is sudo

On almost every Unix-like system, sudo is a foundational privilege management tool that allows users to execute commands as another user—typically root. It plays a critical role in enforcing the principle of least privilege, enabling administrators to delegate specific administrative tasks without revealing the root password. Additionally, sudo ensures accountability by logging every privileged action to system logs, creating an audit trail essential for monitoring, auditing, and forensic investigations.

On June 28, 2025, security researcher Rich Mirch of the Stratascale Cyber Research Unit disclosed a critical vulnerability in sudo related to its --chroot option. This vulnerability is tracked as:

CVE-2025-32463 — Sudo Chroot Privilege Escalation

This bug was rated critical due to its minimal requirements for exploitation and the complete root compromise it enables.

Summary of the Vulnerability:

• CVSS v3.1 Score: 9.3 (Critical)

• Impact: Allows local privilege escalation to root, even when a user is confined to a chroot environment

• Affected Versions: sudo stable 1.9.14 - 1.9.17

  Exploitation has been verified on:

  • Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2

  • Fedora 41 Server; Sudo 1.9.15p5

  Legacy versions (<= 1.8.32) are not affected, as the --chroot feature did not exist prior to sudo 1.9.14.

• Discovered by: Rich Mirch of the Stratascale Cyber Research Unit

• Patched in: sudo 1.9.17p1, released June 30, 2025

Remediation

• Install sudo 1.9.17p1 or later.

• Visit https://www.sudo.ws/security/advisories/chroot_bug for additional information

Impact

The default sudo configuration is vulnerable in versions where the --chroot option is supported. Although this vulnerability involves the sudo -R (chroot) feature, it does not require any custom sudoers rules to be defined for a specific command. If a user is allowed to invoke sudo -R—even with minimal privileges—they may be able to exploit this vulnerability to gain full root access.

This means that any local unprivileged user could potentially escalate privileges to root if a vulnerable version of sudo is installed and the -R option is accessible to them. Importantly, the exploit does not depend on network access, remote code execution, or any kernel-level vulnerability. It abuses how sudo interacts with the Name Service Switch (NSS) mechanism from within a chrooted environment.

Exploitation has been verified on:

• Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2

• Fedora 41 Server; Sudo 1.9.15p5

What is chroot

chroot short for “change root”, is a Unix/Linux feature that lets you change the apparent root directory (/) for the current process and its children. It’s often used for sandboxing or recovery environments, but it was never designed as a security feature.

Once inside a chroot, the process sees the specified directory as /, and cannot see or access anything “outside” of it.

You might use chroot when:

• You want to run a program in isolation, away from the real system files

• You're compiling or testing software in a clean environment

• You're setting up a basic development jail for untrusted code

Let’s walk through a basic example to simulate what a chroot environment looks like.

Step 1: Create a fake root directory structure

mkdir -p ~/chroot_env/{bin,lib64,etc}

Step 2: Copy a statically linked binary

cp /bin/bash ~/chroot_env/bin/

Step 3: Enter the chroot

sudo chroot ~/chroot_env /bin/bash

Now inside the chroot:

• Your root / is actually ~/chroot_env/

• Commands like ls, find, and /etc/passwd do not exist unless explicitly copied in

• You’re in a sandboxed view of the filesystem

Here’s what the shell looks like:

user@kali:~$ sudo chroot ~/chroot_env /bin/bash
bash-5.2# cd /
bash-5.2# ls
bash: ls: command not found
bash-5.2# find .
bash: find: command not found
bash-5.2# echo *
bin lib lib64
bash-5.2# echo bin/*
bin/bash

chroot ≠ Security

Even though chroot limits the visible filesystem, it does not prevent privilege escalation or full system access if:

• The process is running as root inside the chroot

• The attacker retains open file descriptors to outside paths

• The program inside the chroot loads libraries or configuration from outside (e.g., NSS)

In fact, this lack of isolation is exactly what makes CVE-2025-32463 dangerous: sudo -R assumes chroot isolation, but under certain conditions, it loads attacker-controlled code as root from outside the chroot.