Exploiting sudoedit security flaw (CVE-2023-22809)

While auditing sudo, Synacktiv identified a privilege escalation in sudoedit when a user is authorized to use it by the sudoers policy. This vulnerability was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1 inclusive.

Sudo uses user-provided environment variables to let its users select their editor of choice. The content of these variables extends the actual command passed to the sudo_edit() function. However, the latter relies on the presence of the -- argument to determine the list of files to edit. The injection of an extra -- argument in one of the authorized environment variables can alter this list and lead to privilege escalation by editing any other file with privileges of the RunAs user. This issue occurs after the sudoers policy validation.

The sequence of events:

1. The sudo front-end sends a policy check request to the sudoers module indicating that the user has run sudoedit, including the list of files to be edited.

2. The sudoers policy module uses the sudoers file (or LDAP) to determine whether the user is allowed to edit the file(s).

3. If the policy check succeeds, the sudoers policy module chooses an editor based on the SUDO_EDITOR, VISUAL and EDITOR variables in the user's environment. If none of SUDO_EDITOR, VISUAL or EDITOR is set, the first program listed in the editor sudoers option is used.

4. The sudoers module constructs a new argument vector consisting of the selected editor. If the editor contains command line options, it is split into multiple arguments.

5. A "--" separator is appended to the argument vector, followed by the list of files to be edited. This argument vector is passed back to the sudo front-end.

6. The sudo front-end uses the "--" separator to determine which files are to be edited. Temporary copies are made of the files with the owner set to the invoking user.

7. The sudo front-end constructs a new argument vector which consists of all the elements before the "--" separator (the editor) followed by the temporary file paths. The new argument vector is run as the invoking user.

8. The temporary files are copied back to their original location and the temporary versions are removed.

As seen below, the user 'usman' is granted sudoedit privileges for the '/etc/crontab' file only.


Because the sudoers module reads the editor from the user's environment, the user 'usman' sets the 'EDITOR' variable to a value that makes sudoedit open the '/etc/shadow' file with the nano editor.

This should not be possible, since 'usman' has no sudoedit privileges on '/etc/shadow'; the 'double dash' placed before '/etc/shadow' in the EDITOR value is what lets the user bypass the privilege validation check.


The command "EDITOR='nano -- /etc/shadow' sudoedit /etc/crontab" bypasses the privilege validation check because that check is performed only on the 'sudoedit /etc/crontab' part of the command, which the user is allowed to run. The extra '--' injected through EDITOR is then treated by the front-end as the separator before the file list, so '/etc/shadow' is opened in nano and can be edited.


Impact

This vulnerability allows a user authorized to edit a file using sudoedit to edit other files as the configured RunAs user. If no users have been granted access to sudoedit there is no impact.

Solution

The bug is fixed in sudo 1.9.12p2. An additional check has been added to ensure that the user’s editor does not contain a “--” argument.
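The argument-vector handling from steps 4 to 7 above, together with the extra check the fix adds, as a simplified Python model. This is an added illustration, not sudo's own C code: it assumes the editor value is split on whitespace and that the front-end takes everything after the first "--" as the file list, which is enough to show why an injected "--" changes the edited files and how the hardened check refuses it.

```python
"""Simplified model of how sudoedit builds and consumes its argument vector.

Pre-1.9.12p2 behaviour is modelled next to the hardened check from the fix.
Illustrative Python only; not sudo's implementation.
"""


def split_editor(editor_value: str) -> list[str]:
    """Split the SUDO_EDITOR/VISUAL/EDITOR value into arguments.

    Assumption: whitespace splitting is close enough to sudo's behaviour
    for this model.
    """
    return editor_value.split()


def build_argv(editor_value: str, approved_files: list[str],
               hardened: bool = False) -> list[str]:
    """Policy-module side: editor args, then '--', then the approved files.

    With hardened=True, an editor that itself contains a '--' argument is
    rejected, which is the additional check described in the advisory.
    """
    editor_args = split_editor(editor_value)
    if hardened and "--" in editor_args:
        raise ValueError("editor contains a '--' argument; refusing to run")
    return editor_args + ["--"] + approved_files


def files_from_argv(argv: list[str]) -> list[str]:
    """Front-end side: everything after the first '--' is a file to edit."""
    separator = argv.index("--")
    return argv[separator + 1:]


def edited_files(editor_value: str, approved_files: list[str],
                 hardened: bool = False) -> list[str]:
    """Files the front-end would open for a given editor value and policy."""
    return files_from_argv(build_argv(editor_value, approved_files, hardened))


def is_editor_safe(editor_value: str) -> bool:
    """True when the editor value carries no '--' argument (what the fix checks)."""
    return "--" not in split_editor(editor_value)


if __name__ == "__main__":
    # Constructed sample: policy approves /etc/crontab only.
    approved = ["/etc/crontab"]
    print("plain editor ->", edited_files("nano", approved))
    print("injected '--' ->", edited_files("nano -- /etc/shadow", approved))
    print("hardened check rejects:", not is_editor_safe("nano -- /etc/shadow"))
```

The vulnerable path shows a file the policy never approved landing in the front-end's file list; the hardened path raises before the argument vector is ever handed back.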
