Sudoedit Local Privilege Escalation Vulnerability (CVE-2023–22809)
On January 18th, 2023, Synacktiv released an advisory regarding a vulnerability in sudo (CVE-2023–22809). This vulnerability allows users to escalate their privilege. Once a user has sudo privilege it’s pointless to say that is “what all he can do in that system”!!!!
But to exploit the vulnerability It requires two conditions to be met 1.
- The first condition is that the sudoers policy (or in other words, the system policy for super user elevation) must allow users to edit any individual file on the system using sudoedit or sudo -e.
- The second condition is that users must specify an editor that relies on “ — ” arguments to determine the list of files to edit.
What is sudo?
In a Linux-based system, sudo (short for “super user do”) allows users to run commands that require elevated privileges. An example might be to install updates or to move a file to a protected directory.
How sudo Works?
When a user tries to execute the sudo command, It first checks the user's permissions in a configuration file “/etc/sudoers/” This contains a list of users and their corresponding permissions. If the user is authorized to run the command using “sudo” then they will be asked to enter their password to confirm their identity before the command is executed with elevated privileges. Another way is if the user is listed in the sudoers file with the NOPASSWD option. This allows the user to run either one command or all commands as root without confirming a password.
The detailed Technical analysis of sudo :
From the technical analysis released by SYNACKTIVE, the sudoers program calls the sudoers_policy_main() function, which is responsible for handling the lookup and validation of the policy using the sudoers_lookup() function
Exploitation:-
A vulnerable sudoers policy file would contain a few lines that look something like this:
tester ALL=(root) NOPASSWD: sudoedit /etc/someprivledgedfile
Exploiting Tool:
Whats is the code all about:
Part 1: The code is trying to detect whether the current version is vulnerable or not.
"sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0–9]1?(p[1–3])?|1\.9\.12p1)$'". If it is not vulnerable, print "> Currently installed sudo version is not vulnerable" and exit with error code 1.
fi
Part 2: The second part of the script checks if the current user has permission to run “sudoedit” or “sudo -e” commands with root privileges, which can potentially be used to escalate privileges.
Part3:The third part of the script displays a message instructing the user to add a line to the sudoers file, which allows the current user to run any command with root privileges.
Video of Exploitation:-