URL: https://www.sudo.ws/security/advisories/sudoedit_any/
SUDOEDIT CAN EDIT ARBITRARY FILES

Jan 18, 2023

A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user
with sudoedit privileges to edit arbitrary files.


SUDO VERSIONS AFFECTED:

Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo
prior to 1.8.0 construct the argument vector differently and are not affected.
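The version range above is easy to misjudge by eye because sudo appends a “pN” patch level to some releases (1.9.12p1 is later than 1.9.12, and 1.9.12p2 is the fix). The following triage helper is an added example, not part of the advisory or the sudo project: it parses sudo’s version syntax into a comparable tuple and reports whether a given version falls inside the affected range. The “Sudo version …” line it extracts is the first line printed by `sudo -V`; the sample output strings in the test are constructed.

```python
import re

# Affected range as stated in the advisory: 1.8.0 through 1.9.12p1 inclusive.
FIRST_AFFECTED = "1.8.0"
LAST_AFFECTED = "1.9.12p1"

# sudo versions look like MAJOR.MINOR.PATCH with an optional "pN" patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(version: str) -> tuple:
    """Turn a sudo version string such as '1.9.12p1' into a comparable tuple.

    A missing "pN" suffix is treated as p0, so '1.9.12' < '1.9.12p1' < '1.9.12p2'
    compares the way sudo itself orders releases.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_affected(version: str) -> bool:
    """True if the upstream version lies within the advisory's affected range."""
    parsed = parse_sudo_version(version)
    return parse_sudo_version(FIRST_AFFECTED) <= parsed <= parse_sudo_version(LAST_AFFECTED)


def version_from_sudo_output(text: str) -> str:
    """Pull the version out of `sudo -V` output, whose first line reads
    'Sudo version X.Y.ZpN'."""
    match = re.search(r"^Sudo version (\S+)", text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Sudo version' line found in output")
    return match.group(1)


if __name__ == "__main__":
    # Constructed sample of the first lines `sudo -V` prints on an affected build.
    sample_output = "Sudo version 1.9.12p1\nSudoers policy plugin version 1.9.12p1\n"
    ver = version_from_sudo_output(sample_output)
    print(f"sudo {ver}: {'affected' if is_affected(ver) else 'not affected'}")
```

A version check is only a first pass: distribution packages often carry a backported fix under the original upstream version number, so confirm against the distribution’s own advisory or changelog before concluding that a host is vulnerable.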


CVE ID:

This vulnerability has been assigned CVE-2023-22809 in the Common
Vulnerabilities and Exposures database.


DETAILS:

When invoked as sudo -e or sudoedit, sudo can be used to edit privileged files
while running the editor as an unprivileged user. The sudoers policy file
determines whether or not a user is allowed to edit the specified files. The
expected behavior is for the sudoers policy module to pass back an argument
vector to the sudo front-end that contains the editor to execute along with the
files to be edited, separated by a “--” argument.

The sequence of events is as follows:

 1. The sudo front-end sends a policy check request to the sudoers module
    indicating that the user has run sudoedit which includes the list of files
    to be edited.

 2. The sudoers policy module uses the sudoers file (or LDAP) to determine
    whether the user is allowed to edit the file(s).

 3. If the policy check succeeds, the sudoers policy module chooses an editor
    based on the SUDO_EDITOR, VISUAL and EDITOR variables in the user’s
    environment. If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first
    program listed in the editor sudoers option is used.

 4. The sudoers module constructs a new argument vector consisting of the
    selected editor. If the editor contains command line options, it is split
    into multiple arguments.

 5. A “--” separator is appended to the argument vector, followed by the list of
    files to be edited. This argument vector is passed back to the sudo
    front-end.

 6. The sudo front-end uses the “--” separator to determine which files are to
    be edited. Temporary copies are made of the files with the owner set to the
    invoking user.

 7. The sudo front-end constructs a new argument vector which consists of all
    the elements before the “--” separator (the editor) followed by the
    temporary file paths. The new argument vector is run as the invoking user.

 8. The temporary files are copied back to their original location and the
    temporary versions are removed.

A vulnerability exists if the user-specified editor also contains a “--”
argument. This will trick the sudo front-end into treating everything after the
“--” argument in the editor as a file to be edited, even if the sudoers policy
would not otherwise allow it.


IMPACT:

Exploitation of the bug requires that the sudoers file be configured to allow
the malicious user to run sudoedit. If no users have been granted access to
sudoedit there is no impact.


WORKAROUND:

It is possible to prevent a user-specified editor from being used by sudoedit by
adding the following line to the sudoers file.

Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"


To restrict the editor when editing specific files, a Cmnd_Alias can be used,
for example:

Cmnd_Alias              EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD      env_delete+="SUDO_EDITOR VISUAL EDITOR"
user                    ALL = EDIT_MOTD
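To make the eight-step sequence, the “--” confusion it allows, and the two defences (the env_delete workaround above and the editor check described under FIX) concrete, here is a small Python model of the sudoedit argument-vector handshake. It is an added example written for this page, not code from the sudo project, and it simplifies the real C implementation: the policy is a constructed one-file allow list, the fallback editor stands in for the sudoers `editor` option, the front-end is modelled as “everything after the first ‘--’ is a file”, and the path `/placeholder/not/in/policy` is a constructed placeholder. Where exactly sudo 1.9.12p2 places its check is not stated in the advisory; the model applies it when the editor is resolved.

```python
import shlex

# Constructed stand-in for the sudoers policy (step 2): the only file this
# hypothetical user is allowed to sudoedit.
ALLOWED_FILES = frozenset(["/etc/motd"])

# Stand-in for the first program listed in the sudoers "editor" option,
# used when none of SUDO_EDITOR, VISUAL or EDITOR is set (step 3).
DEFAULT_EDITOR = "vi"


def resolve_editor(env: dict) -> list:
    """Steps 3-4: choose the editor from the user's environment and split any
    command line options into separate arguments.  With the env_delete
    workaround applied, the three variables are absent from env and the
    sudoers default is used instead."""
    for var in ("SUDO_EDITOR", "VISUAL", "EDITOR"):
        if env.get(var):
            return shlex.split(env[var])
    return shlex.split(DEFAULT_EDITOR)


def editor_is_safe(editor_argv: list) -> bool:
    """The additional check described under FIX: the editor's own argument
    list must not contain a "--" argument."""
    return "--" not in editor_argv


def policy_build_argv(env: dict, files: list, hardened: bool):
    """Steps 2-5 on the sudoers-module side.  Returns the argument vector
    passed back to the front-end, or None if the request is refused."""
    if any(f not in ALLOWED_FILES for f in files):
        return None  # step 2: policy does not permit one of the files
    editor_argv = resolve_editor(env)
    if hardened and not editor_is_safe(editor_argv):
        return None  # fixed behaviour: refuse an editor containing "--"
    return editor_argv + ["--"] + list(files)  # step 5


def frontend_split(argv: list) -> tuple:
    """Steps 6-7 on the front-end side (simplified model): everything before
    the first "--" is the editor, everything after it is treated as a file to
    copy to a temporary location and edit."""
    sep = argv.index("--")
    return argv[:sep], argv[sep + 1:]


def sudoedit(env: dict, files: list, hardened: bool):
    """One simulated sudoedit run.  Returns the list of files the front-end
    would actually edit, or None if the request was refused."""
    argv = policy_build_argv(env, files, hardened)
    if argv is None:
        return None
    _editor, edited = frontend_split(argv)
    return edited


def files_outside_policy(edited: list) -> list:
    """Audit helper: which edited files were never approved by the policy?
    A non-empty result is the signature of the flaw."""
    return [f for f in edited if f not in ALLOWED_FILES]


if __name__ == "__main__":
    # Editor value carrying its own "--" followed by a constructed placeholder
    # path that the policy does not allow.
    bad_env = {"EDITOR": "vi -- /placeholder/not/in/policy"}
    print("unfixed:     ", sudoedit(bad_env, ["/etc/motd"], hardened=False))
    print("fixed:       ", sudoedit(bad_env, ["/etc/motd"], hardened=True))
    print("env_delete:  ", sudoedit({}, ["/etc/motd"], hardened=False))
```

Running the model with the unfixed behaviour shows the placeholder path turning up in the front-end’s file list even though only /etc/motd was approved; the hardened path refuses the request outright, and the env_delete workaround sidesteps the problem by never consulting the user’s editor variables at all, which is why it works on unpatched versions.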



FIX:

The bug is fixed in sudo 1.9.12p2. An additional check has been added to ensure
that the user’s editor does not contain a “--” argument.


CREDIT:

Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv for analyzing and
reporting this vulnerability.
