Sudo
GitHub Blog Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Sudoedit can edit arbitrary files

A flaw in exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files.

Sudo versions affected:

Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.

CVE ID:

This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database.

Details:

When invoked as sudo -e or sudoedit, sudo can be used to edit privileged files while running the editor as an unprivileged user. The sudoers policy file determines whether or not a user is allowed to edit the specified files. The expected behavior is for the sudoers policy module to pass back an argument vector to the sudo front-end that contains the editor to execute along with the files to be edited, separated by a “--” argument.

The sequence of events is as follows:

  1. The sudo front-end sends a policy check request to the sudoers module indicating that the user has run sudoedit which includes the list of files to be edited.

  2. The sudoers policy module uses the sudoers file (or LDAP) to determine whether the user is allowed to edit the file(s).

  3. If the policy check succeeds, the sudoers policy module chooses an editor based on the SUDO_EDITOR, VISUAL and EDITOR variables in the user’s environment. If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers option is used.

  4. The sudoers module constructs a new argument vector consisting of the selected editor. If the editor contains command line options, it is split into multiple arguments.

  5. A “--” separator is appended to the argument vector, followed by the list of files to be edited. This argument vector is passed back to the sudo front-end.

  6. The sudo front-end uses the “--” separator to determine which files are to be edited. Temporary copies are made of the files with the owner set to the invoking user.

  7. The sudo front-end constructs a new argument vector which consists of all the elements before the “--” separator (the editor) followed by the temporary file paths. The new argument vector is run as the invoking user.

  8. The temporary files are copied back to their original location and the temporary versions are removed.

A vulnerability exists if the user-specified editor also contains a “--” argument. This will trick the sudo front-end into treating everything after the “--” argument in the editor as a file to be edited, even if the sudoers policy would not otherwise allow it.

Impact:

Exploitation of the bug requires that the sudoers file be configured to allow the malicious user to run sudoedit. If no users have been granted access to sudoedit there is no impact.

Workaround:

It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file.

Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"

To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:

Cmnd_Alias              EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD      env_delete+="SUDO_EDITOR VISUAL EDITOR"
user                    ALL = EDIT_MOTD

Fix:

The bug is fixed in sudo 1.9.12p2. An additional check has been added to ensure that the user’s editor does not contain a “--” argument.

Credit:

Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv for analyzing and reporting this vulnerability.

Buffer overflow in command line unescaping Double free with per-command chroot sudoers rules