[HN Gopher] CVE-2023-22809: Sudoedit can edit arbitrary files ___________________________________________________________________ CVE-2023-22809: Sudoedit can edit arbitrary files Author : accessvector Score : 31 points Date : 2023-01-19 21:05 UTC (1 hours ago) (HTM) web link (seclists.org) (TXT) w3m dump (seclists.org) | dejj wrote: | Why is this a problem, given that one can easily use sudoedit for | privilege escalation already? | | edit: I now realize I have confused sudoedit with visudo | jboy55 wrote: | I read it at first take as if it was "CVE-2023-32049: 'su' has | critical privilege escalation venerability" | arp242 wrote: | Read the link instead of replying based on the title. | michalsustr wrote: | Why would one prefer to add sudoedit X to sudoers rather than | updating file access privileges of X directly? | | Just curious about arguments for this use case. | throw0101c wrote: | > _Why would one prefer to add sudoedit X to sudoers rather | than updating file access privileges of X directly?_ | | Permission complications. | | Software may run as user:group, but you don't want to add | humans to either, and so you allow them to edit a few files as | that user or group from their own account (which also gives you | auditing of changes). Some software _insists_ on files | (directories) have certain permissions so you 're stuff with | them. | | Or you want a centralized place for permissions, so you put | these _sudoedit_ entries in LDAP which can be accessed anywhere | in you network, and so you don 't have to keep track of | individual file permissions on a gazillion systems. | eklitzke wrote: | Sudo basically has an ACL-like system where you can specify | exactly which users/groups can execute which commands as root. | So you can say user foo can execute commands X, Y, and Z as | root and user bar can execute commands W, Y, and Z as root, and | neither user can use sudo to execute any other command as root. | The ACL system isn't for sudoedit specifically, it's a general | feature of sudo. | | As to why you can't just update access privileges of the file, | for most use cases you probably could do that. If you need | something more complicated though you'll have to use some | terrible ACL implementation like the one in sudo or Posix file | ACLs. | throw0101c wrote: | I find it handy that most distros have a CVE look-up 'service': | | * https://security-tracker.debian.org/tracker/CVE-2023-22809 | | * https://ubuntu.com/security/CVE-2023-22809 | | * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-22809 | | Debian has links to the others. | tinus_hn wrote: | Does this really work? The command is supposed to copy the | original file to a temporary file, run the edit command with the | privileges of the original user and then copy the edited file | over the original. Otherwise what's stopping an attacker from | telling the editor to just open another file? | eklitzke wrote: | You're correct but sudoedit itself needs to parse the file list | to know which files to copy to temporary files as you describe. | So in this case you're tricking sudoedit into thinking you want | to edit a different file than the one specified originally on | the command line. | DSMan195276 wrote: | Yeah I had the same confusion, the linked PDF explains it. | Basically sudo determines the list of files to edit after | expanding the `EDITOR` variable into separate arguments, and | the `--` in the argument list (added by `sudo`) is used to | determine where the file arguments provided to `sudoedit` start | in the new argument list. | | By adding your own `--` in the `EDITOR` variable, `sudo` gets | confused and thinks that `--` is the start of the `sudoedit` | file arguments and thus happily copies and edits all the files | after it. | stabbles wrote: | I wonder if this bug in _logic_ (instead of buffer overflows) | would also have been less likely in a different language. Would | it have been more obvious in a language where it 's easier to | work with dynamically allocated arrays and strings? | arp242 wrote: | Looking at the patch[1], probably not. There isn't really a lot | of complex string handling involved; it's basically just | forgetting to forbid "--". I don't really see how any language | choice could help you with this. | | [1]: https://github.com/sudo- | project/sudo/commit/0274a4f3b403162a... | Yajirobe wrote: | goto statement in something as important as sudo? Seriously? | Talk about bad practices. | JoshTriplett wrote: | With my Rust hat on: I don't think that Rust would have solved | this. It might have made the code in question easier to | understand, as you note, but this kind of error can still | happen in any language. | mattpallissard wrote: | Doubtful, failing to sanitize your inputs plagues memory safe | languages too. | dllthomas wrote: | I don't see a change to language, per se, that would have | helped, really. | | A system with more of an object capabilities model could have | helped, though. The goal wasn't really "let the user run their | editor as root (when they ask for it)", but "let the user work | with this particular file from their editor (when they ask for | it)". | syrrim wrote: | Is there a patch, or more detailed explanation of what causes | this? | nequo wrote: | Ubuntu shipped the patch three days ago. The output of `apt | changelog sudo` on 22.04 LTS: sudo | (1.9.9-1ubuntu2.2) jammy-security; urgency=medium | * SECURITY UPDATE: arbitrary file overwrite via sudoedit | - debian/patches/CVE-2023-22809.patch: do not permit editor | arguments to include -- in | plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, | plugins/sudoers/visudo.c. - CVE-2023-22809 * | SECURITY UPDATE: DoS via invalid arithmetic shift in Protobuf-c | - debian/patches/CVE-2022-33070.patch: only shift unsigned | values in lib/protobuf-c/protobuf-c.c. - | CVE-2022-33070 -- Marc Deslauriers | <marc.deslauriers@ubuntu.com> Mon, 16 Jan 2023 07:36:33 -0500 | | There is a detailed explanation on the sudo website: | https://www.sudo.ws/security/advisories/sudoedit_any/ | slaymaker1907 wrote: | There's a detailed writeup mentioned in the post https://www.sy | nacktiv.com/sites/default/files/2023-01/sudo-C.... | binkHN wrote: | I moved to https://man.openbsd.org/doas long ago. ___________________________________________________________________ (page generated 2023-01-19 23:00 UTC)