[HN Gopher] CVE-2023-22809: Sudoedit can edit arbitrary files
___________________________________________________________________
CVE-2023-22809: Sudoedit can edit arbitrary files
Author : accessvector
Score : 31 points
Date : 2023-01-19 21:05 UTC (1 hour ago)
(HTM) web link (seclists.org)
(TXT) w3m dump (seclists.org)
| dejj wrote:
| Why is this a problem, given that one can easily use sudoedit for
| privilege escalation already?
|
| edit: I now realize I have confused sudoedit with visudo
| jboy55 wrote:
| I read it at first take as if it was "CVE-2023-32049: 'su' has
| critical privilege escalation vulnerability"
| arp242 wrote:
| Read the link instead of replying based on the title.
| michalsustr wrote:
| Why would one prefer to add sudoedit X to sudoers rather than
| updating file access privileges of X directly?
|
| Just curious about arguments for this use case.
| throw0101c wrote:
| > _Why would one prefer to add sudoedit X to sudoers rather
| than updating file access privileges of X directly?_
|
| Permission complications.
|
| Software may run as user:group, but you don't want to add
| humans to either, and so you allow them to edit a few files as
| that user or group from their own account (which also gives you
| auditing of changes). Some software _insists_ on files
| (directories) having certain permissions, so you're stuck with
| them.
|
| Or you want a centralized place for permissions, so you put
| these _sudoedit_ entries in LDAP which can be accessed anywhere
| in your network, and so you don't have to keep track of
| individual file permissions on a gazillion systems.
| eklitzke wrote:
| Sudo basically has an ACL-like system where you can specify
| exactly which users/groups can execute which commands as root.
| So you can say user foo can execute commands X, Y, and Z as
| root and user bar can execute commands W, Y, and Z as root, and
| neither user can use sudo to execute any other command as root.
| The ACL system isn't for sudoedit specifically, it's a general
| feature of sudo.
|
| As to why you can't just update access privileges of the file,
| for most use cases you probably could do that. If you need
| something more complicated though you'll have to use some
| terrible ACL implementation like the one in sudo or Posix file
| ACLs.
| throw0101c wrote:
| I find it handy that most distros have a CVE look-up 'service':
|
| * https://security-tracker.debian.org/tracker/CVE-2023-22809
|
| * https://ubuntu.com/security/CVE-2023-22809
|
| * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-22809
|
| Debian has links to the others.
| tinus_hn wrote:
| Does this really work? The command is supposed to copy the
| original file to a temporary file, run the edit command with the
| privileges of the original user and then copy the edited file
| over the original. Otherwise what's stopping an attacker from
| telling the editor to just open another file?
| eklitzke wrote:
| You're correct but sudoedit itself needs to parse the file list
| to know which files to copy to temporary files as you describe.
| So in this case you're tricking sudoedit into thinking you want
| to edit a different file than the one specified originally on
| the command line.
| DSMan195276 wrote:
| Yeah I had the same confusion, the linked PDF explains it.
| Basically sudo determines the list of files to edit after
| expanding the `EDITOR` variable into separate arguments, and
| the `--` in the argument list (added by `sudo`) is used to
| determine where the file arguments provided to `sudoedit` start
| in the new argument list.
|
| By adding your own `--` in the `EDITOR` variable, `sudo` gets
| confused and thinks that `--` is the start of the `sudoedit`
| file arguments and thus happily copies and edits all the files
| after it.
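The argv handling described in the comment above, as an added example (this is a Python model written for this page, not code from sudo, the advisory or the Synacktiv writeup): the sudoers side splits the editor string into words and appends `--` followed by the files named on the `sudoedit` command line; the front end then treats everything after the first `--` as a file to copy out, edit, and copy back as root. The "fixed" builder applies the check Ubuntu's changelog describes (refuse editor arguments that include `--`). The editor-selection order SUDO_EDITOR, VISUAL, EDITOR follows the sudoers manual; the `vi` fallback, the file paths and the function names are assumptions for the model.

```python
"""Model of the CVE-2023-22809 sudoedit argument-list bug (added example)."""
import shlex

# Constructed scenario: the sudoers rule lets this user sudoedit exactly one
# file; the attacker wants root to write a different, unlisted one.
ALLOWED_FILE = "/etc/custom/service.conf"
TARGET_FILE = "/etc/shadow"


def pick_editor(env: dict) -> str:
    """Editor selection in the order the sudoers manual documents:
    SUDO_EDITOR, then VISUAL, then EDITOR. The "vi" fallback stands in for
    sudo's compiled-in default (assumption for this model)."""
    for name in ("SUDO_EDITOR", "VISUAL", "EDITOR"):
        value = env.get(name)
        if value:
            return value
    return "vi"


def build_argv_vulnerable(editor: str, files: list) -> list:
    """Unpatched plugin behaviour as the comment describes it: the editor
    string is split into words, then "--", then the user's files."""
    return shlex.split(editor) + ["--"] + list(files)


def build_argv_fixed(editor: str, files: list) -> list:
    """Patched behaviour per the Ubuntu changelog ("do not permit editor
    arguments to include --"): refuse before any argv is built, so the "--"
    sudo appends is the only one and the split is unambiguous."""
    words = shlex.split(editor)
    if "--" in words:
        raise ValueError("editor arguments may not include --")
    return words + ["--"] + list(files)


def files_from_argv(argv: list) -> list:
    """Front-end side of the model: everything after the FIRST "--" is
    treated as a file to copy to a temp file and, after the editor exits,
    copy back to its original location as root. A second "--" is just
    another token here; real sudo's handling of it is not modelled."""
    try:
        sep = argv.index("--")
    except ValueError:
        return []
    return argv[sep + 1:]


def files_root_will_write(env: dict, requested: list, patched: bool) -> list:
    """End-to-end: which paths root would write back for a given environment
    and sudoedit command line. Raises ValueError when the patched check
    rejects the editor string."""
    editor = pick_editor(env)
    builder = build_argv_fixed if patched else build_argv_vulnerable
    return files_from_argv(builder(editor, requested))


if __name__ == "__main__":
    benign = {"EDITOR": "vim"}
    hostile = {"EDITOR": "vim -- " + TARGET_FILE}   # the trick from the writeup
    print("benign, unpatched :", files_root_will_write(benign, [ALLOWED_FILE], False))
    print("hostile, unpatched:", files_root_will_write(hostile, [ALLOWED_FILE], False))
    try:
        files_root_will_write(hostile, [ALLOWED_FILE], True)
    except ValueError as exc:
        print("hostile, patched  : rejected:", exc)
```

Running it shows the unpatched path listing `/etc/shadow` ahead of the only file the sudoers rule actually permitted, while the patched builder refuses the editor string outright. Note that the hostile string also works through VISUAL or SUDO_EDITOR, since those are consulted first, so a check on EDITOR alone would not be enough.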
| stabbles wrote:
| I wonder if this bug in _logic_ (instead of buffer overflows)
| would also have been less likely in a different language. Would
| it have been more obvious in a language where it's easier to
| work with dynamically allocated arrays and strings?
| arp242 wrote:
| Looking at the patch[1], probably not. There isn't really a lot
| of complex string handling involved; it's basically just
| forgetting to forbid "--". I don't really see how any language
| choice could help you with this.
|
| [1]: https://github.com/sudo-project/sudo/commit/0274a4f3b403162a...
| Yajirobe wrote:
| goto statement in something as important as sudo? Seriously?
| Talk about bad practices.
| JoshTriplett wrote:
| With my Rust hat on: I don't think that Rust would have solved
| this. It might have made the code in question easier to
| understand, as you note, but this kind of error can still
| happen in any language.
| mattpallissard wrote:
| Doubtful, failing to sanitize your inputs plagues memory safe
| languages too.
| dllthomas wrote:
| I don't see a change to language, per se, that would have
| helped, really.
|
| A system with more of an object capabilities model could have
| helped, though. The goal wasn't really "let the user run their
| editor as root (when they ask for it)", but "let the user work
| with this particular file from their editor (when they ask for
| it)".
| syrrim wrote:
| Is there a patch, or more detailed explanation of what causes
| this?
| nequo wrote:
| Ubuntu shipped the patch three days ago. The output of `apt
| changelog sudo` on 22.04 LTS:
|
| sudo (1.9.9-1ubuntu2.2) jammy-security; urgency=medium
|
|   * SECURITY UPDATE: arbitrary file overwrite via sudoedit
|     - debian/patches/CVE-2023-22809.patch: do not permit editor
|       arguments to include -- in plugins/sudoers/editor.c,
|       plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c.
|     - CVE-2023-22809
|   * SECURITY UPDATE: DoS via invalid arithmetic shift in Protobuf-c
|     - debian/patches/CVE-2022-33070.patch: only shift unsigned
|       values in lib/protobuf-c/protobuf-c.c.
|     - CVE-2022-33070
|
|  -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 16 Jan 2023 07:36:33 -0500
|
| There is a detailed explanation on the sudo website:
| https://www.sudo.ws/security/advisories/sudoedit_any/
| slaymaker1907 wrote:
| There's a detailed writeup mentioned in the post:
| https://www.synacktiv.com/sites/default/files/2023-01/sudo-C....
| binkHN wrote:
| I moved to https://man.openbsd.org/doas long ago.
___________________________________________________________________
(page generated 2023-01-19 23:00 UTC)