A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files.
Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.
When invoked as sudo -e or sudoedit, sudo can be used to edit privileged files while running the editor as an unprivileged user. The sudoers policy file determines whether or not a user is allowed to edit the specified files. The expected behavior is for the sudoers policy module to pass back an argument vector to the sudo front-end that contains the editor to execute along with the files to be edited, separated by a “--”.
The sequence of events is as follows:
1. The sudo front-end sends a policy check request to the sudoers module indicating that the user has run sudoedit, which includes the list of files to be edited.
2. The sudoers policy module uses the sudoers file (or LDAP) to determine whether the user is allowed to edit the file(s).
3. If the policy check succeeds, the sudoers policy module chooses an editor based on the SUDO_EDITOR, VISUAL and EDITOR variables in the user’s environment. If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers option is used.
4. The sudoers module constructs a new argument vector consisting of the selected editor. If the editor contains command line options, it is split into multiple arguments.
5. A “--” separator is appended to the argument vector, followed by the list of files to be edited. This argument vector is passed back to the sudo front-end.
6. The sudo front-end uses the “--” separator to determine which files are to be edited. Temporary copies are made of the files with the owner set to the invoking user.
7. The sudo front-end constructs a new argument vector which consists of all the elements before the “--” separator (the editor) followed by the temporary file paths. The new argument vector is run as the invoking user.
8. The temporary files are copied back to their original location and the temporary versions are removed.
A vulnerability exists if the user-specified editor also contains a “--” argument. This will trick the sudo front-end into treating everything after the “--” argument in the editor as a file to be edited, even if the sudoers policy would not otherwise allow it.
Exploitation of the bug requires that the sudoers file be configured to allow the malicious user to run sudoedit. If no users have been granted access to sudoedit there is no impact.
It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file:
    Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:
    Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd
    Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
    user ALL = EDIT_MOTD
The bug is fixed in sudo 1.9.12p2. An additional check has been added to ensure that the user’s editor does not contain a “--” argument.
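The following is an added illustration, not sudo's own code: a small Python model of the argument-vector handling described above, showing how the env_delete workaround and the “--” check added in 1.9.12p2 each close the ambiguity. The function names, the default editor path, the whitespace splitting and the sample values are assumptions made for this example.

```python
EDITOR_VARS = ("SUDO_EDITOR", "VISUAL", "EDITOR")  # checked in this order

def choose_editor(env, sudoers_editor, env_delete=()):
    """Policy side: first editor variable left in the environment, else the sudoers default."""
    for name in EDITOR_VARS:
        if name not in env_delete and env.get(name):
            return env[name]
    return sudoers_editor

def policy_argv(editor, approved_files, reject_separator):
    """Policy side: editor words, then "--", then the files the policy approved."""
    words = editor.split()  # simplified model of splitting editor options
    if reject_separator and "--" in words:  # models the check added in 1.9.12p2
        raise ValueError('editor contains a "--" argument')
    return words + ["--"] + list(approved_files)

def frontend_files(argv):
    """Front-end side: everything after the first "--" is taken as a file to edit."""
    return argv[argv.index("--") + 1:]

def unapproved_files(env, approved_files, *, reject_separator=False, env_delete=()):
    """Files the front-end would open that the policy never approved (model only)."""
    editor = choose_editor(env, "/usr/bin/vi", env_delete)  # constructed default editor
    argv = policy_argv(editor, approved_files, reject_separator)
    return [f for f in frontend_files(argv) if f not in approved_files and f != "--"]

# Constructed sample data: one approved file, one editor value carrying its own "--".
APPROVED = ["/etc/motd"]
BENIGN_ENV = {"EDITOR": "vi -u NONE"}
CRAFTED_ENV = {"EDITOR": "vi -- /constructed/unapproved"}

if __name__ == "__main__":
    print("benign, affected logic: ", unapproved_files(BENIGN_ENV, APPROVED))
    print("crafted, affected logic:", unapproved_files(CRAFTED_ENV, APPROVED))
    print("crafted, env_delete:    ",
          unapproved_files(CRAFTED_ENV, APPROVED, env_delete=EDITOR_VARS))
    try:
        unapproved_files(CRAFTED_ENV, APPROVED, reject_separator=True)
    except ValueError as err:
        print("crafted, fixed logic:    rejected:", err)
```

In the model, the affected logic lets a path the policy never checked reach the front-end's file list, while either mitigation leaves only the approved file or rejects the request outright.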
Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv for analyzing and reporting this vulnerability.