In early 2023, a severe local privilege escalation vulnerability—CVE-2023-22809—was discovered in the popular Unix utility sudo, specifically affecting the sudoedit feature. If a user sets certain environment variables like EDITOR, VISUAL, or SUDO_EDITOR to a crafted value, an attacker can manipulate the list of files that sudoedit processes. This exploit gives them a path to escalate privileges on a system.
Let’s break down CVE-2023-22809, how it works, what versions are vulnerable, and how you can test it yourself, using straightforward language and clear examples.
What is Sudoedit?
sudoedit (invoked with the -e or --edit flag) is a part of the sudo tool that lets users safely edit files as another user, most commonly as root, by editing a temporary copy of the file.
To open a file for editing with sudoedit, the user’s preferred editor is selected based on the SUDO_EDITOR, VISUAL, and EDITOR environment variables.
The Core Problem
Prior to version 1.9.12p2, sudoedit did not properly sanitize extra arguments given in these environment variables. By exploiting this, a local user could trick sudoedit into editing more files than originally intended.
Key detail:
If you set your editor to a value like vim -- /etc/passwd, the string after -- is interpreted as extra files to be edited. Normally, the intent is to only edit a single file, but this trick lets you inject arbitrary filenames—even sensitive files.
Affected versions:
`bash
export EDITOR='vim -- /etc/passwd'
`
This tells sudoedit to run: vim -- [file you request to edit] /etc/passwd
What happens:
Instead of just opening myfile.txt, vim will open **both* myfile.txt and /etc/passwd (which is normally root-only).
Result:
If you have sudoedit privileges for less sensitive files, but not for critical files like /etc/passwd, this trick can lead to unauthorized editing of system-protected files—depending on the sudoers setup, this might let you get root!
Proof of Concept
Below is a simple proof-of-concept showing how to exploit this vulnerability (assuming your user has limited sudoedit rights):
# Set up a crafted EDITOR
export EDITOR='vim -- /etc/shadow'
# Use sudoedit on an allowed file
sudoedit myfile.txt
Check vim’s buffers—you’ll see /etc/shadow listed, and you’ll have write access as root!
*Note: Actual effectiveness depends on sudoers configuration and file permissions.*
Why Does This Happen?
Normally, sudoedit tries to prevent you from specifying absolute paths or editing unauthorized files. But by leveraging --, the editor thinks everything afterwards is a filename—so it bypasses checks that would normally prevent such abuse.
The protection mechanism is defeated because sudoedit trusts the entire string in the environment variable as the name of an "editor", and if that string contains spaces and extra filenames, they get passed on to the shell and interpreted as separate arguments.
Real-World Impact
This bug is particularly dangerous in environments where users are allowed to use sudoedit on specific files but not given unrestricted root access. It could let a local attacker escalate to full root privileges.
Upgrade sudo to version 1.9.12p2 or later.
- Alternatively, unset or tightly control the EDITOR, VISUAL, and SUDO_EDITOR environment variables in your environment and in your sudoers policy.
- Consider using Defaults secure_path and env_reset in your /etc/sudoers file for extra security.
References & Further Reading
- Sudo Project Advisory: CVE-2023-22809
- Qualys Security Blog: CVE-2023-22809
- Red Hat Security: CVE-2023-22809
- Exploit-DB PoC 51514
Conclusion
CVE-2023-22809 is a classic example of how trusting user-provided environment variables can end in disaster, even in mature and widely-used utilities like sudo. If you administer Linux or Unix systems, audit your sudo version and policy today, and always keep a wary eye on editor settings in privilege escalation paths.
Stay safe, patch often, and keep your environment locked down!
Timeline
Published on: 01/18/2023 17:15:00 UTC
Last modified on: 04/03/2023 20:15:00 UTC