CVE CyberSecurity Database News

CVE-2023-27320 - Double Free Vulnerability in Sudo’s Per-Command `chroot` (Before 1.9.13p2)

Poster -

In early 2023, security researchers discovered a significant vulnerability in sudo, a core Unix/Linux command that lets users run commands with elevated privileges. Recorded under CVE-2023-27320, this flaw impacts sudo versions before 1.9.13p2 and involves a double free bug in the relatively new per-command chroot feature.

Let’s break down what this means, why it matters, how the exploit works, and how you can protect yourself — with real code snippets and simple explanations.

What is sudo’s Per-Command chroot?

Starting with sudo 1.9.8, you can define chroot for individual rules in the /etc/sudoers file, like this:

johndoe ALL=(ALL) CHROOT=/my/sandbox /usr/bin/id

This limits the command to a certain part of the filesystem, acting as a basic security boundary.

The Vulnerability: Double Free Explained

A double free bug happens when software tries to free (deallocate) the same chunk of memory twice. This can lead to arbitrary code execution — hackers can use it to run their malicious code as root.

In this case, if a user run a command in a way that triggers the per-command chroot path to be set and then freed more than once, sudo may attempt to free already released memory, potentially opening the door to exploitation.

Below is a simplified version (not the full code) from src/exec.c

if (user_chroot) {
    free(user_chroot);
    user_chroot = NULL;
}
...
if (user_chroot) {
    free(user_chroot); // <- second free!
    user_chroot = NULL;
}

If certain logic conditions are met, free() is called twice on the same pointer.

Who’s Affected?

* All sudo versions before 1.9.13p2
* Systems using per-command chroot in their sudoers rules

Craft a command or input that causes internal logic to hit the double free path

3. Through heap manipulation tricks, use the double free to write arbitrary values or control execution flow

Proof-of-Concept

As of posting, there isn’t a widespread public exploit, but here’s how an attempt *might* look in pseudocode:

sudo -CHROOT=/fakechroot id
# Sudo’s double free triggers in handling the fake chroot

Actual exploitation would need heap grooming and more advanced memory control, likely via a custom C program. For reference, check out double free exploit techniques and how heap exploits work.

Official References

- Sudo Security Advisory (CVE-2023-27320)
- Debian Security Tracker: CVE-2023-27320
- NVD: CVE-2023-27320
- Mitre CVE Record
- GitHub patch PR

`

2. Check your /etc/sudoers for use of per-command chroot.

TL;DR

* CVE-2023-27320 is a double free bug in sudo's per-command chroot feature, allowing possible local root exploits.
* It affects all unpatched sudo versions before 1.9.13p2.
* Patch ASAP and review your sudoers settings.

Stay up to date, stay safe.

> This is an exclusive, original summary of CVE-2023-27320 for the everyday sysadmin and developer community.

Timeline

Published on: 02/28/2023 18:15:00 UTC
Last modified on: 04/13/2023 17:15:00 UTC