module

Sudoedit Extra Arguments Priv Esc

Disclosed
2023-01-18
Created
2023-05-23

Description

This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.
The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided
environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to
append arbitrary entries to the list of files to process. This can lead to privilege escalation.
by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root
privileges.

Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu
22.04 and 22.10.

This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and
1.9.11p3-1ubuntu1 on Ubuntu 22.10.

Authors

h00die
Matthieu Barjole
Victor Cutillas

Platform

Linux

Architectures

x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/local/sudoedit_bypass_priv_esc
msf exploit(sudoedit_bypass_priv_esc) > show targets
...targets...
msf exploit(sudoedit_bypass_priv_esc) > set TARGET < target-id >
msf exploit(sudoedit_bypass_priv_esc) > show options
...show and set options...
msf exploit(sudoedit_bypass_priv_esc) > exploit

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.