CVEs Uncovered: Sudoedit Privilege Escalation (CVE-2023-22809)

Captions
Hello everyone, and welcome back to the CYBER RANGES CVEs Uncovered video series. This is a gripping video series that will take you on a journey through the heart of cyber security's biggest challenges. Join us today as we delve deep into the world of Common Vulnerabilities and Exposures, also known as CVEs, and reveal the stories behind the most severe security breaches of our time.

In this episode we'll be taking a closer look at the sudoedit Linux privilege escalation vulnerability that was discovered in December 2022 and made public in January 2023. The sudoedit vulnerability, assigned the CVE code CVE-2023-22809, was discovered by Matthieu Barjole and Victor Cutillas from the Synacktiv team in December 2022. The vulnerability was identified in the sudoedit function for Unix that allows a malicious actor, or attacker, with sudoedit privileges to edit arbitrary files that they should not have access to. The vulnerability allows a potential bypass of the sudo policy in sudo versions 1.8.0 to 1.9.12p1. In this video we're going to be taking a look at how to identify and exploit this sudoedit vulnerability on Linux in order to elevate our privileges.

Now, in order to follow along with the practical demo, you can actually try out the vulnerability exploitation for yourself by using the free lab available on CYBER RANGES, and the URL for that will be in the description section. This is a completely free lab that you can access: just visit app.cyberranges.com and take a look at the Community CVE playlist, in which you will actually see the sudoedit lab. So you can follow along with the practical demonstration once we've taken a look at a technical analysis of the vulnerability.

All right, so to get started, before we even begin taking a look at how the vulnerability can be exploited in a more practical sense, we need to get a vulnerability overview and take a look at the exploitation steps theoretically, to understand exactly what's going on. As you probably know, we're going to be exploring the sudoedit vulnerability that was assigned the CVE code CVE-2023-22809, and it can be considered a privilege escalation vulnerability.

To begin with, where did this come from? In December 2022, Matthieu Barjole and Victor Cutillas from the Synacktiv team discovered a sudo policy bypass in sudo version 1.9.12p1 when utilizing sudoedit. It was found that successful exploitation of the vulnerability, or misconfiguration, could allow attackers to elevate privileges on Linux by modifying unauthorized files, or files that that user shouldn't be able to access, for example the /etc/passwd file.

Taking a closer look at the timeline: on the 23rd of December 2022 an advisory was sent by the Synacktiv team to Todd Miller, who maintains the sudo utility or binary. On the 5th of January 2023 a patch was released by Todd Miller to mitigate this vulnerability. On the 6th of January 2023 the CVE code CVE-2023-22809 was assigned to the vulnerability, and on the 18th of January 2023 the vulnerability was publicly disclosed. In terms of the affected versions of sudo, you can see that the affected versions range from 1.8.0 to 1.9.12p1, and patches have been made available by most major Linux distributions.

So, taking a closer look at the vulnerability itself, let's understand what's going on here. The vulnerability was identified in the sudoedit function for Unix, or Unix-based operating systems, that essentially allows a malicious attacker with sudoedit privileges to edit arbitrary files. What this means, and this ties into the exploitation requirements, is that if a standard user with no sudo privileges or no root privileges is assigned a sudoedit privilege using the sudoers file or the sudo functionality, let's say to edit a particular file and that file alone, then that pretty much allows that user to elevate their privileges to root by exploiting this vulnerability. So the vulnerability allows a bypass of the sudo policy in sudo versions 1.8.0 to 1.9.12p1.

The vulnerability can only be exploited if the user-specified editor, in the case of sudoedit, contains a double-hyphen argument, and the reason for this is that it tricks the sudo front end into treating everything after the double-hyphen argument in the editor as the file to be edited, even if the sudo policy doesn't permit it. So you're pretty much just taking advantage of the sudoedit functionality, and the functionality that allows users to specify the editor that they would like to use with sudoedit. Part of that can be done either manually, or you can actually set the environment variable and include the double-hyphen argument and specify the file that you'd like to edit in order to elevate your privileges, like the /etc/passwd file. After that you can pretty much open up sudoedit as you would and try to modify the file that the user is supposed to be allowed to edit, and instead of opening that file it'll open up the file that you specified, either in the environment variable or manually. Of course, this will all become clear when we take a look at the demo.

So, the one thing to understand, if you want to get what causes the vulnerability, is sudo. If you're not familiar with Linux or sudo: sudo is pretty much a command-line utility for Unix and Unix-based operating systems like Linux and macOS, and the utility is used to provide an efficient way to temporarily grant users privileged access to system resources, so that they can run commands that they cannot run under the privileges associated with the current account.

Okay, moving on to the technical analysis. sudo can be used to edit privileged files while running the editor as an unprivileged user when sudoedit is invoked, since sudo's policy file determines if the user has permission to edit the specified files. Traditionally speaking, the sudo policy module passes back an argument to the sudo front end that contains the editor to execute and the files to be edited, and that is of course separated by a double-hyphen argument.

So in terms of the exploitation procedure, you start off with the policy check. A policy check request is sent by the sudo front end to the sudo module, indicating that the user has files to be edited, once sudoedit is executed. The sudo module uses the sudoers file to determine whether the user has permission to edit the above files. If the above policy check is successful, then the sudoers module chooses an editor based on the following variables in the user environment, and this is where you can set up the environment variable: you'll typically have the EDITOR variable, which is pretty much standard, most of you should know about it; you then have VISUAL and SUDO_EDITOR. You'll typically see the sudoedit editor environment variable set with the EDITOR variable; that's typically what you'll see. If none of them is set, then the default of the first program listed in the editor sudoers option is used.

The module then creates a new argument from the selected editor and splits it into multiple arguments if the editor has command-line options. The double-hyphen separator is appended to the argument, followed by the list of files to be edited, which is finally passed back to the sudo front end. The double-hyphen separator is used by the sudo front end to determine which files are to be edited. Temporary copies of the files that you would like to edit with sudoedit are created, and they're created with the ownership set to the current user. Once you've made the changes, typically speaking, with sudoedit and you save the file, those changes will then be made to the actual file.

So in this case, what this means is that we can pretty much set up an environment variable on a system that we have access to, specifically with a user that has the sudoedit privilege assigned to them in the sudoers file. It really doesn't matter what file they're allowed to edit; we can pretty much take advantage of it by specifying our own editor value in the EDITOR environment variable, specifying the file that we would like to edit and then just appending a double hyphen to the end. After that point we can just open up the sudoedit command, and it'll, as expected, open up the file that we were supposed to be able to edit, but it'll also open up the file that you would like to edit, and that's where privilege escalation comes into play. So it's fair to say that the most obvious option is to just provide your current user with root privileges by modifying the passwd file, let's say providing that user account with a user ID of zero. The sudo front end creates another argument consisting of all the elements before the double-hyphen separator, followed by the temporary file paths, which the current user executes, and finally the temporary files are copied back to the original location and the temporary versions are removed.

This brings us now to the live demo. I'm going to show you how to get onto the CYBER RANGES platform and how to access the free lab, where you can take a look at how to exploit the vulnerability for yourself. So let me just switch over.

All right, so I'm currently on my browser, and the first thing you need to do to get started with CYBER RANGES is visit the link app.cyberranges.com. If you don't have an account already, you can register for one by clicking on this button right over here. If you already have an account, you can just log in with your credentials. In my particular case I already have an account, but the link to the actual platform will be in the description section, as well as the lab. Once you've created an account and logged in, you can access the lab by navigating to the Community section on the sidebar right over here, and you'll see a playlist of labs called CVE Labs. In there you're going to have a collection of free labs that you can access, like for example the Log4Shell vulnerability, which we took a look at in a previous video, and we then have the CVE-2023-22809 sudoedit privilege escalation lab. You can just click on that and start it, and it's going to take a couple of seconds to start. By the way, the exploitation instructions are also highlighted in the walkthrough for this lab, but we're just going to give it a couple of seconds, maybe a minute, to start up, and I'm going to show you how you can use the lab.

All right, so once the lab is started you will be presented with the following screen, where you're going to be taken directly to the Overview section. On the left here you're going to have a sidebar that has the Overview, which is essentially the walkthrough for this lab and also contains some lab access guidelines, more of which I'll touch on. The walkthrough for this lab will pretty much dive deeper into the vulnerability and the demo that I'll be giving you. You then have Questions pertinent to this particular lab, just to verify your knowledge and understanding of the vulnerability as well as how to identify and exploit it. Under the Services tab is where you'll be able to interact with the system in this lab, and that is an Ubuntu system that is running the vulnerable version of sudo. If you go back into the Overview, you'll see that you'll be provided with access to a standard user account called john, and this particular user has the sudoedit privilege assigned to them so that they can edit a particular file. Now, in this case the file is not really a sensitive file that they should not have access to; instead it's going to be the server's message-of-the-day banner file, and that makes it much more realistic, because realistically speaking this is a file that you'd expect the system administrator, someone maintaining the server, to be able to edit. In this case the user john doesn't have any other sudo privileges and can't run any other command or open up any other file with root privileges, so that's the only thing that they can do, or rather the only file that they can modify.

You can access the lab by clicking on the drop-down here called Services, and you'll be able to pop up a web shell in your browser that will give you access to the actual system. If I go into options I'm going to allow pop-ups here. You can see it's going to give you access to a web SSH session within your browser, and once you load that up you'll be provided with a terminal interface into the lab. So the bottom line is that we're assuming that we've gained access to this system using a standard user account, and that user is called john. You can see I can type in whoami right over here, and we can see that the user is indeed john.

All right, now one thing that I want you to see is, if I say groups john to see what groups john is a part of, we're not part of the sudo group or the wheel group, and if we say cat /etc/sudoers, for example, you can see permission denied. We can use the sudo -l command to list out our privileges for the user john. The password for the user john is outlined in the lab access guidelines, and that's just pass one two three. There we are. So you can see that the user john may run the following commands on Ubuntu: they can pretty much utilize the sudoedit command, or function I should say, and they can only modify the /etc/motd file right over here, which pretty much just prints a banner, the message of the day. Fairly simple to understand.

The bottom line is, if I say sudo /etc/passwd and try to modify it, you can see that it's going to tell us that's not found, and if we try to say, for example, sudo cat /etc/passwd, sorry, my bad, it's going to tell us sorry, the user john is not allowed to execute that particular binary, and they don't have those privileges. So we currently are an unprivileged user; we can't do anything. If we try to cat out the contents of the passwd file, you can see we have the user john here, and ideally we would like to elevate our privileges to that of the root user, or at least modify this file and change the user ID for the user john to zero, essentially telling the Linux system that we are the root user.

So how would we do that? Well, firstly we need to verify and check what version of sudo is running on this Linux system, and indeed you can see that this version, 1.9.9, falls within the affected versions in terms of the sudoedit vulnerability, which is really a sudo vulnerability. So that's the first parameter that we need to check. Now the second parameter, obviously: if I say sudo -l, you can see that the file that we're able to edit is /etc/motd. So if I say sudoedit /etc/motd, you can see I can modify that particular file. Okay, I forgot that this is nano, so I'm just going to exit; no, I do not want to save the modified banner. If I list out the permissions for /etc/motd, the actual file itself, just a second, let's see, we're just going to display that there. Do we have any message-of-the-day file? No, we don't, so they can pretty much create it. But the bottom line is we have that assigned to us and we can leverage this particular privilege or permission assigned to this user.

If we take a look at the environment variables for the user john, we can see that it really doesn't have any of the environment variables that I outlined in the slides, in that the EDITOR has not been defined. So in order to take advantage of this vulnerability we can say export, and then the environment variable we want is called EDITOR, because with sudoedit you can specify what editor you want to use. So we're going to export EDITOR, pretty much creating the environment variable, and we're going to say EDITOR is equal to, and then we specify the editor we would like to use. Now ideally this would be all that you'd need to do. To take advantage of the vulnerability, we then utilize the double hyphen right over here, and we specify the file that we would like to modify in order to elevate our privileges; in that case it would be the /etc/passwd file. That's pretty much all that we need to do. So now if we display the environment variables, you'll be able to see that we have the EDITOR environment variable here that's set to utilize vim and modify the /etc/passwd file.

So in essence, we simply just need to say sudoedit /etc/motd, and it'll firstly open up the passwd file. I'm going to hit enter, and there you go. This is a file that we should not be able to modify. Now, to show you that we are indeed able to make changes, as opposed to it being read-only, we can go to the user john here, and the only thing that we need to do is just change the user ID. I'm going to insert and change that to zero, and then the group ID is going to be zero, essentially telling the Linux system that this is a root user. From that point on we can pretty much save this, so I'm going to write and quit. In this particular case you can see it's going to say please type a command to continue, so we've edited it and we're just going to write and then quit. There we are. So if I just say write, that's been written, and now we can say quit. There we are. It's going to tell us two files to edit, and that the message of the day was left unchanged.

So now if I say cat /etc/passwd right over here, you can see that we have modified that file, and now we can pretty much just say su john, or super user john, put in john's password, hit enter, and we now have root privileges. We've been able to successfully elevate our privileges, so that is an extremely simple vulnerability to exploit. By the way, you can modify any of the files that ideally you should not be able to edit with a standard user account, so pretty much you can edit any files that the root user owns or that the root user alone is allowed to modify. In this case we have been able to elevate our privileges, so if I say cat /etc/shadow, for example, that's a file that we can't even view as a standard user, but in this case you can see that we were able to view it.

So that is how to identify and exploit the sudoedit Linux privilege escalation vulnerability for the purpose of elevating your privileges. All right, so that brings us to the end of this video. Thank you very much for watching. If you found value in this video, then please leave a like. If you have any comments or questions, you can leave them in the comment section, and as I mentioned earlier the lab that we showcased in the practical demonstration is available for free on the CYBER RANGES platform; you can get started by clicking on the link in the description. With that being said, thank you very much, and I'll be seeing you in the next video.
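A defender-side check for what the transcript describes, added here as an example and not code from the video or from the CYBER RANGES lab: it parses the sudo version against the affected range, flags an editor variable that carries the double-hyphen separator, and looks for the env_delete sudoers workaround. The function names and the sample inputs are my own; the workaround line is the one published with the upstream sudo advisory.

```sh
#!/bin/sh
# Added example, not code from the video or the CYBER RANGES lab: a defender-side
# audit for CVE-2023-22809 exposure, using the facts given above (affected sudo
# 1.8.0 through 1.9.12p1; sudoedit takes its editor from SUDO_EDITOR, VISUAL or
# EDITOR; a "--" in that value makes the front end treat what follows as files).

# Turn "1.9.12p1" or "1.9.9" into a zero-padded integer key so versions can
# be compared with -ge/-le. A missing "pN" patch level counts as p0.
version_key() {
  maj=$(printf '%s' "$1" | cut -d. -f1)
  min=$(printf '%s' "$1" | cut -d. -f2)
  rest=$(printf '%s' "$1" | cut -d. -f3)
  [ -n "$rest" ] || rest=0
  rel=${rest%%p*}
  pat=${rest#*p}
  [ "$pat" = "$rest" ] && pat=0
  printf '%d%03d%03d%03d' "$maj" "$min" "$rel" "$pat"
}

# True when the given sudo version lies inside the affected range.
is_affected_version() {
  k=$(version_key "$1"); lo=$(version_key 1.8.0); hi=$(version_key 1.9.12p1)
  [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Extract the version number from `sudo --version` output read on stdin;
# its first line looks like "Sudo version 1.9.9".
parse_sudo_version() {
  awk 'NR==1 && $1=="Sudo" && $2=="version" {print $3; exit}'
}

# True when an editor value carries a standalone "--" word, the trigger the
# transcript describes (e.g. "vim -- /etc/passwd"); "vim -u NONE" is fine.
editor_has_separator() {
  case " $1 " in *" -- "*) return 0 ;; esac
  return 1
}

# True when sudoers text on stdin contains the upstream workaround that drops
# the editor variables for sudoedit:
#   Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
sudoers_has_workaround() {
  grep -Eq '^[[:space:]]*Defaults!sudoedit[[:space:]]+env_delete\+=.*EDITOR'
}

# Run the checks on the live host and print findings (exit status is always 0).
audit_host() {
  v=$(sudo --version 2>/dev/null | parse_sudo_version)
  if [ -n "$v" ] && is_affected_version "$v"; then
    echo "WARN: sudo $v is in the affected range 1.8.0 .. 1.9.12p1"
  else
    echo "ok:   sudo version '${v:-unknown}' is outside the affected range"
  fi
  for var in SUDO_EDITOR VISUAL EDITOR; do
    eval "val=\${$var:-}"
    editor_has_separator "$val" && echo "WARN: $var contains '--': $val"
  done
  if [ -r /etc/sudoers ] && sudoers_has_workaround </etc/sudoers; then
    echo "ok:   sudoers deletes the editor variables for sudoedit"
  else
    echo "info: env_delete workaround not found in /etc/sudoers (or unreadable)"
  fi
}
command -v sudo >/dev/null 2>&1 && audit_host
```

Note that the version check only covers upstream numbering; distributions that backported the fix keep an older version string, so confirm against the distribution's own advisory before acting on a WARN.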
Info
Channel: CYBER RANGES
Views: 889
Keywords: cyber security, cybersecurity, cyber range, cyber ranges, cyberranges, hacker exploit, hacking, kali linux, sudoedit, sudoedit linux privilege escalation, sudo, sudo linux, cve-2023-22809, sudoedit exploit
Id: 59-7Msc3lzg
Length: 21min 28sec (1288 seconds)
Published: Thu Nov 09 2023