Merge pull request #302 from JD2344/sudoedit

Add sudoedit vulnerability - CVE-2023-22809

modules/vulnerabilities/unix/local/sudoedit/manifests/install.pp

@@ -0,0 +1,47 @@
+class sudoedit::install {
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+  $username = $secgen_parameters['unix_username'][0]
+  $password = $secgen_parameters['used_password'][0]
+
+  # Magic touch
+  # EDITOR='nano -- /etc/sudoers' sudoedit /etc/hosts
+
+  # This exploit relies on a user being in sudo group but we dont want access to everything! :) 
+  exec { 'goodbye-sudo':
+    command => "sed -i 's/%sudo/%root/' /etc/sudoers"
+  }
+  -> user { $username:
+    ensure   => present,
+    managehome => true,
+    # Make sure we are in the sudo group
+    groups => 'sudo',
+    shell    => '/bin/bash',
+    password => pw_hash($password, 'SHA-512', 'mysalt'),
+  }
+  # Let access to the hosts file via sudoedit
+  -> exec { 'i-can-edit-now':
+    command => "echo '${username} ALL=(ALL:ALL) sudoedit /etc/hosts' >> /etc/sudoers"
+  }
+  -> file { '/tmp/sudo_1.8.26-2_amd64.deb':
+    ensure => file,
+    source => 'puppet:///modules/sudoedit/sudo_1.8.26-2_amd64.deb',
+  }
+  -> package { 'downgrade sudo':
+    ensure   => installed,
+    provider => dpkg,
+    source   => '/tmp/sudo_1.8.26-2_amd64.deb'
+  }
+
+  # Leak a file containing a string/flag to /root/
+  ::secgen_functions::leak_files { 'sudoedit-file-leak':
+    storage_directory => '/root',
+    leaked_filenames => $leaked_filenames,
+    strings_to_leak => $strings_to_leak,
+    leaked_from => "",
+    mode => '0600'
+  }
+}

modules/vulnerabilities/unix/local/sudoedit/secgen_metadata.xml

@@ -0,0 +1,72 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+    <name>Sudoedit Escalation</name>
+    <author>James Davis</author>
+    <module_license>MIT</module_license>
+    <description>In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments
+        passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR),
+        allowing a local attacker to append arbitrary entries to the list of files to process. This
+        can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem
+        exists because a user-specified editor may contain a "--" argument that defeats a protection
+        mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
+    </description>
+
+    <type>local_priv_escal</type>
+    <privilege>root_rwx</privilege>
+    <access>local</access>
+    <platform>linux</platform>
+    <difficulty>medium</difficulty>
+
+    <read_fact>strings_to_leak</read_fact>
+    <read_fact>leaked_filenames</read_fact>
+
+    <default_input into="strings_to_leak">
+        <generator type="flag_generator" />
+    </default_input>
+
+    <default_input into="leaked_filenames">
+        <generator type="filename_generator" />
+    </default_input>
+
+    <default_input into="unix_username">
+        <generator type="username_generator" />
+    </default_input>
+
+    <default_input into="used_password">
+        <value>tiaspbiqe2r</value>
+    </default_input>
+
+    <conflict>
+        <name>.*Stretch.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Kali.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Windows.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Ubuntu.*</name>
+    </conflict>
+
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+    <CyBOK KA="AB" topic="Models">
+        <keyword>kill chains</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Malicious Activities by Malware">
+        <keyword>cyber kill chain</keyword>
+    </CyBOK>
+</vulnerability>

modules/vulnerabilities/unix/local/sudoedit/sudoedit.pp

@@ -0,0 +1 @@
+include sudoedit::install

scenarios/examples/vulnerability_examples/sudoedit.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>sudoedit</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 web_server -->
+            <value>172.16.0.2</value>
+        </input>
+
+        <vulnerability module_path=".*/sudoedit" />
+
+        <input into_datastore="spoiler_admin_pass">
+            <generator type="strong_password_generator" />
+        </input>
+        <build type="cleanup">
+            <input into="root_password">
+                <datastore>spoiler_admin_pass</datastore>
+            </input>
+        </build>
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+</scenario>