Overview
A new vulnerability has been discovered in sudo versions 1.8.0 through 1.9.12p1. The issue occurs because the sudoedit feature mishandles the contents of user-controlled environment variables: if one of these environment variables contains a "--", every argument that follows it is treated as a file to edit.
Exploitation
In order to exploit this vulnerability the user must have some sudoedit privileges. If a user has sudoedit privileges, exploitation is as simple as modifying the EDITOR environment variable.
First, the user must have sudoedit permissions, meaning there must be an entry similar to this in the /etc/sudoers file.

In most scenarios you won't be able to view the /etc/sudoers file. Instead you would use the sudo -l command to check your user's sudo permissions.

Now that we know we have sudoedit permissions, all we need to do is modify our EDITOR environment variable and run sudoedit. In this case we will modify /etc/passwd to add a new root user to the box.


With our newly added root user, all we have to do is switch users to get a root shell.

Remediation
A patch has already been released for this vulnerability, so all you need to do to protect yourself is update sudo. If you are unable to update sudo for whatever reason, you can still protect yourself by preventing user-specified editors from being used with sudoedit. Add the following entry to your sudoers file:
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
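The two remediation facts above (the affected version range and the env_delete entry) can be turned into a quick host check. The script below is an added example, not code from the original post or from the sudo project; it parses a sudo version string into a comparable number and looks for the workaround line in sudoers text supplied on stdin, then runs both checks against the local host when sudo and a readable /etc/sudoers are present.

```shell
#!/bin/sh
# Added example (not from the original post): flag a sudo version inside the
# affected range 1.8.0 .. 1.9.12p1 and look for the env_delete workaround.

# version_key "1.9.12p1" -> 1091201 ; "1.8.0" -> 1080000
# (major*1000000 + minor*10000 + release*100 + patch-level "pN")
version_key() {
  base=${1%%p*}                # "1.9.12p1" -> "1.9.12"
  patch=${1#"$base"}           # "p1" or ""
  patch=${patch#p}
  old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + ${patch:-0} ))
}

# sudo_affected VERSION: exit 0 if VERSION is inside the affected range, else 1
sudo_affected() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key 1.8.0)" ] && [ "$k" -le "$(version_key 1.9.12p1)" ]
}

# sudoers_has_mitigation: read sudoers text on stdin; exit 0 only if a
# "Defaults!sudoedit env_delete+=" line lists all three editor variables
sudoers_has_mitigation() {
  line=$(grep -E '^[[:space:]]*Defaults![[:space:]]*sudoedit[[:space:]]+env_delete\+=' | head -n 1)
  [ -n "$line" ] || return 1
  for var in SUDO_EDITOR VISUAL EDITOR; do
    # -w keeps "EDITOR" from matching inside "SUDO_EDITOR"
    printf '%s\n' "$line" | grep -qw "$var" || return 1
  done
}

# Host check: only runs where sudo and a readable sudoers file exist
if command -v sudo >/dev/null 2>&1; then
  ver=$(sudo --version 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)
  if [ -n "$ver" ]; then
    if sudo_affected "$ver"; then echo "sudo $ver: affected, update or apply the sudoers workaround"
    else echo "sudo $ver: outside the affected range"; fi
  fi
fi
if [ -r /etc/sudoers ]; then
  if sudoers_has_mitigation </etc/sudoers; then echo "sudoers: env_delete workaround present"
  else echo "sudoers: env_delete workaround not found"; fi
fi
```

The sudoers check only inspects the file it is given; entries pulled in through #include or #includedir would need to be checked the same way.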
References
https://www.sudo.ws/security/advisories/sudoedit_any/
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf