Listen to this Post
The vulnerability stems from an insecure sudoers configuration recommended in SSH documentation for Proxmox VE systems integrating Terraform. A suggested sudoers entry grants the Terraform user password-less root execution of the tee command restricted to the /var/lib/vz/ directory path. This wildcard allowance does not sanitize or prevent directory traversal sequences. Consequently, an authenticated Terraform user can exploit the ../ sequence to escape the intended directory boundary. By crafting a tee command target with ../, such as /var/lib/vz/../../../etc/sudoers.d/sudo, the user can write to any file on the filesystem. The proof-of-concept demonstrates this by piping a new sudoers policy that grants universal root access without a password into the tee command. Since tee executes with root privileges via the sudoers entry, it successfully writes the malicious policy to a system directory. This effectively bypasses all intended restrictions, granting the Terraform user full administrative control over the host. The core issue is the lack of path validation in the sudoers command specification, allowing argument manipulation that leads to arbitrary file write.
Platform: Proxmox VE
Version: All versions
Vulnerability: Sudoers privilege escalation
Severity: Critical
Date: 2024-08-01
Prediction: Patch date TBD
What Undercode Say:
Analytics
sudoers line: terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/
exploit command: echo “ALL=(ALL) NOPASSWD:ALL” | sudo tee /var/lib/vz/../../../etc/sudoers.d/sudo
Exploit
Authenticated terraform user executes path-traversal tee command to write arbitrary sudoers file, gaining root.
Protection from this CVE
Use strict regex sudoers rule: terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-].yaml
Impact
Full system compromise via root access escalation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

