It shells out to the EDITOR environment variable, which is controlled by the less privileged user.
In this example they inject running an editor against another file.
I'm guessing you can put arbitrary code in there or point it at a locally controlled executable too. But I'm not sure. Maybe sudoedit puts more scrutiny on that variable than most non-security programs. At any rate, many text editors have lots of modules and scripting and can presumably load and execute code as the privileged user.
The workaround is to change the sudo config file to remove the EDITOR environment variable and a few others.
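As an added illustration of the workaround mentioned above (this is not the commenter's text or the sudo project's own file), here is a sudoers fragment of the shape the sudo project documented for this issue: a per-command Defaults entry that strips the editor-selection variables before sudoedit consults them. `Cmnd_Alias`, `Defaults!`, and `env_delete` are standard sudoers directives; the drop-in file name and its placement under `/etc/sudoers.d/` are assumptions.

```sudoers
# Added example, not from the original comment. Assumed location:
# /etc/sudoers.d/50-sudoedit-env (name is an assumption). Always create or
# edit it with `visudo -f <file>` so a syntax error cannot lock you out.

# Alias covering the sudoedit command so the Defaults below apply only to it.
Cmnd_Alias SUDOEDIT = sudoedit

# Remove the variables sudoedit reads to pick the editor. With them deleted,
# the invoking user can no longer influence the editor command line and
# sudoedit uses the editor configured in sudoers (the `editor` option) instead.
# `+=` appends to the existing env_delete list rather than replacing it.
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
```

After installing the fragment, validate it with `visudo -cf /etc/sudoers.d/50-sudoedit-env` (path assumed) and confirm the effective settings for a user with `sudo -l -U <user>`, which lists the Defaults entries that apply; the `SUDO_EDITOR VISUAL EDITOR` line should appear under the env_delete list for the sudoedit command. This is a configuration workaround only; applying the vendor's patched sudo package remains the actual fix.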