Skip to content

[New Rule] PE via UID INT_MAX Bug #2971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 3, 2023
Merged

[New Rule] PE via UID INT_MAX Bug #2971

merged 10 commits into from
Aug 3, 2023

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jul 27, 2023
edited
Loading

Summary

This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.

Detection

process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type : "start" and 
process.name : "systemd-run" and process.args : "-t" and process.args_count >= 3 and user.id >= 1000000000
image

@Aegrah Aegrah self-assigned this Jul 27, 2023
@Aegrah Aegrah mentioned this pull request Jul 30, 2023
Closed
brokensound77
brokensound77 reviewed Aug 2, 2023
View reviewed changes
brokensound77
brokensound77 reviewed Aug 2, 2023
View reviewed changes
brokensound77
brokensound77 reviewed Aug 2, 2023
View reviewed changes
DefSecSentinel
DefSecSentinel approved these changes Aug 3, 2023
View reviewed changes
Copy link
Contributor

@DefSecSentinel DefSecSentinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Aegrah Aegrah merged commit 7cc841c into main Aug 3, 2023
@Aegrah Aegrah deleted the new-rule-uid-overflow-privesc branch August 3, 2023 13:51
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
82a4f0b 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
c458764 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
efa2a23 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
550b210 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
91f2f6d 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
de6ecd0 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
protectionsmachine pushed a commit that referenced this pull request Aug 3, 2023
@Aegrah @github-actions
[New Rule] PE via UID INT_MAX Bug (#2971)
fb26656 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 7cc841c)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brokensound77 brokensound77 brokensound77 approved these changes

@DefSecSentinel DefSecSentinel DefSecSentinel approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@eric-forte-elastic eric-forte-elastic Awaiting requested review from eric-forte-elastic

Assignees

@Aegrah Aegrah

Labels
backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Aegrah @brokensound77 @DefSecSentinel