Add initial setuid env overflow detection

2025-01-10 15:49:31 +00:00 · 2022-10-30 09:40:31 -04:00 · 2022-10-30 09:40:31 -04:00 · 1652037355
commit 1652037355
parent 46ef9668d7
1 changed files with 13 additions and 5 deletions
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@ -6,11 +6,12 @@
 -- WARNING: This query is known to require a higher than average wall time.
 --
 -- tags: transient state
-- interval: 600
+-- interval: 300
 -- platform: linux
-SELECT key,
+SELECT p.pid, p.name,
+  key,
  value,
-  p.pid,
+  LENGTH(value) AS value_len,
  p.path,
  p.cmdline,
  p.parent AS parent_pid,
@ -18,10 +19,11 @@ SELECT key,
 -- Querying processes first and filtering by time gives a massive 20X speed improvement
 -- over querying process_envs first and JOIN'ing against processes
 FROM processes p
-  LEFT JOIN process_envs pe ON p.pid = pe.pid
+  JOIN process_envs pe ON p.pid = pe.pid
+  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
 WHERE -- This time should match the interval
-  p.start_time > (strftime('%s', 'now') - 600)
+  p.start_time > (strftime('%s', 'now') - 300)
  AND (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/home/%/.%_history'
@ -35,4 +37,10 @@ WHERE -- This time should match the interval
    AND NOT pe.value LIKE ':/snap/%'
    AND NOT pe.value LIKE '/app/bin/%'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
+  )
+  -- setuid
+  OR (
+    LENGTH(value) > 1024
+    AND f.mode IS NOT NULL
+    AND f.mode NOT LIKE '0%'
  )