From 1652037355979697c4f2efaca342c09e2678db62 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 30 Oct 2022 09:40:31 -0400
Subject: [PATCH] Add initial setuid env overflow detection

---
 .../execution/unexpected-env-values-linux.sql | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/detection/execution/unexpected-env-values-linux.sql b/detection/execution/unexpected-env-values-linux.sql
index 93c3a7f..02fc17c 100644
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@@ -6,11 +6,12 @@
 -- WARNING: This query is known to require a higher than average wall time.
 --
 -- tags: transient state
--- interval: 600
+-- interval: 300
 -- platform: linux
-SELECT key,
+SELECT p.pid,
 p.name,
+ key,
 value,
- p.pid,
+ LENGTH(value) AS value_len,
 p.path,
 p.cmdline,
 p.parent AS parent_pid,
@@ -18,10 +19,11 @@ SELECT key,
 -- Querying processes first and filtering by time gives a massive 20X speed improvement
 -- over querying process_envs first and JOIN'ing against processes
 FROM processes p
- LEFT JOIN process_envs pe ON p.pid = pe.pid
+ JOIN process_envs pe ON p.pid = pe.pid
+ LEFT JOIN file f ON p.path = f.path
 LEFT JOIN processes pp ON p.parent = pp.pid
 WHERE -- This time should match the interval
- p.start_time > (strftime('%s', 'now') - 600)
+ p.start_time > (strftime('%s', 'now') - 300)
 AND (
 key = 'HISTFILE'
 AND NOT VALUE LIKE '/home/%/.%_history'
@@ -35,4 +37,10 @@ WHERE -- This time should match the interval
 AND NOT pe.value LIKE ':/snap/%'
 AND NOT pe.value LIKE '/app/bin/%'
 AND NOT pe.value LIKE 'libmozsandbox.so%'
+ )
+ -- setuid
+ OR (
+ LENGTH(value) > 1024
+ AND f.mode IS NOT NULL
+ AND f.mode NOT LIKE '0%'
 )
\ No newline at end of file
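Review bot: `key`, `value` and `LENGTH(value)` in the new SELECT list are left unqualified while every other column in it carries its table alias, and the WHERE clause below already spells the same column both as `pe.value` and as bare `VALUE`. Now that a third table (`file f`) is joined, qualifying them as `pe.key`, `pe.value`, `LENGTH(pe.value) AS value_len` keeps the query unambiguous should either joined table later grow a column of that name, and makes the list read consistently. The SELECT list continues past the end of this hunk.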
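Review bot: The new `OR (` branch for setuid binaries sits at the same level as `p.start_time > ... AND (...)`, so with SQL's AND-over-OR precedence the start-time filter no longer applies to it — assuming the unseen lines between the hunks open no further parentheses, every long-lived process whose binary has a non-`0xxx` mode and a >1024-byte env value is returned on every run, and the "processes first, filter by time" pruning the file's 20X comment relies on likely cannot cut the process_envs join down for that branch. Wrapping the whole predicate restores the intent: change the `AND (` after the time filter to `AND ( (` and close the setuid group with `)` followed by an extra `)` at the end. Two smaller points: `f.mode NOT LIKE '0%'` also matches the sticky bit (`1xxx`, `3xxx`, …), so the `-- setuid` comment would be more honest as `-- setuid/setgid (or sticky) bit set on the executable`, and a plain `LENGTH(value) > 1024` across all keys will presumably fire on common oversized-but-benign variables such as `LS_COLORS` inherited by `sudo`/`su`/`passwd` — consider an exclusion list for known long keys or documenting the expected noise. The WHERE clause begins before this hunk.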