Sudo Heap-Based Buffer Overflow Attempt
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/02/03"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
13(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
14"""
15false_positives = [
16 """
17 This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
18 scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
19 affected; if those versions are not present on the endpoint, this could be a false positive.
20 """,
21]
22from = "now-9m"
23index = ["auditbeat-*", "logs-endpoint.events.*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Sudo Heap-Based Buffer Overflow Attempt"
27references = [
28 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
29 "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
30 "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
31 "https://www.sudo.ws/alerts/unescape_overflow.html",
32]
33risk_score = 73
34rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
37type = "threshold"
38
39query = '''
40event.category:process and event.type:start and
41 process.name:(sudo or sudoedit) and
42 process.args:(*\\ and ("-i" or "-s"))
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1068"
50name = "Exploitation for Privilege Escalation"
51reference = "https://attack.mitre.org/techniques/T1068/"
52
53
54[rule.threat.tactic]
55id = "TA0004"
56name = "Privilege Escalation"
57reference = "https://attack.mitre.org/tactics/TA0004/"
58
59[rule.threshold]
60field = ["host.hostname"]
61value = 100
References
Related rules
- Potential JAVA/JNDI Exploitation Attempt
- Potential Privilege Escalation via OverlayFS
- Potential Privilege Escalation via PKEXEC
- Potential Privilege Escalation via Sudoers File Modification
- Setuid / Setgid Bit Set via chmod