Potential Privilege Escalation via UID INT_MAX Bug Detected
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/07/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
references = [
    "https://twitter.com/paragonsec/status/1071152249529884674",
    "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh",
    "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"
]
risk_score = 47
rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
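To make the query's clauses concrete, the following Python example (added here; it is not Elastic's code and not part of the rule) replays the same predicate over a handful of constructed ECS-style exec events: a systemd-run call with `-t`, at least three arguments, and a UID at or above the rule's threshold is a hit, while an ordinary UID, a missing `-t`, too few arguments, a non-Linux host, or an unparseable `user.id` is not. It assumes events arrive as flat dictionaries keyed by ECS field name and that `user.id` carries the decimal UID as a string; the comparison against the threshold is done numerically, which is an assumption about how the query's string literal should be read.

```python
"""Replay the rule's EQL predicate over constructed ECS-style events.

Added example, not Elastic's code. Assumptions: events are flat dicts keyed by
ECS field name, and user.id carries the decimal UID as a string.
"""

INT_MAX = 2**31 - 1                  # 2147483647, the signed 32-bit limit the description refers to
RULE_UID_THRESHOLD = 1_000_000_000   # the literal the rule's query compares user.id against


def parse_uid(value):
    """Return user.id as an int, or None when it is missing or not a decimal number."""
    if value is None:
        return None
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def exceeds_int_max(uid):
    """True when a UID lies outside the signed 32-bit range the description refers to."""
    return uid is not None and uid > INT_MAX


def matches_rule(event, uid_threshold=RULE_UID_THRESHOLD):
    """Apply each clause of the rule's query to one event; returns True on a hit."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.action") != "exec" or event.get("event.type") != "start":
        return False
    if event.get("process.name") != "systemd-run":
        return False
    args = event.get("process.args") or []
    # In EQL, `process.args == "-t"` is true when any element of the array equals "-t",
    # so the flag does not have to be the first argument.
    if "-t" not in args:
        return False
    if event.get("process.args_count", len(args)) < 3:
        return False
    uid = parse_uid(event.get("user.id"))
    # The query compares user.id against a string literal; here the comparison is numeric (assumption).
    return uid is not None and uid >= uid_threshold


def find_matches(events, uid_threshold=RULE_UID_THRESHOLD):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e, uid_threshold)]


def make_exec_event(uid, args, **overrides):
    """Build a constructed exec event; field names follow ECS, values are made up."""
    event = {
        "host.os.type": "linux",
        "event.action": "exec",
        "event.type": "start",
        "process.name": args[0].rsplit("/", 1)[-1],
        "process.args": list(args),
        "process.args_count": len(args),
        "user.id": str(uid),
    }
    event.update(overrides)
    return event


# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    make_exec_event(4000000000, ["systemd-run", "-t", "/bin/bash"]),       # oversized UID: hit
    make_exec_event(1000, ["systemd-run", "-t", "/bin/bash"]),             # ordinary user: no hit
    make_exec_event(4000000000, ["systemd-run", "--scope", "/bin/true"]),  # no -t flag: no hit
    make_exec_event(4000000000, ["systemd-run", "-t"]),                    # fewer than 3 args: no hit
    make_exec_event(4000000000, ["systemd-run", "-t", "/bin/bash"], **{"host.os.type": "windows"}),
    make_exec_event("", ["systemd-run", "-t", "/bin/bash"]),               # unparseable UID: no hit
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        uid = parse_uid(hit["user.id"])
        print(f"ALERT uid={uid} exceeds_int_max={exceeds_int_max(uid)} "
              f"args={' '.join(hit['process.args'])}")
```

When tuning the rule, `uid_threshold` is the knob to experiment with: lowering it in a replay like this shows immediately which benign accounts would start to alert before the change is made in production.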
Related rules
- Cron Job Created or Changed by Previously Unknown Process
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Kernel Load or Unload via Kexec Detected
- Modification of Dynamic Linker Preload Shared Object
- Namespace Manipulation Using Unshare