rta/sudo_exploit.py

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

import sys

from . import RtaMetadata, common

metadata = RtaMetadata(
    uuid="da35cb80-dad9-4995-ac11-6a408843cd12",
    platforms=["linux", "macos"],
    endpoint=[
        {"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "95718a3c-edc7-46ef-978b-77891ca6198f"},
    ],
    siem=[{"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8"}],
    techniques=["T1068", "T1059"],
)


@common.requires_os(*metadata.platforms)
def main() -> None:
    common.log(
        "Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the "
        "Sudo binary in Unix-like systems(CVE-2021-3156)",
    )
    # The exploit reproduction is available
    # https://www.sudo.ws/security/advisories/unescape_overflow/
    # https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges

    masquerade = "/tmp/sudo"
    if common.CURRENT_OS == "macos":
        common.create_macos_masquerade(masquerade)
    else:
        source = common.get_path("bin", "linux.ditto_and_spawn")
        common.copy_file(source, masquerade)

    common.log("Launching fake xargs command to execute Sudo Heap-Based Buffer Overflow Attempt")
    common.execute([masquerade, "-s", "sudoedit", "*\\\\"], timeout=10, kill=True)

    # cleanup
    common.remove_file(masquerade)


if __name__ == "__main__":
    sys.exit(main())
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one`
			`# or more contributor license agreements. Licensed under the Elastic License`
			`# 2.0; you may not use this file except in compliance with the Elastic License`
			`# 2.0.`

react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`import sys`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`from . import RtaMetadata, common`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00
			`metadata = RtaMetadata(`
			`uuid="da35cb80-dad9-4995-ac11-6a408843cd12",`
			`platforms=["linux", "macos"],`
			`endpoint=[`
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`{"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "95718a3c-edc7-46ef-978b-77891ca6198f"},`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`],`
			`siem=[{"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8"}],`
			`techniques=["T1068", "T1059"],`
			`)`


Updated common.requires_os calls (#3109 ) 2023-10-03 10:47:58 -04:00			`@common.requires_os(*metadata.platforms)`
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`def main() -> None:`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`common.log(`
			`"Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the "`
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`"Sudo binary in Unix-like systems(CVE-2021-3156)",`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`)`
			`# The exploit reproduction is available`
			`# https://www.sudo.ws/security/advisories/unescape_overflow/`
			`# https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges`

react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`masquerade = "/tmp/sudo"`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`if common.CURRENT_OS == "macos":`
			`common.create_macos_masquerade(masquerade)`
			`else:`
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`source = common.get_path("bin", "linux.ditto_and_spawn")`
			`common.copy_file(source, masquerade)`

			`common.log("Launching fake xargs command to execute Sudo Heap-Based Buffer Overflow Attempt")`
			`common.execute([masquerade, "-s", "sudoedit", "*\\\\"], timeout=10, kill=True)`

			`# cleanup`
			`common.remove_file(masquerade)`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00

			`if __name__ == "__main__":`
react_sync_rta_updates_3575 (#3762 ) 2024-06-06 14:42:37 -04:00			`sys.exit(main())`