Splunk Lantern

Heap-based buffer overflow on *nix

Your organization has unpatched Linux servers. You know those servers are vulnerable to a number of attacks, including the heap-based buffer overflow in sudo known as Baron Samedit (CVE-2021-3156), which lets any local user gain root by running sudoedit -s with an argument that ends in a single backslash. You want to search your logs for indications that this attack has been run against your servers.

Data required 

*nix logs

Procedures

Option 1

Run the following search. You can optimize it by specifying an index and adjusting the time range.

"sudoedit -s \\"
| stats values(sourcetype) values(source) values(host)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                           Explanation
"sudoedit -s \\"                                        Look for this literal string in your *nix logs. The doubled backslash is SPL escaping for one literal backslash, so the search matches the raw text sudoedit -s \ (a sudoedit -s argument ending in a single backslash), which is the input that triggers the overflow.
| stats values(sourcetype) values(source) values(host)  List the sourcetypes, sources, and hosts on which the string appears, so you can see where it was logged.

Next steps

You might also be interested in other processes associated with the Detecting the Sudo Baron Samedit attack use case.

Option 2

  1. Install the Add-on for OSquery.
  2. Add the following line to the OSquery TA props.conf, under the stanza for the osquery:results sourcetype, so that the osquery column columns.cmdline is also searchable as process:
    FIELDALIAS-process = columns.cmdline as process
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    sourcetype="osquery:results"
    eventtype="osquery-process"
    | search process="sudoedit -s \\*"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                 Explanation
sourcetype="osquery:results"                  Search only osquery:results logs.
eventtype="osquery-process"                   Search only osquery-process events, that is, the osquery process records.
| search process="sudoedit -s \\*"            Look for events whose process command line starts with sudoedit -s \ (the doubled backslash is SPL escaping for one literal backslash, and the trailing * is a wildcard for whatever follows). That argument form is the input that triggers the overflow, so a match indicates an exploit attempt on the host.
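Both searches reduce to the same matching rule: find the literal text sudoedit -s \ either anywhere in a raw log line (Option 1) or as the prefix of an osquery process command line exposed through the FIELDALIAS (Option 2). The following Python is an added example, not code from the Splunk Lantern page or from Splunk, that reimplements both checks so they can be exercised offline. The auth log lines and osquery result records are constructed samples, and using the osquery query name to stand in for eventtype="osquery-process" is an assumption about how the osquery TA tags process events.

```python
"""Detection logic for the sudo "Baron Samedit" indicator, runnable offline.

Added example, not code from the Splunk Lantern page or from Splunk: it
re-implements the two searches above in plain Python. Option 1 is the raw
text search for the literal string in *nix logs; Option 2 is the osquery
search (columns.cmdline aliased to process, process="sudoedit -s \\*").
All log lines and osquery records below are constructed samples, and the
osquery query name used to stand in for eventtype="osquery-process" is an
assumption about how the osquery TA tags process events.
"""
import json

# The literal the SPL searches look for: a sudoedit -s argument ending in a
# single unescaped backslash, the input that triggers CVE-2021-3156.
INDICATOR = "sudoedit -s \\"

# Constructed syslog-style auth log lines (not real captures). Only the third
# line carries the indicator; the last line is a benign sudoedit -s use.
SAMPLE_AUTH_LOG = r"""
Jan 26 10:01:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 26 10:02:15 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
Jan 26 10:02:16 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit -s \ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 26 10:03:40 db02 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/sudoedit -s /etc/hosts
"""

# Constructed osquery results lines (JSON, one event per line) in the shape the
# osquery TA indexes. Inside JSON, "\\" decodes to a single backslash.
SAMPLE_OSQUERY_RESULTS = r"""
{"name": "pack_incident-response_process_events", "hostIdentifier": "web01", "action": "added", "columns": {"pid": "4120", "path": "/usr/bin/sudoedit", "cmdline": "sudoedit -s \\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "uid": "1001"}}
{"name": "pack_incident-response_process_events", "hostIdentifier": "db02", "action": "added", "columns": {"pid": "911", "path": "/usr/bin/sudoedit", "cmdline": "sudoedit -s /etc/hosts", "uid": "1002"}}
{"name": "pack_incident-response_listening_ports", "hostIdentifier": "web01", "action": "added", "columns": {"pid": "4120", "port": "8080", "protocol": "6"}}
"""


def search_nix_logs(log_text):
    """Option 1: every line containing the literal indicator, as (host, line).

    Mirrors the bare string search: no field extraction, just the raw text.
    The host is taken from the syslog header (fourth whitespace field).
    """
    hits = []
    for line in log_text.splitlines():
        if INDICATOR in line:
            fields = line.split()
            host = fields[3] if len(fields) > 3 else "unknown"
            hits.append((host, line))
    return hits


def search_osquery_results(results_text):
    """Option 2: osquery process events whose cmdline starts with the indicator.

    The FIELDALIAS in props.conf exposes columns.cmdline as process; the SPL
    value "sudoedit -s \\*" is a prefix match (trailing * is a wildcard) and
    SPL field-value matching is case-insensitive, so both are reproduced here.
    Returns (host, pid, process) tuples.
    """
    hits = []
    for raw in results_text.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        # Assumption: eventtype="osquery-process" selects the process_events
        # queries; here that is approximated by the osquery query name.
        if "process" not in event.get("name", ""):
            continue
        process = event.get("columns", {}).get("cmdline", "")  # the alias
        if process.lower().startswith(INDICATOR.lower()):
            hits.append((event.get("hostIdentifier", "unknown"),
                         event["columns"].get("pid"), process))
    return hits


def affected_hosts(log_text, results_text):
    """Union of hosts flagged by either search, like stats values(host)."""
    hosts = {host for host, _ in search_nix_logs(log_text)}
    hosts.update(host for host, _, _ in search_osquery_results(results_text))
    return sorted(hosts)


if __name__ == "__main__":
    for host, line in search_nix_logs(SAMPLE_AUTH_LOG):
        print(f"[auth log] {host}: {line}")
    for host, pid, process in search_osquery_results(SAMPLE_OSQUERY_RESULTS):
        print(f"[osquery] {host} pid={pid}: {process}")
    print("hosts to isolate and investigate:",
          affected_hosts(SAMPLE_AUTH_LOG, SAMPLE_OSQUERY_RESULTS))
```

Running the file prints the flagged lines and the host list. The db02 entries show that a sudoedit -s invocation without the trailing backslash is not flagged, which is the same behaviour as the SPL searches; point the two functions at a real auth log and osquery results file to use them as a quick offline check on a host that is not forwarding to Splunk.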

Next steps

If the search returns results, the exploit has been run on the listed machine(s), and the next step is to respond to the incident: isolate each machine and look for signs of lateral movement, data exfiltration, or credential dumping. A successful exploit gives the attacker root, so they could have done almost anything from that point on. Note that the string only proves an attempt; confirm whether the host was running a vulnerable sudo version at the time to judge whether the attempt succeeded.

If no results are found, either the exploit has not been used or coverage is incomplete. The Splunk Samedit TA searches your *nix machines for unpatched versions of sudo and can output an inventory of machines that have the vulnerability. That inventory can be used to focus further investigation of malicious activity and as a list of machines that need to be patched.

You might also be interested in other processes associated with the Detecting the Sudo Baron Samedit attack use case.