Splunk Lantern

Heap-based buffer overflow on *nix

You might need to actively scan your Linux hosts for indicators of a successfully run heap-based buffer overflow (Baron Samedit attack) when doing the following: 

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your organization has unpatched Linux servers. You know those servers are vulnerable to a number of attacks, including the heap-based buffer overflow in sudo, called Baron Samedit. You want to be able to search for indications that this attack has hit your servers.

To optimize the searches shown below, you should specify an index and a time range.

Option 1

  1. Run the following search:
    "sudoedit -s \\"
    | stats values(sourcetype) values(source) values(host)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                             Explanation
"sudoedit -s \\"                                          Look for this string in your *nix logs.
| stats values(sourcetype) values(source) values(host)    List the values that show the source of the string.

Option 2

  1. Install the Add-on for OSquery. 
  2. Add the following line to the OSquery TA props.conf:
    FIELDALIAS-process = columns.cmdline as process
  3. Run the following search:
    sourcetype="osquery:results"
    eventtype="osquery-process"
    | search process="sudoedit -s \\*"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                          Explanation
sourcetype="osquery:results"           Search only osquery:results logs.
eventtype="osquery-process"            Search only for osquery-process events.
| search process="sudoedit -s \\*"     Look for events where the process field starts with sudoedit -s \, which is an indicator that the vulnerability has been exploited.
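As an added example (not Splunk's or this article's code), the following Python applies the same two indicators offline: the raw-log substring search of Option 1 and the field alias plus prefix match of Option 2. The log lines and osquery JSON events are constructed; the osquery host field name (hostIdentifier) and the syslog line layout are assumptions.

```python
import json
import re

# Literal indicator behind both searches: in SPL, "\\" is one escaped backslash,
# so the string searched for is `sudoedit -s \`; the trailing * in Option 2 only
# allows further text after it, so the match is anchored at the start.
INDICATOR = re.compile(r"^sudoedit -s \\")


def alias_process(event: dict) -> dict:
    """Mirror the props.conf line: FIELDALIAS-process = columns.cmdline as process."""
    cmdline = event.get("columns", {}).get("cmdline")
    return {**event, "process": cmdline} if cmdline is not None else event


def osquery_hits(lines):
    """Option 2: hosts whose osquery process rows start with the indicator."""
    hosts = []
    for line in lines:
        try:
            ev = alias_process(json.loads(line))
        except json.JSONDecodeError:
            continue  # not an osquery:results event, skip it
        # hostIdentifier is assumed to be the osquery host field.
        if INDICATOR.match(ev.get("process", "")) and ev["hostIdentifier"] not in hosts:
            hosts.append(ev["hostIdentifier"])
    return hosts


def raw_log_hits(lines):
    """Option 1: substring search over plain *nix log lines, keyed by host."""
    hosts = []
    for line in lines:
        if "sudoedit -s \\" in line:
            host = line.split()[3]  # assumed syslog layout: "Mon DD HH:MM:SS host ..."
            if host not in hosts:
                hosts.append(host)
    return hosts


# Constructed sample data for the two options.
OSQUERY_SAMPLE = [
    json.dumps({"name": "process_events", "hostIdentifier": "web01",
                "columns": {"cmdline": "sudoedit -s \\", "uid": "1001"}}),
    json.dumps({"name": "process_events", "hostIdentifier": "web02",
                "columns": {"cmdline": "sudoedit -s /etc/hosts", "uid": "1001"}}),
    "not an osquery event",
]
AUTH_SAMPLE = [
    "Jan 26 10:01:02 db01 sudo: alice : TTY=pts/0 ; COMMAND=sudoedit -s \\",
    "Jan 26 10:01:03 db02 sudo: bob : TTY=pts/0 ; COMMAND=/usr/bin/sudoedit -s /etc/motd",
]

if __name__ == "__main__":
    print("osquery hits:", osquery_hits(OSQUERY_SAMPLE))  # ['web01']
    print("raw log hits:", raw_log_hits(AUTH_SAMPLE))     # ['db01']
```

Because the Option 2 pattern is anchored at the start of the process field, an invocation recorded with a full path (such as /usr/bin/sudoedit) would not match; the Option 1 substring search is not affected by this.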

Result

If the above search produces results, the exploit has been run on the machine(s) listed in the result. If any are found, the next step is to respond to the incident. A suitable response is to isolate the machine and look for signs of lateral movement, data exfiltration, or credential dumping. The attacker would have elevated privileges to root (the superuser) and could do almost anything from that point on.

If no results are found, either the exploit has not been used or coverage is incomplete. The Splunk Samedit TA will search your *nix machines for unpatched versions and can output an inventory of machines that have the vulnerability. That information can be used to further investigate malicious activity and to provide a list of machines that need to be patched.
