

add segfault detection (#840)
* add segfault detection through kern.log, syslog or journalctl -k

---------

Co-authored-by: GitHub Action <[email protected]>
sabban and actions-user authored Oct 5, 2023
1 parent 70d0ca1 commit 7386a8f
Showing 13 changed files with 299 additions and 5 deletions.
63 changes: 58 additions & 5 deletions .index.json
Expand Up @@ -1245,23 +1245,29 @@
},
"crowdsecurity/linux-lpe": {
"path": "collections/crowdsecurity/linux-lpe.yaml",
"version": "0.1",
"version": "0.2",
"versions": {
"0.1": {
"digest": "a68ef0b517c988b50b3cdc0d84702b2f70e621d29378b9782b2e037bf6663458",
"deprecated": false
},
"0.2": {
"digest": "fd4a1d641522646b438dcf6572eddee3196c21bbc4dc75907515fd25e4f27578",
"deprecated": false
}
},
"long_description": "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",
"content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvcGtleGVjLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9DVkUtMjAyMS00MDM0CmNvbGxlY3Rpb25zOgogIC0gY3Jvd2RzZWN1cml0eS9saW51eApkZXNjcmlwdGlvbjogIkxpbnV4IExvY2FsIFByaXZpbGVnZSBFc2NhbGF0aW9uIGNvbGxlY3Rpb24gOiBkZXRlY3QgdHJpdmlhbCBMUEVzIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4CiAgLSBwcml2c2VjCiAgLSBscGUKCgo=",
"long_description": "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",
"content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvcGtleGVjLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvc2VnZmF1bHQtbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIxLTQwMzQKICAtIGNyb3dkc2VjdXJpdHkvQ1ZFLTIwMjMtNDkxMQpjb2xsZWN0aW9uczoKICAtIGNyb3dkc2VjdXJpdHkvbGludXgKZGVzY3JpcHRpb246ICJMaW51eCBMb2NhbCBQcml2aWxlZ2UgRXNjYWxhdGlvbiBjb2xsZWN0aW9uIDogZGV0ZWN0IHRyaXZpYWwgTFBFcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSBsaW51eAogIC0gcHJpdnNlYwogIC0gbHBlCgoK",
"description": "Linux Local Privilege Escalation collection : detect trivial LPEs",
"author": "crowdsecurity",
"labels": null,
"parsers": [
"crowdsecurity/pkexec-logs"
"crowdsecurity/pkexec-logs",
"crowdsecurity/segfault-logs"
],
"scenarios": [
"crowdsecurity/CVE-2021-4034"
"crowdsecurity/CVE-2021-4034",
"crowdsecurity/CVE-2023-4911"
],
"collections": [
"crowdsecurity/linux"
Expand Down Expand Up @@ -4293,6 +4299,29 @@
"author": "crowdsecurity",
"labels": null
},
"crowdsecurity/segfault-logs": {
"path": "parsers/s01-parse/crowdsecurity/segfault-logs.yaml",
"stage": "s01-parse",
"version": "0.3",
"versions": {
"0.1": {
"digest": "9079d38e296e0b574a5cb2fe1fee614c08114912daefa569b2dc0648d8d8e8b8",
"deprecated": false
},
"0.2": {
"digest": "4473cedee88009d1a660c9695e9a128f3c2692020ea3cb1dd74b85422074ae31",
"deprecated": false
},
"0.3": {
"digest": "4ac2695dcfbbd1bfa1402b95a642b2868ab61900714e7a17c2fb5f0235a3777b",
"deprecated": false
}
},
"content": "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",
"description": "Parses segfault kernel side",
"author": "crowdsecurity",
"labels": null
},
"crowdsecurity/smb-logs": {
"path": "parsers/s01-parse/crowdsecurity/smb-logs.yaml",
"stage": "s01-parse",
Expand Down Expand Up @@ -6085,6 +6114,30 @@
"os": "windows"
}
},
"crowdsecurity/CVE-2023-4911": {
"path": "scenarios/crowdsecurity/CVE-2023-4911.yaml",
"version": "0.3",
"versions": {
"0.1": {
"digest": "c9be24878aab5602152e6873ee337e62eb3edb0e2ce9b3d2c873ee7112660379",
"deprecated": false
},
"0.2": {
"digest": "c4d8818f2c6def4949741a5c1a498e3efbdbc876ca3f2cb78a0f090900aa1f3d",
"deprecated": false
},
"0.3": {
"digest": "74290f39f9dbf7c18f1189e533d87c40c4cd86d1bcd21ca81c02aa1de664ba9f",
"deprecated": false
}
},
"content": "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",
"description": "exploitation of CVE-2023-4911: segfaulting in dynamic loader",
"author": "crowdsecurity",
"labels": {
"remediation": "false"
}
},
"crowdsecurity/apache_log4j2_cve-2021-44228": {
"path": "scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml",
"version": "0.4",
4 changes: 4 additions & 0 deletions .tests/CVE-2023-4911/CVE-2023-4911.log
@@ -0,0 +1,4 @@
2023-10-05T11:47:20.799042+02:00 leto kernel: [869507.505196] su[1433535]: segfault at 7f1f9b891000 ip 00007f1f9b870d7d sp 00007ffd5dab97f0 error 6 in ld-linux-x86-64.so.2[7f1f9b85e000+25000] likely on CPU 2 (core 2, socket 0)
2023-10-05T11:47:20.799052+02:00 leto kernel: [869507.505206] Code: c0 0f 85 24 01 00 00 4c 89 f0 b9 01 00 00 00 45 84 c9 0f 84 40 01 00 00 48 8b 44 24 18 4c 89 e6 48 29 c6 48 89 c1 48 83 c0 01 <45> 88 4c 06 ff 44 0f b6 0c 06 45 84 c9 75 ea 48 8d 71 02 4c 01 f0
2023-10-05T11:47:58.015019+02:00 leto kernel: [869544.717859] usb 5-2.3.3: current rate 16000 is different from the runtime rate 32000
2023-10-05T11:49:27.299005+02:00 leto kernel: [869634.002922] su[1436247]: segfault at 7f69e5a10000 ip 00007f69e59efd7d sp 00007ffff8da8b50 error 6 in ld-linux-x86-64.so.2[7f69e59dd000+25000] likely on CPU 3 (core 3, socket 0)
13 changes: 13 additions & 0 deletions .tests/CVE-2023-4911/config.yaml
@@ -0,0 +1,13 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- ./parsers/s01-parse/crowdsecurity/segfault-logs.yaml
scenarios:
- ./scenarios/crowdsecurity/CVE-2023-4911.yaml
postoverflows:
- ""
log_file: CVE-2023-4911.log
log_type: syslog
labels: {}
ignore_parsers: true
override_statics: []
Empty file.
33 changes: 33 additions & 0 deletions .tests/CVE-2023-4911/scenario.assert
@@ -0,0 +1,33 @@
len(results) == 2
"su" in results[0].Overflow.GetSources()
results[0].Overflow.Sources["su"].IP == ""
results[0].Overflow.Sources["su"].Range == ""
results[0].Overflow.Sources["su"].GetScope() == "exe"
results[0].Overflow.Sources["su"].GetValue() == "su"
results[0].Overflow.Alert.Events[0].GetMeta("binary") == "su"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2023-4911.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("library") == "ld-linux-x86-64.so.2"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "kernel"
results[0].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
results[0].Overflow.Alert.Events[0].GetMeta("sub_log_type") == "segfault"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-05T11:47:20.799042+02:00"
results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2023-4911"
results[0].Overflow.Alert.Remediation == false
results[0].Overflow.Alert.GetEventsCount() == 1
"su" in results[1].Overflow.GetSources()
results[1].Overflow.Sources["su"].IP == ""
results[1].Overflow.Sources["su"].Range == ""
results[1].Overflow.Sources["su"].GetScope() == "exe"
results[1].Overflow.Sources["su"].GetValue() == "su"
results[1].Overflow.Alert.Events[0].GetMeta("binary") == "su"
results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2023-4911.log"
results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[0].GetMeta("library") == "ld-linux-x86-64.so.2"
results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "kernel"
results[1].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
results[1].Overflow.Alert.Events[0].GetMeta("sub_log_type") == "segfault"
results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-05T11:49:27.299005+02:00"
results[1].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2023-4911"
results[1].Overflow.Alert.Remediation == false
results[1].Overflow.Alert.GetEventsCount() == 1
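Review bot: Both `GetMeta("library")` assertions pin the x86-64 loader name `ld-linux-x86-64.so.2`, and the fixture `CVE-2023-4911.log` contains only x86-64 segfault lines, so this test says nothing about arm64 hosts, where glibc's loader is `ld-linux-aarch64.so.1`. If the scenario's filter compares the library name literally rather than with a pattern such as `ld-linux-.*\.so`, loader segfaults on those hosts would never raise this alert; the scenario YAML is not on this page, so treat this as a question rather than a confirmed gap. One aarch64-style line in the fixture plus a third result with a matching `GetMeta("library") == "ld-linux-aarch64.so.1"` assertion would make the intended coverage explicit either way. The `GetScope() == "exe"` and `Remediation == false` pairs are consistent with each other, since an `exe`-scoped source carries no IP to act on.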
13 changes: 13 additions & 0 deletions .tests/segfault-logs/config.yaml
@@ -0,0 +1,13 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- ./parsers/s01-parse/crowdsecurity/segfault-logs.yaml
scenarios:
- ""
postoverflows:
- ""
log_file: segfault-logs.log
log_type: syslog
labels: {}
ignore_parsers: false
override_statics: []

0 comments on commit 7386a8f
