[Snort-sigs] SID 650 (work in progress)

Warchild warchild at ...288...
Fri Mar 15 11:05:05 EST 2002

Feel free to add your comments on this one.

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 setuid
0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:4;) 


Shellcode to set the user identity to 0 (root) was detected.

If this code is executed successfully, it is possible for the current
process to inherity root privledges.  However, setuid(2) requires root
privledges to be executed in the first place if the current uid is
attempting to get a higher priviledge level.

Detailed Information:
Snort detected data resembling the x86 assembly code to change the
user identity to 0.  

Attack Scenarios:
As part of an attack on a remote service, an attacker may attempt to
take advantage of insecure coding practices and execute code of his or
her choosing through techniques known as 'buffer-overflows',
'format-strings' and others.  Such attacks may contain code to change
the identity of the current user to that of the root account (setuid

Ease of Attack:
Non-trivial.  Shellcode (and just x86 assembly code in general)
requires a fairly intimate knowledge of computer architecture, memory
structures, and many concepts that are part of the more arcane areas
of computing.  Furthermore, if this was in fact an attack, the
attacker needs to have a good idea of the design of the both the
program and the system that he or she is attacking. The x86 setuid
call itself is not particularly difficult, and by itself is not
harmful.  However, combined with other carefuly aimed shellcode, it
can be quite lethal.

False Positives:
Fairly high.  Large binary transfers, certain web traffic, and even
mail traffic can trigger this rule, but are not necessarily indicative
of actual setuid code.

False Negatives:
Unknown, but probably possible.

Corrective Action:
Determine what stream of traffic generated this particular alert.  If
you only have the alert but not the entire packet, examine system for
pecularities.  If you are smart and have the entire packet (or better
yet, all your traffic for the past n hours), attempt to determine if
this particular sequence of characters was part of an innocent stream
of data (large binary transfers, for example) or part of a malicious
act against your machine.  In either case, check for other activity
from the host in question -- both currently collected traffic and
traffic in the future.

Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list