I was writing a Snort rule for a specific exploit and then came across one solution that describes it as "uid=0(root)". Can someone explain what that is and why it is mentioned in order to capture the packet containing root content in it?
1 Answer
The first search result on a Google search for snort uid=0 finds a useful product documentation page with an excellent explanation: https://www.snort.org/rule_docs/1-498
The string "uid=0(root)" is an output of an "id" command indicating that the user has "root" privileges. Seeing such a response indicates that some user, connected over the network to a target server, has root privileges.
...
This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
In other words: most remote exploits that grant an attacker access to a vulnerable system won't immediately grant full (root) access to that system. Once granted unprivileged access, an attacker will still need to find a second vulnerability which they can abuse to escalate their limited access to full root privileges.
That string can be seen after they have succeeded.
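To make the content match concrete, here is an added example (not code from the question, the answer, or the Snort project) that decodes the content option of a Snort-style rule and runs it over a few constructed packet payloads. The rule text, the Packet class and the sample payloads are all assumptions made for illustration; the rule is modelled on the "id check returned root" signature the linked docs describe, not copied from it. It also shows the caveat a detection engineer would raise: a bare content match fires on any payload carrying the string, so a stricter check that requires the rest of the id output (the gid= field) is included alongside it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example rule in Snort syntax, modelled on the ATTACK-RESPONSES
# signature described at snort.org/rule_docs/1-498 (assumption: not the
# verbatim rule). Snort writes awkward characters such as the parentheses
# as |hex| escapes inside the content option.
EXAMPLE_RULE = (
    'alert tcp any any -> any any ('
    'msg:"ATTACK-RESPONSES id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498;)'
)

_CONTENT_RE = re.compile(r'content:"((?:[^"|]|\|[0-9A-Fa-f ]+\|)*)"')


def snort_content_to_bytes(rule: str) -> bytes:
    """Extract the first content:"..." option of a rule and decode |hex| escapes."""
    m = _CONTENT_RE.search(rule)
    if not m:
        raise ValueError("rule has no content option")
    text = m.group(1)
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "|":
            j = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:j].replace(" ", ""))
            i = j + 1
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


NEEDLE = snort_content_to_bytes(EXAMPLE_RULE)  # b"uid=0(root)"

# Real `id` output for a root shell looks like:
#   uid=0(root) gid=0(root) groups=0(root)
# Requiring the gid= field as well cuts false positives from payloads that
# merely mention the string (web pages, source files, mail).
ID_OUTPUT = re.compile(rb"uid=(\d+)\(([^)\s]+)\)\s+gid=(\d+)\(([^)\s]+)\)")


@dataclass
class Packet:
    """Minimal stand-in for a decoded TCP segment (constructed for the example)."""
    src_port: int
    dst_port: int
    payload: bytes


def content_match(pkt: Packet) -> bool:
    """Plain Snort-style content match: the needle anywhere in the payload."""
    return NEEDLE in pkt.payload


def root_id_response(pkt: Packet) -> Optional[dict]:
    """Stricter check: payload looks like genuine `id` output; reports whether uid is 0."""
    m = ID_OUTPUT.search(pkt.payload)
    if not m:
        return None
    uid = int(m.group(1))
    return {
        "uid": uid,
        "user": m.group(2).decode(),
        "gid": int(m.group(3)),
        "root": uid == 0,
    }


# Constructed sample traffic, server -> client direction in each case.
SAMPLE_PACKETS = [
    # 1. Response on a reverse-shell channel after a successful privilege escalation.
    Packet(4444, 51234, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    # 2. Same channel, but the shell is still unprivileged.
    Packet(4444, 51234, b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    # 3. An HTTP response that happens to contain the string in page text.
    Packet(80, 51235, b"HTTP/1.1 200 OK\r\n\r\n<p>The rule matches uid=0(root) in responses</p>"),
]


def triage(pkt: Packet) -> str:
    """Combine both checks into the verdict an analyst would want."""
    info = root_id_response(pkt)
    if info is not None and info["root"]:
        return "root id output"
    if info is not None:
        return "non-root id output"
    if content_match(pkt):
        return "string only (probable false positive)"
    return "no match"


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.src_port, "->", pkt.dst_port, ":", triage(pkt))
```

Note that packets 1 and 3 both trip the plain content match, which is exactly why a rule like this belongs on the response direction of a session you already consider suspicious (or is paired with flow and port constraints) rather than on all traffic; the third packet is the kind of benign hit such a rule produces on a busy network.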