Easy, realtime, system-wide Shellshock monitoring

By Loris Degioanni - SEPTEMBER 25, 2014


The world hasn’t had time to recover from the chaos generated from the Heartbleed OpenSSL bug, and we already have another massive vulnerability jeopardizing the whole internet. The CVE-2014-6271, also known as “Shellshock”, targets bash, the most popular unix shell in the world, with a malicious environment variable that allows arbitrary execution.

Detecting Shellshock Intrusions Since the bug is still very fresh and the patches are still under validation, it’s critical to detect and log attack attempts to your systems. The typical way to do it is through network intrusion detection systems like snort, but this approach is less than ideal:

  • It works by looking at the network payloads containing the attack signature, which can generate false positives, because you can’t know if the payload actually generated a bash execution.
  • It only sees network attacks coming from well known protocols, while Shellshock can come from a number of vectors, several of which have probably not been discovered yet. This means that many successful attacks could be missed. Fortunately,

sysdig can help.

The Shellshock Chisel Using sysdig to capture all the bash executions is trivial*, but in order to make things even easier, we spent a couple hours today putting together a new sysdig release that contains a new chisel called

shellshock_detect. The chisel captures all the bash executions for which the environment variables match the Shellshock signature, and for each of them it prints * The time * The victim process’ name and pid (ie. the process that has been attacked with the malicious payload and that will execute bash) * The injected function (i.e. what bash is going to execute)

tl;dr: Taking Direct Action Want to see what happens on your machines? Just

update sysdig, and then run: sysdig -c shellshock_detect If somebody is attacking you, you will start seeing an output similar to this:

TIME                  PROCNAME              PID     FUNCTION
13:51:18.779785087    apache2               2746    () { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd
13:52:31.459230424    dhclient              2896    () { :;} ; echo busted

See here for the source code, if you’re curious about how the chisel works. We’re constantly working to come up with new and interesting uses for sysdig – if you have any ideas, we’d love to hear them. Comment below or tweet @sysdig. Stay safe out there.   **For example, try:*

sysdig "proc.name contains bash and evt.type=execve and evt.dir = <"

Subscribe and get the latest updates