Easy, realtime, system-wide Shellshock monitoring

Published on September 25, 2014
The world hasn’t had time to recover from the chaos generated by the Heartbleed OpenSSL bug, and we already have another massive vulnerability jeopardizing the whole internet. CVE-2014-6271, also known as “Shellshock”, targets bash, the most popular Unix shell in the world, with a malicious environment variable that allows arbitrary command execution.

Detecting Shellshock Intrusions

Since the bug is still very fresh and the patches are still under validation, it’s critical to detect and log attack attempts against your systems. The typical way to do it is through network intrusion detection systems like Snort, but this approach is less than ideal:
  • It works by looking at the network payloads containing the attack signature, which can generate false positives, because you can’t know if the payload actually generated a bash execution.
  • It only sees network attacks coming from well-known protocols, while Shellshock can come from a number of vectors, several of which have probably not been discovered yet. This means that many successful attacks could be missed.
Fortunately, sysdig can help.

The Shellshock Chisel

Using sysdig to capture all the bash executions is trivial*, but in order to make things even easier, we spent a couple hours today putting together a new sysdig release that contains a new chisel called shellshock_detect. The chisel captures all the bash executions for which the environment variables match the Shellshock signature, and for each of them it prints
  • The time
  • The victim process’ name and pid (i.e. the process that has been attacked with the malicious payload and that will execute bash)
  • The injected function (i.e. what bash is going to execute)
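
The matching step described above can be sketched as follows. This is an added example, not the chisel's source or any sysdig code; it assumes the signature is a variable value beginning with `() {` (as in the sample output in this post) and that the environment arrives as a NUL-separated block in the /proc/<pid>/environ layout. The names `Hit`, `parse_environ`, `scan_exec`, `scan_all` and the sample events are hypothetical and constructed for illustration.

```python
from typing import NamedTuple

# Assumed signature: a value that opens with a bash function definition,
# "() {", as both sample payloads in this post do.
SIGNATURE = b"() {"

class Hit(NamedTuple):
    procname: str   # process that is about to run bash
    pid: int
    variable: str   # environment variable carrying the payload
    function: str   # full value, i.e. what bash would parse

def parse_environ(block: bytes) -> list[tuple[bytes, bytes]]:
    """Split a NUL-separated block (the /proc/<pid>/environ layout)."""
    pairs = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")  # value may itself contain '='
        if sep and name:                          # drop empty/malformed entries
            pairs.append((name, value))
    return pairs

def scan_exec(procname: str, pid: int, exe: str, environ: bytes) -> list[Hit]:
    """Return one Hit per matching variable, only when the exec target is bash."""
    if "bash" not in exe.rsplit("/", 1)[-1]:
        return []
    return [
        Hit(procname, pid, n.decode(errors="replace"), v.decode(errors="replace"))
        for n, v in parse_environ(environ)
        if v.startswith(SIGNATURE)
    ]

# Constructed sample events: (process name, pid, exec target, environment block).
EVENTS = [
    ("httpd", 4101, "/bin/bash",
     b"PATH=/usr/bin\0HTTP_USER_AGENT=() { :;} ; echo busted\0QUERY_STRING=a=b\0"),
    ("sshd", 4102, "/bin/bash", b"PATH=/usr/bin\0TERM=xterm\0NOTE=see () { docs\0"),
    ("cron", 4103, "/usr/bin/python3", b"X=() { :;}; echo ignored\0"),
]

def scan_all(events=EVENTS) -> list[Hit]:
    """Scan every event and flatten the hits into one list."""
    return [hit for ev in events for hit in scan_exec(*ev)]

if __name__ == "__main__":
    for h in scan_all():
        print(f"{h.procname:<10} {h.pid:<6} {h.variable:<18} {h.function}")
```

A prefix match like this also fires on functions that bash itself exports to child shells, since those are encoded with the same leading `() {`, so hits still need a look at which variable carried the value.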

tl;dr: Taking Direct Action

Want to see what happens on your machines? Just update sysdig, and then run:
sysdig -c shellshock_detect
If somebody is attacking you, you will start seeing an output similar to this:
TIME                  PROCNAME              PID     FUNCTION
13:51:18.779785087    apache2               2746    () { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd
13:52:31.459230424    dhclient              2896    () { :;} ; echo busted
See here for the source code, if you’re curious about how the chisel works. We’re constantly working to come up with new and interesting uses for sysdig – if you have any ideas, we’d love to hear them. Comment below or tweet @sysdig. Stay safe out there.

*For example, try:
sysdig "proc.name contains bash and evt.type=execve and evt.dir = <"
