Shellshock Vulnerability Test and Fix

Hello Gregorious

Sept 25, 2014: A major vulnerability was discovered in Bash, affecting OS X.
That vulnerability, dubbed Shellshock or Bash Bug, is a 10 out of 10 on the clusterf**k scale. It is really serious.
You are urged, first, to check whether your system is affected and, second, to patch the vulnerability as soon as you can.

Apple Update!
Apple has (finally) released Bash updates for Lion, Mountain Lion and Mavericks.
All users are strongly advised to update to the latest Bash version, 3.2.53(1), to patch the recently found Shellshock / BashBug vulnerability.

As of Oct 1st, the update for 10.9 is not yet available through OS X Software Update. The updates are available for download and install here:

OS X Lion: http://support.apple.com/kb/DL1767
OS X Mountain Lion: http://support.apple.com/kb/DL1768
OS X Mavericks: http://support.apple.com/kb/DL1769

As of Oct 1st, 7:00 AM EST, the following is deprecated, unless you are still on 10.6 (Snow Leopard) or below.



Update Sept 26:
>>> DO NOT USE "Tools" or "Apps" downloaded from the Internet that pretend to fix this bug: phishing attempts and worms have already been reported.
Only trust genuine patches, i.e. those from Apple Inc.
See also the bottom of the page for extra precautions.

Update Sept 27:

The vulnerability has been downgraded for OS X. A statement from Apple sent to CNET points out that:
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an emailed statement from Apple to CNET said.
"Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems," it continues. "With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."  (source: CNET)

Other reliable sources have also tested the bug and found that DHCP was "safe" on OS X.


Nevertheless, other reliable sources are less certain and still recommend patching.
Until an official patch has been released, I would use caution. I will let you decide. 


How to check: 
Open Terminal
Type (or copy/paste) the following command line (Verbatim)

env x='() { :;}; echo vulnerable' bash -c 'echo hello'


If your system is vulnerable to Shellshock, you will see "vulnerable" followed by "hello".



If your system is safe from Shellshock, you should see something like:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X

The fix:

In Terminal:  
>> Note: Do not type the $ sign, it's the indication that you have to enter that line in Terminal and execute. 
Note: You MUST have Xcode installed 
Note: You MUST have Xcode installed
Note: READ the above again 

$ mkdir bash-fix 
$ cd bash-fix 
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf - 
$ cd bash-92/bash-3.2 
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0 
$ cd .. 
$ xcodebuild 
$ sudo cp /bin/bash /bin/bash.old 
$ sudo cp /bin/sh /bin/sh.old 
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release 
$ build/Release/sh --version # GNU bash, version 3.2.52(1)-release 
$ sudo cp build/Release/bash /bin 
$ sudo cp build/Release/sh /bin
$ sudo -K


Then check the install and version:
$ bash --version

The answer should be:
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13) Copyright (C) 2007 Free Software Foundation, Inc.

 
Then Re-Test for the vulnerability: 
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello' 


Vulnerability seems to be Gone!  :)  
You're a bit safer now!  Now wait for an official update

For security purposes, and once you have tested that your Terminal and Bash are working properly, it is recommended that you chmod -x the old Bash versions to ensure they aren't re-used without your consent. Alternatively, you could move the old bash to a backup/new location.

Type/copy 
$ sudo chmod a-x /bin/bash.old /bin/sh.old
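
As an added example (not part of the original post, and not Apple's or the Bash project's code), the script below runs the two test commands shown under "How to check" against each shell binary, including the .old backups, so you can confirm that the active shells are patched and the backups are no longer executable. The function names and the scratch-directory name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run both checks shown on this
# page against each shell binary, including the .old backups from "The fix".

# Classify stdout of: env x='() { :;}; echo vulnerable' SHELL -c 'echo hello'
classify_first_test() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;  # the trailing command was executed
        *hello*)      echo patched ;;     # only the intended command ran
        *)            echo unknown ;;     # the shell produced no usable output
    esac
}

# Print "<test1> <test2>" for one shell path, or "not-executable".
check_shell() {
    shell=$1
    [ -x "$shell" ] || { echo not-executable; return 0; }
    # Test 1: the command from "How to check"; warnings go to stderr, dropped.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null) || true
    first=$(classify_first_test "$out")
    # Test 2: the second command shown on the page. An affected shell writes a
    # file named "echo" in the current directory, so run it in a scratch dir.
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/shcheck.XXXXXX") || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then second=vulnerable; else second=patched; fi
    rm -rf "$tmp"
    echo "$first $second"
}

# Paths are the ones used in the post; missing files are skipped.
for s in /bin/bash /bin/sh /bin/bash.old /bin/sh.old; do
    if [ -e "$s" ]; then
        printf '%s: %s\n' "$s" "$(check_shell "$s")"
    fi
done
```

After the chmod step above, the two .old entries should report not-executable; any line containing "vulnerable" for /bin/bash or /bin/sh means that binary still needs patching.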

If you have Homebrew, you should also update it.
Do you have Homebrew?
Well...
In Terminal, type
$ brew --version
If you get "command not found", you don't have it.
If you see a version, you have it, and thou shalt update it.

What is Bash?
Bash stands for Bourne Again Shell.
It's an extremely powerful command interpreter that allows you to do pretty much anything.
If you are not familiar with Bash, or with Unix-like command-line shells, I would suggest that you review/learn the basics:
Learning Unix for OS X: Going Deep With the Terminal and Shell
The Linux Command Line: A Complete Introduction
 
Troubleshooting:
- When something is b0rken, always double-check the spelling, especially with Terminal and Bash.
- With the command $ xcodebuild you get "Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo."
>> Enter "sudo xcodebuild" and then follow the instructions until you see the "Agree, cancel, print" message

Extra precaution:
It's only been 24 hours, and we already see worms and hackers attempting to use Shellshock. Nobody is really sure about the implications and breadth of this issue, so I would highly recommend that you:
1- Keep an eye open for an official Apple patch
2- Just in case, install a free antivirus/antimalware for Mac such as Sophos Home Edition. Repeat: free, don't fall for the premium. An antivirus/antimalware does not protect against Shellshock, but could prevent you from installing a "loaded" app

  

10 comments:

  1. Damn haven't seen a post from you in a long time. Thanks for the update.

  2. heya
    thanks very much for this very quick response to shellshock! I really appreciate it and followed the instructions, what I found is that my bash is version 3.2.48 and not the one you mentioned. What do I do about that? Do I have to change it? If so, how?

    Thanks in advance M

    Replies
    1. if you have tested with the line: env x='() { :;}; echo vulnerable' bash -c 'echo hello'
      AND you have received an answer that states "Vulnerable Hello"
      then follow what is indicated under "The Fix"

      Due to the severity of this vulnerability, I am kindly asking you to forward this page to anyone you know.
      Thanks

  3. Hi,
    I am running Snow Leopard 10.6.8 on older Mac Mini. The test shows the computer is vulnerable.

    Xcode is not installed on my Mac Mini and I've tried searching the internet for Xcode but have been unable to find a version that will run on this machine.

    Any ideas? Thanks.

    ReplyDelete
    Replies
    1. Hello,
      Use the install DVD that was provided with your Mac mini, Xcode is in it. (tools)
      Otherwise, you can download Xcode 3.2 from the Apple Developer page (may need to register (free))
      Due to the severity of this vulnerability, I am kindly asking you to forward this page to anyone you know, either by email, Facebook or twitter.
      Thanks

  4. Hi, I tried this patch and it worked, but ever since my machine will take 20 minutes or more to boot. Do you have any idea why? Can I revert this? check something? I can't install any updates either, while restarting, it will enter some kind of empty desktop called "software update" instead of "finder" and remain there forever. Must force-shutdown and updates are never made. Thanks

    Replies
    1. Hello,
      I am very surprised by what you are saying, you are the only one with such issue. Let's attempt to find a solution:
      1) what's your OS and machine?
      2) have you installed something else?
      3) have you tried to re-install the patch? just in case something went wrong?
      4) " it will enter some kind of empty desktop called "software update" instead of "finder" >> WUT?
      5) " Must force-shutdown and updates are never made " WUT #2?
      6) I can't install any updates either. >> Updates are made via App Store or via Software Update. What updates are you talking about?
      7) " Can I revert this? " >> easy way is Time Machine

  5. Hi, Sorry to leave the issue open, but I had to act fast and erase my disk + restore from the last backup. I cannot say if the Patch was a catalyst for that or it was coincidental, the truth is, I had already some issues with the hard drive and perhaps this operation was too much for it. After experiencing what I described before, disk utility being unable to repair the disk, it was obvious that everything was messed up. Xcode is apparently not saved in the time machine data, because all of a sudden it's not installed, so I cannot apply the patch by now. I'll report if anything unusual happens after setting this up again. For more hints the machine is a 2011 MacBook Pro running Lion...

    Replies
    1. "I had already some issues with the hard drive and perhaps this operation was too much for it."
      >> That would -most likely- explain the 20 min boot

      >> Apple has released an official patch today where you do not need Xcode, see above in Apple Update.

      "I cannot say if the Patch was a catalyst for that"
      >> Again, I doubt it, I have no proof, but only the fact that you are the only one reporting an issue.

      I would in any case, keep an eye on your hard drive, and even check for bad sectors: I can smell a rat...
      Good luck
