Check and Fix the Shellshock Exploit on Mac OS X

Since I switched to Mac in 2011, I do not keep that much track of vulnerabilities as I did running Windows as my main system. However, the recently announces Shellshock exploit got my attention. As Apple has no patch in place by today, I went for a manual path of the bash shell. Only precondition is Apple’s Xcode being installed on your system.

First, checking whether your  system is vulnerable, you simply need the following bash script being run:

env x='() { :;}; echo not' bash -c 'echo safe'

In my case, unfortunately, I got a

not
safe

on my shell, running Mac OS X 10.9.4. Checking the version is simple done as following:

bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

In case you passed the check, you should run a second one, as since Thursday, there is a second attack vector knwon

env X='(){(a)=>\' bash -c "echo date"; cat echo; rm -f echo

The good news, not vulnerability from this vector.

date
cat: echo: No such file or directory

In case one would get the current date and time, there would be vulnerability, too.

As there is no patch from Apple right now, there is an possibility to build an update manually from the GNU repositories.

mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
sudo xcodebuild

In case you are vulnerable to the second vector, there is a another path to be applied:

mv build/bash.build/Release/bash.build/DerivedSources/y.tab.* bash-3.2/
cd bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
cd ..
sudo xcodebuild

By running

bash-fix/bash-92/build/release/bash --version 
bash-fix/bash-92/build/release/sh --version

you should be able to verify the version of the fix.

GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

Before replacing the old version, I backup the original bits.

sudo cp /bin/bash /bin/bash.3.2.51.bak
sudo cp /bin/sh /bin/sh.3.2.51.bak

Now you can replace the original ones by

sudo cp bash-fix/bash-92/build/Release/bash /bin
sudo cp bash-fix/bash-92/build/Release/sh /bin

Once this is done, you can check for the exploit again

env x='() { :;}; echo not' bash -c 'echo safe'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
safe

Once verified, you can get rid of the bash-fix folder and your system should be safe from this exploit.

 

Leave a Reply