Fix Shellshock Bash Vulnerability in OSX Bash

The GNU Bash vulnerability referred to as Shellshock, or the Bash Bug, was found on Sep 24, 2014. The Shellshock vulnerability is very widespread, even more so than the OpenSSL Heartbleed bug, so it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible.

What is Shellshock

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

To learn more about Shellshock, read an amazing article from Troy Hunt.

Check System Vulnerability

You can check the system for the Shellshock vulnerability by running the following command in bash:

env Y='() { :;}; echo I am vulnerable!' bash -c "echo This is Bash"

If your version of Bash is vulnerable, you will see the following output:

I am vulnerable!
This is Bash

Instead of the echo I am vulnerable! portion, an attacker can run any command: Bash executes arbitrary code that follows a function definition within an environment variable assignment. If your system doesn't have the Shellshock vulnerability, you will see the following output:

bash: warning: Y: ignoring function definition attempt
bash: error importing function definition for `Y'
This is Bash

How to fix in Mac OSX

If your bash is vulnerable, you can install the latest version of bash as follows, provided that you have Xcode installed:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

Once you have installed it, check your bash version (bash --version); it should be GNU bash, version 3.2.53(1)-release.

For security reasons, you have to remove the executable permission from the older bash:

$ sudo chmod a-x /bin/bash.old /bin/sh.old

That's it. Keep in mind that this fix is temporary. We have to wait for the real fix until Apple releases it.
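
To confirm the result, here is an added example (not part of the original post): a POSIX sh script that runs the same probe as the one-liner above against each shell binary and reports whether the backups are still executable. The canary string and the function names are constructed for this example, and it tests only the probe shown on this page.

```shell
#!/bin/sh
# Added example: audit shell binaries for the Shellshock function-import bug.
# CANARY, shellshock_status and audit_shells are names made up for this example.
CANARY='shellshock-canary-7f3a'

# Prints one of: missing | not-executable | vulnerable | patched | unknown
shellshock_status() {
    shell=$1
    [ -e "$shell" ] || { echo missing; return 0; }
    # The .old backups should land here after "chmod a-x".
    [ -x "$shell" ] || { echo not-executable; return 0; }
    # Same probe as the one-liner: a function definition followed by a
    # trailing command. Only a vulnerable Bash runs the trailing command
    # while importing the variable, so only then does the canary appear.
    out=$(env Y="() { :;}; echo $CANARY" "$shell" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *"$CANARY"*)  echo vulnerable ;;
        *probe-done*) echo patched ;;
        *)            echo unknown ;;   # binary did not run the probe at all
    esac
}

# Print one status line per path given on the command line.
audit_shells() {
    for s in "$@"; do
        printf '%-16s %s\n' "$s" "$(shellshock_status "$s")"
    done
}

# The live shells and the backups created by the steps above.
audit_shells /bin/bash /bin/sh /bin/bash.old /bin/sh.old
```

After the fix, /bin/bash and /bin/sh should report patched and the two .old files should report not-executable.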

If you are using a Linux distribution, please read the Digital Ocean blog on Shellshock.
