Shellshock

Posted by Jim Jagielski on Friday, September 26. 2014 in Programming

UPDATED: Sept 29, 2014 with current OSX Bash patch

First of all, when this was first found, we were looking for a cool name... It was found.

Anyway, as noted here [https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/] the shellshock vulnerability is pretty nasty. What's interesting is that, in general, the *BSD variants aren't as vulnerable as other *NIX platforms, simply because the default shell on BSD is still the Bourne shell (the "real" sh) and not Bash itself (on Linux and OSX, for example, /bin/sh is either a copy of or a link to /bin/bash).

Even so, BSD systems are not immune by any stretch of the imagination, since one attack vector is via web servers and CGI, and it's likely that there are numerous CGI scripts that require or use Bash. So no matter what, patch your systems.

However, as of this writing, Apple has NOT provided any patch for OS X. I'm running 10.9.5 and patched my systems using the steps below:

$ mkdir bash-new
$ cd bash-new
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar xvf -
## If you get a Cert error, add the -k option to curl
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version
##GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
##Copyright (C) 2007 Free Software Foundation, Inc.
$ build/Release/sh --version
##GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
##Copyright (C) 2007 Free Software Foundation, Inc.
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
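Once the rebuilt binaries are in place, it is worth confirming that they actually no longer import a command that trails a function definition in the environment, which is the behaviour the Red Hat post linked above describes. The script below is an added example and not part of the original post: a POSIX shell function that runs a given bash binary with one crafted environment variable and reports whether the trailing command was executed, plus a helper that reads the version string the post checks with --version. The function names and the probe variable name are this example's own; the default binary is whatever bash is first in PATH, and any path can be passed instead (for example the /bin/bash.old backup the steps above leave behind).

```shell
#!/bin/sh
# Added example (not from the original post): report whether a bash binary is
# still affected by the environment-variable function-import bug (Shellshock).
# check_shellshock, check_all, bash_version and shellshock_probe are names
# chosen for this example.
#
# check_shellshock [path-to-bash]   prints "vulnerable", "not vulnerable",
#                                   "missing" or "error"; returns 1, 0, 2 or 2.

check_shellshock() {
    bash_bin="${1:-bash}"

    # Never report "not vulnerable" for a binary that simply is not there.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi

    # Crafted environment variable: a function body followed by a trailing
    # command. An unpatched bash runs the trailing command while importing
    # the function from the environment; a patched bash leaves the value alone
    # and treats it as an ordinary string variable. The child command itself
    # only prints "ok", so the marker word can come from nowhere else.
    out=$(env shellshock_probe='() { :;}; echo PROBE_EXECUTED' \
              "$bash_bin" -c 'echo ok' 2>/dev/null) || out=""

    case "$out" in
        *PROBE_EXECUTED*) echo vulnerable;       return 1 ;;
        *ok*)             echo "not vulnerable"; return 0 ;;
        *)                echo error;            return 2 ;;
    esac
}

# Print just the version number from "bash --version" (e.g. 3.2.54), the
# same string the post inspects after building the patched binaries.
bash_version() {
    "${1:-bash}" --version 2>/dev/null |
        sed -n '1s/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# Check every binary named as an argument, printing one line per binary, and
# return 1 if any of them is still vulnerable (missing/error do not count).
check_all() {
    rc=0
    for b in "$@"; do
        status=0
        result=$(check_shellshock "$b") || status=$?
        printf '%s: %s\n' "$b" "$result"
        if [ "$status" -eq 1 ]; then
            rc=1
        fi
    done
    return "$rc"
}

# When run directly, report on the binaries given on the command line,
# e.g.:  sh check.sh /bin/bash /bin/sh /bin/bash.old
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

The version number alone is a weak signal: 3.2.54 is what the three patches above produce, but GNU released further Shellshock-related patches for bash 3.2 after this post, so the behavioural probe in check_shellshock is the check to rely on, and it should be run against both /bin/bash and /bin/sh since the post replaces both. Running it against the .old backups is a quick way to see the before/after difference on the same machine.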

