Since I switched to Mac in 2011, I do not keep that much track of vulnerabilities as I did running Windows as my main system. However, the recently announces Shellshock exploit got my attention. As Apple has no patch in place by today, I went for a manual path of the bash shell. Only precondition is Apple’s Xcode being installed on your system.
First, checking whether your system is vulnerable, you simply need the following bash script being run:
env x='() { :;}; echo not' bash -c 'echo safe'
In my case, unfortunately, I got a
not
safe
on my shell, running Mac OS X 10.9.4. Checking the version is simple done as following:
bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
In case you passed the check, you should run a second one, as since Thursday, there is a second attack vector knwon
env X='(){(a)=>\' bash -c "echo date"; cat echo; rm -f echo
The good news, not vulnerability from this vector.
date
cat: echo: No such file or directory
In case one would get the current date and time, there would be vulnerability, too.
As there is no patch from Apple right now, there is an possibility to build an update manually from the GNU repositories.
mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
sudo xcodebuild
In case you are vulnerable to the second vector, there is a another path to be applied:
mv build/bash.build/Release/bash.build/DerivedSources/y.tab.* bash-3.2/
cd bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
cd ..
sudo xcodebuild
By running
bash-fix/bash-92/build/release/bash --version
bash-fix/bash-92/build/release/sh --version
you should be able to verify the version of the fix.
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
Before replacing the old version, I backup the original bits.
sudo cp /bin/bash /bin/bash.3.2.51.bak
sudo cp /bin/sh /bin/sh.3.2.51.bak
Now you can replace the original ones by
sudo cp bash-fix/bash-92/build/Release/bash /bin
sudo cp bash-fix/bash-92/build/Release/sh /bin
Once this is done, you can check for the exploit again
env x='() { :;}; echo not' bash -c 'echo safe'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
safe
Once verified, you can get rid of the bash-fix folder and your system should be safe from this exploit.