The Shellshock Bug & Workaround

NB: Apple has released the following patches:

This was tested on 10.9.5.

A new vulnerability has been discovered in the bash shell which is affectionately being called “shellshock”. It’s worth pointing out that this is quite serious and should be addressed.

There are some comments on blogs stating that “it’s not as bad as we think” so I will take a moment to explain what it could mean to you so you can make up your own mind.

The bash shell is built into almost every Mac OS X system (I say almost, as some clever person may have decided to remove it from their Mac). The deep, technical description taken from the following site is:

“Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

For example, an environment variable setting of:

  VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.”

Source: http://seclists.org/oss-sec/2014/q3/650

In a nutshell, this means that affected versions of bash will run, without question, whatever commands follow a function definition stored in an environment variable. An attacker can very easily add their own “bits” to such a variable to give them access to your Mac and do as they wish.

From what I can gather it seems like this is only really a problem for computers that have some kind of external access enabled such as SSH or a web service. Some people have said “well that’s ok, I’m not running a web server”. The problem is, you probably are.

A lot of applications start up a small web service to perform their functions, not to mention the cups service running on port 631 that is accessible through a web browser by going to http://localhost:631.

I took a look at my Mac to do a quick port scan and see if I could “lock things down” but have decided that will be ultimately unachievable without a lot of work.

After a bit of digging, I decided that upgrading my bash shell was the simplest course of action so here are some instructions.

How to upgrade bash in OS X to version 4.3.25 to avoid the shellshock attack:

It’s probably worth checking first that you are affected. Run the following command in the terminal; if you are vulnerable, it will print “vulnerable” before “hello”:

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'

You can also check the actual version you are using:

 bash --version

You’ll get an output something like:

dave$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

It affects versions 1.13 (22 years ago) up to 4.3. I’m running 3.2.51 which is affected.

To start the upgrade process, install brew from the command-line by entering the following command and pressing return:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Quick note – I had Xcode installed on my Mac but I hadn’t launched it since a recent update, so the above command complained that it couldn’t run properly. I just had to launch Xcode, accept the Ts & Cs and then re-run the command.

Once complete, install the newest version of bash:

brew install bash

In my case it put it into /usr/local/Cellar/bash/4.3.25/bin/bash. The standard place for bash is /bin/bash.

Finally, you can either edit /etc/shells to remove /bin/bash and add the correct path to your new version or replace (after backing up) the default version of bash.

If you do opt to change the path in /etc/shells, make sure you also change the default shell in your user record.

The default shell can be changed from System Preferences or with dscl, but all three options just modify /var/db/dslocal/nodes/Default/users/user.plist

I just backed up the existing /bin/bash with:

mv /bin/bash ~/Desktop/

and dropped in the new version with:

dave$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

So I am running 4.3.25 which isn’t affected.

As a final check, I ran the env check again, which should no longer print “vulnerable”.
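
The env one-liner only tests whichever bash comes first on your PATH, and after this upgrade there can be several copies on disk (/bin/bash, /bin/sh, the Homebrew build). As an added example (not part of the original post), this script runs the same test against every bash or sh listed in /etc/shells and against the Homebrew path mentioned above; the function names and the marker string are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit every bash-like binary for the function-import flaw,
# instead of only the first `bash` found on PATH.
MARKER=SHELLSHOCK_MARKER   # constructed string, only used to spot the leak
BREW_BASH=/usr/local/Cellar/bash/4.3.25/bin/bash   # path quoted in the post

# Turn the probe's stdout into a verdict.
classify_probe() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;  # the trailing command was executed
        *probe*)     echo ok ;;          # only the requested command ran
        *)           echo error ;;       # the binary did not run the command
    esac
}

# Run the post's env test against one specific binary ($1).
check_shell() {
    if [ ! -x "$1" ]; then echo missing; return 0; fi
    # env -i gives the child a clean environment holding only the test variable.
    out=$(env -i x="() { :;}; echo $MARKER" "$1" -c 'echo probe' \
          </dev/null 2>/dev/null) || true
    classify_probe "$out"
}

# Check each bash or sh entry in a shells file ($1, normally /etc/shells).
# Comment lines and other shells (zsh, tcsh, ...) are skipped.
audit_shells() {
    while IFS= read -r path; do
        case "$path" in
            /*/bash|/*/sh) echo "$path $(check_shell "$path")" ;;
        esac
    done < "$1"
    return 0
}

# Stand-alone run: the registered shells plus the Homebrew copy.
if [ -r /etc/shells ]; then audit_shells /etc/shells; fi
echo "$BREW_BASH $(check_shell "$BREW_BASH")"
```

Any line ending in "vulnerable" names a binary that still needs replacing or patching, even if the `bash` you get by default is already the new one.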


Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

30 Replies to "The Shellshock Bug & Workaround"

  • Clinton Dyches

    Had a problem, an Error:

    In order to use this build of bash as your login shell,
    it must be added to /etc/shells.
    Error: The `brew link` step did not complete successfully
    The formula built, but is not symlinked into /usr/local
    Could not symlink share/locale/de/LC_MESSAGES/bash.mo
    /usr/local/share/locale/de/LC_MESSAGES is not writable.

    What did I do wrong?

    Clinton

  • Is that an error installing brew or installing the new bash?

    I ran mine with an admin account (it didn’t need root for the “brew install bash” part)

  • Shafiq

    I followed your guidance but following problem occurred, any suggestions pls. My e-mail: shafiq@me.com

    Last login: Thu Sep 25 18:18:50 on console
    Shafiqs-MacBook-Air:~ mdshafiqulislam$ env x=' () { :;}; echo vulnerable' bash -c 'echo hello'
    hello
    Shafiqs-MacBook-Air:~ mdshafiqulislam$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    vulnerable
    hello
    Shafiqs-MacBook-Air:~ mdshafiqulislam$ bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin14)
    Copyright (C) 2007 Free Software Foundation, Inc.
    Shafiqs-MacBook-Air:~ mdshafiqulislam$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

    ==> This script will install:
    /usr/local/bin/brew
    /usr/local/Library/…
    /usr/local/share/man/man1/brew.1

    Press RETURN to continue or any other key to abort
    ==> /usr/bin/sudo /bin/mkdir /usr/local

    WARNING: Improper use of the sudo command could lead to data loss
    or the deletion of important system files. Please double-check your
    typing when using sudo. Type “man sudo” for more information.

    To proceed, enter your password, or type Ctrl-C to abort.

    Password:
    ==> /usr/bin/sudo /bin/chmod g+rwx /usr/local
    ==> /usr/bin/sudo /usr/bin/chgrp admin /usr/local
    ==> /usr/bin/sudo /bin/mkdir /Library/Caches/Homebrew
    ==> /usr/bin/sudo /bin/chmod g+rwx /Library/Caches/Homebrew
    ==> Downloading and installing Homebrew…
    remote: Counting objects: 199617, done.
    remote: Compressing objects: 100% (53993/53993), done.
    remote: Total 199617 (delta 144453), reused 199600 (delta 144442)
    Receiving objects: 100% (199617/199617), 41.47 MiB | 675.00 KiB/s, done.
    Resolving deltas: 100% (144453/144453), done.
    From https://github.com/Homebrew/homebrew
    * [new branch] master -> origin/master
    HEAD is now at 9c878d0 nginx: fix passenger caveat
    ==> Installation successful!
    ==> Next steps
    Run `brew doctor` before you install anything
    Run `brew help` to get started
    Shafiqs-MacBook-Air:~ mdshafiqulislam$ brew install bash
    ==> Installing bash dependency: readline
    ==> Downloading http://ftpmirror.gnu.org/readline/readline-6.3.tar.gz

    curl: (28) Resolving timed out after 5555 milliseconds
    Trying a mirror…
    ==> Downloading http://ftp.gnu.org/gnu/readline/readline-6.3.tar.gz
    ######################################################################## 100.0%
    ==> Downloading https://gist.githubusercontent.com/jacknagel/d886531fb6623b60b2a
    ######################################################################## 100.0%
    ==> Patching
    patching file display.c
    patching file input.c
    patching file misc.c
    patching file patchlevel
    patching file readline.c
    patching file rltypedefs.h
    patching file util.c
    ==> ./configure --prefix=/usr/local/Cellar/readline/6.3.8 --enable-multibyte
    ==> make install
    ==> Caveats
    This formula is keg-only, which means it was not symlinked into /usr/local.

    Mac OS X provides similar software, and installing this software in
    parallel can cause all kinds of trouble.

    OS X provides the BSD libedit library, which shadows libreadline.
    In order to prevent conflicts when programs look for libreadline we are
    defaulting this GNU Readline installation to keg-only.

    Generally there are no consequences of this for you. If you build your
    own software and it requires this formula, you’ll need to add to your
    build variables:

    LDFLAGS: -L/usr/local/opt/readline/lib
    CPPFLAGS: -I/usr/local/opt/readline/include

    ==> Summary

  • That basically means that there was already a copy of that particular item already in /usr/local so it didn’t add another symlink to it. Can you run the brew command after that?

  • Lars Clasen

    Hi,

    when I tried to move /bin/bash to ~/Desktop/ I got a message that the permission was denied:

    ==> Pouring bash-4.3.25.mavericks.bottle.tar.gz
    ==> Caveats
    In order to use this build of bash as your login shell,
    it must be added to /etc/shells.
    ==> Summary

  • David

    I already had homebrew installed. When I ran brew install bash I got version 4.3.18 which is still vulnerable.

  • Al Chesson

    Thanks for offering to help with your work!
    So I followed the instructions–I’m no Unix Geek–and ended up with a file ‘bash-4.3.25.mavericks.bottle.tar.gz’ in /Library/Caches/Homebrew which I expanded.

    The last thing I can see in Terminal is:
    ==> Pouring bash-4.3.25.mavericks.bottle.tar.gz
    ==> Caveats
    In order to use this build of bash as your login shell,
    it must be added to /etc/shells.
    ==> Summary
    /usr/local/Cellar/bash/4.3.25: 59 files, 7.4M

    So do I just copy the entire unzipped contents of the mavericks.bottle.tar.gz archive to /etc/shells and reboot or is it only certain files that need to go there or is anything else necessary?
    Your advice is much appreciated!

  • David Acland

    Hi Lars,

    To use mv you will probably need to add sudo in front of it.

    Al, /etc/shells is a file that stores the paths to available shells. You just need to add a line specifying where your newly downloaded binary is stored and remove the /bin/bash entry.

    Personally I went for moving the old /bin/bash and copying the newly downloaded binary file into its place. Saved messing around with the shells file.

  • Hi David,

    These instructions might be a bit drastic – updating bash from v.3 to v.4 can affect how bash works significantly. Another way is just to patch the native version of bash with the latest fix. The instructions here worked for me:

    http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

    This will get you the latest patch of bash version 3.2, which is the version shipped with all current versions of OS X.

  • Hi Graham,

    If that works for you then that sounds good. I would really like to see an official OS X security patch, particularly for our customers, but this vulnerability was significant enough that in certain cases we needed to take action now.

    I wasn’t sure about the exact versions that are and aren’t affected as there seems to be a lot of conflicting info out there. The stack exchange link you posted says that 3.2.51 is still vulnerable while 4.3.25 does have the necessary patch which was my initial reason for going to v4.

    Anyway, glad to hear the lighter approach worked for you!

  • SunbeamRapier

    I get an error: curl: (35) Server aborted the SSL handshake

    I get the same error after running Xcode and accepting the T’S & C’s and letting it complete its install…

    Surely Apple will put out a fix for this?

  • r.s

    Hi, I can’t edit user.plist under /var/db/dslocal/nodes/Default/users/ because I can’t find it there and also nowhere on my Mac. I was using “Find any file” which normally finds every file! Hope you can help.

    If I can’t continue (and have to wait until the official patch), what are the required steps to undo/uninstall everything I did until after “brew install bash”, which worked fine?

    Many thanks!

  • Markus

    /bin/sh is also bash. Should also be replaced, but I don’t dare touching it.

  • Penjikent

    Ran without any problem on Snow Leopard 10.6.8. Moved the 4.3.25 version to /bin/bash Many thanks!

  • r.s

    Please answer re 12. I’m in the middle of the modifications and therefore still have Time Machine turned off. I started when there were no comments here, but at the moment, after reading about the problems people got, I tend to remove what I’ve installed until now… but what and how?

  • r.s

    Thanks David, but I’m afraid this would get too time-consuming for me. Please would you tell me how to uninstall what I had installed by following your procedure until after “brew install bash”? Many thanks.

  • r.s

    Thanks. OK I used “brew rm bash” which worked,
    but after reading a bit on http://superuser.com/questions/203707/how-to-uninstall-homebrew-osx-package-manager and the comments and following the link to https://gist.github.com/mxcl/1173223 and the comments there I’m really not sure what to do next to uninstall brew AND avoid any risks.

    I know I should have been reading ALL first before using your workaround but the link from http://macdailynews.com to your page didn’t make it clear that only “superusers” (or people with plenty of time to learn special terminal/scripting stuff) should go on. I really don’t have the time to learn all this at present.

    Now I feel like a “victim” and need clear instructions about what to do. As mentioned I have “Find any file” with which I can find any file or folder which might need removing.

    I really hope you can help before the weekend. Many thanks again!

  • r.s

    Hi, Since I couldn’t get an answer before the weekend and I had to backup,
    I decided to delete these two folders:
    – /usr/local
    – Library/Homebrew
    As far as I could see they contained only Homebrew files.
    Please confirm that this is enough.
    Many thanks!

  • I’ve tested the Mavericks version on my MacBook and a number of other machines I had available and it worked fine. The Apple patches are replacements for the bash and sh shells found in /bin.
