9/25/2014

Patching Bash "shellshock" on Apple Mac OS X 10.9.5

Given the recent bash vulnerability disclosure[1] most linux distributions have released patches. Unfortunately Apple still expected users to compile their patches into bash. If you were using Homebrew or Macport you were in better standing and simply had to create symlinks to the patched executables. I've documented the steps I had to take on my Mac desktop.

Compile
  1. mkdir bash
  2. cd bash/
  3. wget http://opensource.apple.com/tarballs/bash/bash-92.tar.gz
  4. tar zxvf bash-92.tar.gz
  5. cd bash-92
  6. cd bash-3.2/
  7. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
  8. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
  9. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
  10. cd ..
  11. xcodebuild
Verify
  1. /bin/bash --version
  2. ~/bash/bash-92/build/Release/bash --version
Install
  1. sudo mv /bin/bash /bin/bash.vulnerable sudo cp /bin/bash /bin/bash.vulnerable
  2. sudo mv /bin/sh /bin/sh.vulnerable sudo cp /bin/sh /bin/sh.vulnerable
  3. sudo chmod 0000 /bin/bash.vulnerable
  4. sudo chmod 0000 /bin/sh.vulnerable
  5. sudo cp ~/bash/bash-92/build/Release/bash /bin/
  6. sudo cp ~/bash/bash-92/build/Release/sh /bin/
  7. /bin/bash --version

References:
  1. https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
  2. http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
  3. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
  4. https://access.redhat.com/articles/1200223
  5. http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
  6. http://support.apple.com/kb/HT1222
  7. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00085.html
  8. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00228.html
  9. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00282.html
Labels: , , , , , , , , ,

15 comments:

  1. glazouThursday, 25 September 2014 at 19:12:00 GMT+10

    I just tried your steps above on 10.9.5 and the resulting bash is still vulnerable...

    ReplyDelete
  2. kushThursday, 25 September 2014 at 20:07:00 GMT+10

    Hi glazou,

    Did you follow the install step and then close your terminal and restart it? All new shell should use the patched version.

    Sincerely
    Kush

    ReplyDelete
  3. glazouThursday, 25 September 2014 at 23:07:00 GMT+10

    yes, yes, and yes.

    ReplyDelete
  4. glazouThursday, 25 September 2014 at 23:40:00 GMT+10

    Just did it again. Same result. See http://glazman.org/tmp/busted.png

    ReplyDelete
    Replies
    1. kushThursday, 25 September 2014 at 23:52:00 GMT+10

      Can you try forking bash, by typing bash and then run your test pls? i.e.

      Delete
  5. kushThursday, 25 September 2014 at 23:41:00 GMT+10

    Hi glazou,

    Sorry, don't know why its not working for you. I've tested on 10.7.5 and 10.9.5 and both seemed to patch ok.

    How are you testing if the shell is vulnerable?

    Sincerely
    Kush

    ReplyDelete
  6. Sharon WenFriday, 26 September 2014 at 04:03:00 GMT+10

    thank you a lot

    ReplyDelete
  7. UnknownFriday, 26 September 2014 at 07:01:00 GMT+10

    CVE-2014-7169 : env X='() { (a)=>\' sh -c "echo date"; cat echo

    ReplyDelete
  8. johannFriday, 26 September 2014 at 07:23:00 GMT+10

    env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"

    ReplyDelete
  9. UnknownFriday, 26 September 2014 at 14:11:00 GMT+10

    remove/replace sh with bash (ln -s the patched bash to /bin/sh)

    ReplyDelete
  10. glazouFriday, 26 September 2014 at 18:06:00 GMT+10

    Ok, I understood. The steps above are ok to fix __the original__ shellshock bug. But there is a second one (CVE-2014-7169), fix is pending.

    Original vulnerability, you should NOT see world vulnerable printed on console:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    Second vulnerability, you should NOT see a date printed on console :

    env X='() { (a)=>\' sh -c "echo date"; cat echo

    ReplyDelete
  11. Nichol BrummerSaturday, 27 September 2014 at 00:03:00 GMT+10

    1: course the vulnerability test can be done before the installing steps..
    2: the bash copied to /bin should get the right owner and permissions (chown and chmod)
    3: weird fact: a simple ls -l /bin/bash /bin/sh shows that the two executables differ in size, so they are not identical

    ReplyDelete
  12. AnonymousSaturday, 27 September 2014 at 01:09:00 GMT+10

    There is a bash32-053 patch pending. It is available on the oss-security list. Applying it after the bash32-052 patch and going through the directions above should close the latter CVE (unless they find another problem with it).

    http://www.openwall.com/lists/oss-security/2014/09/26/1

    Chet Ramey mentions pushing it out later today. I have not yet had the opportunity to test this.

    ReplyDelete
  13. UnknownMonday, 28 September 2015 at 18:41:00 GMT+10

    That's great blog,such a very innovative concept here.good job by blogger,Thank you so much for sharing this one, keep it up. - Apple Watch App Developers

    ReplyDelete

Subscribe to: Post Comments (Atom)