9/25/2014

Patching Bash "shellshock" on Apple Mac OS X 10.9.5

Given the recent bash vulnerability disclosure[1], most Linux distributions have released patches. Unfortunately Apple still expects users to compile the patches into bash themselves. If you were using Homebrew or MacPorts you were in better standing and simply had to create symlinks to the patched executables. I've documented the steps I had to take on my Mac desktop.

Compile
  1. mkdir bash
  2. cd bash/
  3. wget http://opensource.apple.com/tarballs/bash/bash-92.tar.gz
  4. tar zxvf bash-92.tar.gz
  5. cd bash-92
  6. cd bash-3.2/
  7. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
  8. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
  9. curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
  10. cd ..
  11. xcodebuild
Verify
  1. /bin/bash --version
  2. ~/bash/bash-92/build/Release/bash --version
Install
  1. sudo cp /bin/bash /bin/bash.vulnerable
  2. sudo cp /bin/sh /bin/sh.vulnerable
  3. sudo chmod 0000 /bin/bash.vulnerable
  4. sudo chmod 0000 /bin/sh.vulnerable
  5. sudo cp ~/bash/bash-92/build/Release/bash /bin/
  6. sudo cp ~/bash/bash-92/build/Release/sh /bin/
  7. /bin/bash --version

References:
  1. https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
  2. http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
  3. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
  4. https://access.redhat.com/articles/1200223
  5. http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
  6. http://support.apple.com/kb/HT1222
  7. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00085.html
  8. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00228.html
  9. http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00282.html

15 comments:

  1. I just tried your steps above on 10.9.5 and the resulting bash is still vulnerable...

  2. Hi glazou,

    Did you follow the install step and then close your terminal and restart it? All new shells should use the patched version.

    Sincerely
    Kush

  3. Just did it again. Same result. See http://glazman.org/tmp/busted.png

    Replies
    1. Can you try forking bash by typing bash and then running your test, please? i.e.

  4. Hi glazou,

    Sorry, don't know why it's not working for you. I've tested on 10.7.5 and 10.9.5 and both seemed to patch ok.

    How are you testing if the shell is vulnerable?

    Sincerely
    Kush

  5. CVE-2014-7169 : env X='() { (a)=>\' sh -c "echo date"; cat echo

  6. env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"

  7. remove/replace sh with bash (ln -s the patched bash to /bin/sh)

  8. Ok, I understood. The steps above are ok to fix __the original__ shellshock bug. But there is a second one (CVE-2014-7169), fix is pending.

    Original vulnerability, you should NOT see the word vulnerable printed on console:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    Second vulnerability, you should NOT see a date printed on console:

    env X='() { (a)=>\' sh -c "echo date"; cat echo

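The two tests quoted in the comment above, wrapped into a script that can be pointed at a shell binary before and after the install step in the post. This is an added example, not code from the original post or its comments; the function names and the use of a scratch directory for the second test are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): run the CVE-2014-6271 and
# CVE-2014-7169 tests from the comments against a given shell binary.
# Usage: sh shellshock_check.sh /bin/bash

# Returns 0 if the shell at $1 ignores code appended to a function definition
# in the environment (the original CVE-2014-6271 test), 1 if it executes it.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Returns 0 if the CVE-2014-7169 parser bug is absent, 1 if present. A
# vulnerable shell redirects the output of "date" into a file named "echo",
# so the test runs in a scratch directory and then looks for that file.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Runs both checks, prints a verdict per CVE, and returns 0 only if both pass.
check_shellshock() {
    shell="$1"
    [ -x "$shell" ] || { echo "$shell: not an executable"; return 2; }
    status=0
    if check_cve_2014_6271 "$shell"; then
        echo "$shell: CVE-2014-6271 not present"
    else
        echo "$shell: CVE-2014-6271 PRESENT"; status=1
    fi
    if check_cve_2014_7169 "$shell"; then
        echo "$shell: CVE-2014-7169 not present"
    else
        echo "$shell: CVE-2014-7169 PRESENT"; status=1
    fi
    return $status
}

# Check the shell given on the command line, e.g. /bin/bash or /bin/sh.
if [ $# -gt 0 ]; then check_shellshock "$1"; fi
```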
  9. 1: Of course the vulnerability test can be done before the install steps.
    2: the bash copied to /bin should get the right owner and permissions (chown and chmod)
    3: weird fact: a simple ls -l /bin/bash /bin/sh shows that the two executables differ in size, so they are not identical

  10. There is a bash32-053 patch pending. It is available on the oss-security list. Applying it after the bash32-052 patch and going through the directions above should close the latter CVE (unless they find another problem with it).

    http://www.openwall.com/lists/oss-security/2014/09/26/1

    Chet Ramey mentions pushing it out later today. I have not yet had the opportunity to test this.
