OSX Shellshock Bash Patch

jmmitc06

So for those who may have heard, there is an exploit in bash (a shell provided with most *unix distros) that allows for remote code injection and execution. This is not a major concern on personal devices and is only a real problem if other security problems are present (your account has root privileges, you have a CGI script that can change environment variables, etc.), but based on the security questions that arise in all of the computer threads that come up in the lounge, I thought I would post this. It's worth doing regardless since there isn't any real downside. Additionally, although most OSX users probably aren't mucking around in Terminal all day like us pasty white computer programmers, many programs and services use bash in the background.

Most of the *unix distros have already had this patch applied and you can fix it with a simple update (e.g. yum update). But Mac users, myself included, as of now do not have a fix from Apple. Luckily you can fix it yourself, and you don't need anything fancy. Here are the steps:

0a) If you don't have Xcode installed, download it for free from the App Store; you will need it to recompile bash.

0b) Now open a terminal and check if you are vulnerable by running this command:

Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the word 'vulnerable' prints to the terminal, you need to do the following steps in Terminal...

1) Download and compile the patch (the last step may take a while, but it was fast on my machine):

Code:
mkdir bash-fix
cd bash-fix
# Apple's bash 3.2 source, unpacked into bash-92/bash-3.2
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
# upstream patch 52 is the fix for the original bug (CVE-2014-6271);
# the follow-up fix for the second issue (CVE-2014-7169) is bash32-053,
# which this recipe does not apply
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
# builds bash and sh into build/Release/
xcodebuild

2) Back up the old bash just in case

Code:
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old

3) Verify the version of your new bash; you should get version 3.2.52(1)-release

Code:
build/Release/bash --version
build/Release/sh --version

4) Replace the old bash with your new patched version

Code:
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

5) Once you have the new copy moved over, mark the old one as non-executable

Code:
sudo chmod a-x /bin/bash.old /bin/sh.old

6) Enjoy your new shell until Apple gets around to making their own update, which will basically be the one you just did.

Again, this isn't a major security concern, but given the severity of what can be done with the exploit if there is even the smallest chink in your computer's security, it's worth fixing. After the patch is applied, run:

Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

and you will see the following:

Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

showing that bash can no longer inject code through 'env'
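The check and install steps above as one script. This is an added example, not code from the original post: it tests a bash binary for the bug checked in step 0b (CVE-2014-6271) and for the follow-up bug that later posts in this thread call the second issue (CVE-2014-7169, which the bash32-052 patch alone does not fix), prints the version from step 3, and performs steps 2, 4 and 5 against any root directory, so the same function installs into / or into another OS X install mounted under /Volumes. The function names, the report format, the CVE labels and the optional root argument are mine, not the thread's; the sample binaries used to exercise the installer are constructed in the test only.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the report
# format and the optional target-root argument are my own; the CVE numbers
# are the two bash bugs the thread refers to as "both issues".

# CVE-2014-6271 (the test used in step 0b): a vulnerable bash executes the
# "echo vulnerable" that trails the function body in the environment.
# Prints "vulnerable" or "patched". $1 is the bash binary (default: bash).
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only bash32-052 applied, a malformed definition leaves
# the parser confused, so "echo date" is run as "date > echo" and a file
# named echo appears in the working directory. Run it in a scratch directory.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    (cd "$tmp" && env X='() { (a)=>\' "${1:-bash}" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Version string as in step 3, e.g. "3.2.52(1)-release".
bash_version() {
    "${1:-bash}" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null
}

# One-line summary for the binary in $1 (default: bash).
shellshock_report() {
    printf '%s: version %s, CVE-2014-6271 %s, CVE-2014-7169 %s\n' \
        "${1:-bash}" "$(bash_version "$1")" \
        "$(check_cve_2014_6271 "$1")" "$(check_cve_2014_7169 "$1")"
}

# Steps 2, 4 and 5 for one root: back up bash and sh, copy the patched binary
# over both, mark the backups non-executable. $1 is the patched binary,
# $2 the root to install into (default /; another mounted OS X install such
# as /Volumes/OtherOS works the same way). Run with sudo when $2 is the live /.
install_patched_bash() {
    src=$1
    bindir=${2:-/}
    bindir=${bindir%/}/bin
    [ -x "$src" ] || { echo "not executable: $src" >&2; return 1; }
    [ -d "$bindir" ] || { echo "no such directory: $bindir" >&2; return 1; }
    for name in bash sh; do
        [ -e "$bindir/$name" ] && { cp "$bindir/$name" "$bindir/$name.old" || return 1; }
    done
    for name in bash sh; do
        cp "$src" "$bindir/$name" && chmod 755 "$bindir/$name" || return 1
    done
    for old in "$bindir"/bash.old "$bindir"/sh.old; do
        [ -e "$old" ] && chmod a-x "$old"
    done
    return 0
}

# Report on the bash named on the command line (default: whatever bash is on PATH).
shellshock_report "${1:-bash}"
```

Run it as `sh shellshock.sh /bin/bash` before and after the patch; a 3.2.52 build should report the first CVE as patched and the second as still vulnerable, which is the reason a later post in this thread moves to bash 4.3.26. To install, source the file in a root shell and call `install_patched_bash build/Release/bash` (or `install_patched_bash build/Release/bash /Volumes/OtherOS` for a second system on the same disk); the report line printed on sourcing is harmless.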
 
And one other quick question: for those of us who may be doing multiple computers, is it possible to save the patch to a flash drive after compiling, and use that directly rather than having to download and compile on each system we're applying the patch to?

It's averaging me about 30 minutes per computer to install Xcode, and another 5-15 minutes (depending on the computer) to compile it.
 
Probably; between computers using the same CPU architecture it *should* work. At a minimum, one for x86-64 and one for PowerPC; try the x86-64 executable on 32-bit x86 and it might work, else you will probably need one for 32-bit. Also, the 32-bit one should work on x86-64.

Give me one second to try something, there is probably a better way using GCC.
 
And one other quick question: for those of us who may be doing multiple computers, is it possible to save the patch to a flash drive after compiling, and use that directly rather than having to download and compile on each system we're applying the patch to?

It's averaging me about 30 minutes per computer to install Xcode, and another 5-15 minutes (depending on the computer) to compile it.

Yes, you can - easier and faster than installing Xcode on every system.

You can even use the GUI if you like. Hit Shift-Command-G and then type in /bin, and the bin folder will open and you will see both bash and bash.old (as well as sh and sh.old) on the first system. You can then copy that file either over your network or to a USB drive, and do the same Shift-Command-G /bin on each target machine. You can even rename the existing bash file to bash.old in the Finder and then copy your updated bash file into the target bin folder.
I suppose chmod on the bash.old would be a good idea, and you might even want to repair permissions just in case, or archive the bash.old file somewhere, or compress it, to prevent it from being used if someone should happen to find it.

Edit: the test I just did was using Xcode on a Mac Mini Server (64-bit Core i7) running 10.7.5 Server as the compiler source and a MacBook Pro (64-bit Core i7) running 10.9.5. I haven't tried running that bash file on 32-bit or other CPUs (yet).
 
No luck with GCC, but I think that you'll be fine with the copying route. Just check at the end that your bash is working with:

Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

or some other bash thing.

I thought I'd give GCC a try since I don't like Xcode, but the header hacking that would require will take more time than installing Xcode. You might try the x86 binaries on PowerPC; there are bash scripts out there for detecting what OS/CPU/bitness is running, which makes me think that if you can't check the bash info to tell what OS it is, it might be agnostic to what system it is on.

Use the GUI? That's blasphemous! You have to pretend that all systems are headless all the time!
 
Thanks Ben, I should have added that on there when I read it last night.

Basically do the steps above, but additionally execute these commands:

The first one might not need the tar zxf, or might need a different command to untar it, but you can google that. Just an aside: writing a tar command from memory is hard since the flags you provide it (z, x, f...) are nonsense to me.

Code:
# The download is a gzipped single binary, not a tarball (the chmod/cp below
# work on the unpacked file directly), so gunzip it rather than untarring it.
# curl ships with OS X; wget usually does not, and wget would write to a file
# rather than to the pipe anyway.
curl -L -o bash-4.3.26-10.4u.gz 'http://sourceforge.net/projects/tenfourfox/files/tools/bash-4.3.26-10.4u.gz/download'
gunzip bash-4.3.26-10.4u.gz

# switch to tcsh so the shell you are typing into is not the bash binary you
# are about to overwrite; back up /bin/bash and /bin/sh (step 2 above) first
exec tcsh
chmod +x bash-4.3.26-10.4u
sudo cp bash-4.3.26-10.4u /bin/bash
sudo cp bash-4.3.26-10.4u /bin/sh

And you will be good to go on both issues; I assume the new patch covers both issues, so this one should be sufficient.

Yeah, this is computer stuff. The thing is, your computer isn't going to 'misbehave' without it; it's not a stability problem, it's a security issue. Unlike most security problems that people think exist in a system, which are usually someone having downloaded and installed something they shouldn't, this is an actual security problem.

To get the stuff off the screen type "clear" and hit enter :)
 
Just intercepted a distress call from the mother ship. Seems it's been bashed by shells and they need to pull over and patch it with apple chips. Martha grab the layin' hen, I'll grab the pickled peaches and meet you in the root cellar.
 
Read this this morning:

"...Apple said that most of its OS X users were not at risk from the Shellshock bug because Apple's default settings protect users from remote exploits, like the kind cybercriminals would need to use to infiltrate a personal desktop or laptop computer. The company noted, however, that if users had reconfigured their advanced Unix services (underlying code in OS X) they might face issues...."

Sounds to me like you Mac whizzes are in trouble, but regular numbskulls like me are okay. :)
 
No fair, you don't get to be a gun geek AND a computer geek!

Hey, you can be both too but I'm more just a geek in general.

Yeah, I'm running some services that would be vulnerable. I really don't like how they worded that; I know they did it to alleviate some worries, but it's not an OS issue, it's a program issue. Heaven knows what's turned on out there in the OS X world with all the apps, configs and such. I wouldn't be surprised if a patch was in the works; it's about time anyway, bash on OS X is old (at least mine was before updating).
 
Hey, you can be both too but I'm more just a geek in general.

Yeah, I'm running some services that would be vulnerable. I really don't like how they worded that; I know they did it to alleviate some worries, but it's not an OS issue, it's a program issue. Heaven knows what's turned on out there in the OS X world with all the apps, configs and such. I wouldn't be surprised if a patch was in the works; it's about time anyway, bash on OS X is old (at least mine was before updating).

I'm actually surprised that Apple doesn't have a patch out yet.

BTW, I did some "community service" and patched three other computers at school today. Two of them were running Snow Leopard (10.6) so likely won't receive an update when Apple does get around to it.

I also have all of my always-internet-connected computers patched, and have started working through the occasionally-connected ones (lower priority). I'm dreading digging into the MDD G4 that has four different versions of OS X installed (10.2 through 10.5), as the only thing I know to do is boot into each version and patch it separately.
 
I'm not sure how you have all those partitioned, but I don't see any reason why you wouldn't be able to boot into one OS, do the patch and copy it to the other three from Terminal without logging out. This assumes, though, that the file systems of the other three are mounted in the first OS and there won't be any permissions errors; then you should just be able to do "cp [/bin/bash] [/mountpoint/path/to/bin]". You could in Linux, so I assume you can here.

Yeah, that was basically all we did at work today was try to get a certain lab member's computer patched, you know of whom I refer.
 
Well, evidently they are working on one; I don't really get why they don't have it out, though. I mean, the Linux community had a patch basically as soon as they heard about it, and there's works on OS X. My only thought is they are taking a little more time confirming EVERYTHING still works afterwards. The Linux people probably didn't do that since there's no reason to think it would break something, and if the patch they give you doesn't work for you, their answer would be "write one yourself then".
 
For those who don't want to mess around in Terminal, someone out on the Interwebz was nice enough to put together an installer package that will automatically back up your old Bash and install the new, patched version (that addresses both vulnerabilities) without you needing to open Terminal.

I just ran this both on my PowerBook G4 Titanium running 10.5 (I'm typing this post from this computer) and my MacBook running 10.10, and can confirm that it works on both. With that said, use at your own risk.

Download at this link

The 'Bash Bug' and PPC - Page 2 - MacRumors Forums
 