Small blog about system administration.

Remotely Exploitable 'Bash Shell' Vulnerability Affects Apple Mac OS X (exploit CVE-2014-6271 and CVE-2014-7169)

Bash 3.2, the version shipped with OS X, is vulnerable to the remote code execution bugs CVE-2014-6271 and CVE-2014-7169.

You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
The output above is what a non-vulnerable Bash prints. If the word "vulnerable" appears in the output of that command, your Bash is vulnerable and you should update.
An official patch has not yet been released but a work-in-progress patch is visible on the mailing list. Note that I (@alblue) have tested this patch and the version of Bash still appears vulnerable.
You can obtain and recompile Bash as follows, provided that you have Xcode installed:
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0    
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.52(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
After this, the Bash version should be v3.2.52:
$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
For security, and after testing, I recommend that you chmod a-x the old versions so they cannot be re-used, or move them to a backup location.
$ sudo chmod a-x /bin/bash.old /bin/sh.old
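Putting the check and the rebuild steps together: the script below is an added example and is not part of the original post. It wraps the probe command from the post in a function that reports whether a given Bash binary is vulnerable to CVE-2014-6271, and wraps the download, patch, build and install steps in a second function that refuses to install the new build unless it reports the 3.2.52 banner the post expects and itself passes the probe. The URLs, paths and version string are the ones from the post; the `check`/`install` subcommand names and the function names are my own, and the install path only works on a macOS host with Xcode and network access.

```shell
#!/bin/sh
# Added example, not the original post's code. Functions only; nothing runs
# unless invoked as "sh script.sh check [bash-binary]" or "sh script.sh install".

# Classify the output of the env-function probe. A vulnerable bash executes
# the trailing "echo vulnerable", so that word appears on a line of its own;
# the warnings a fixed bash prints about the bogus definition are harmless.
probe_output_is_vulnerable() {
    printf '%s\n' "$1" | grep -qx 'vulnerable'
}

# Run the probe from the post against a given bash binary (a path or a name
# found on PATH), merging stderr so the result matches what the post shows.
shellshock_probe() {
    bin="$1"
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>&1)
    printf '%s\n' "$out"
}

# Returns 0 when the binary is safe against CVE-2014-6271, 1 when vulnerable.
bash_is_patched() {
    if probe_output_is_vulnerable "$(shellshock_probe "$1")"; then
        return 1
    fi
    return 0
}

# Extract "3.2.52" from a "GNU bash, version 3.2.52(1)-release ..." banner
# so the install step can insist on the expected patch level.
bash_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# The rebuild steps from the post (macOS, Xcode and network access required).
# Refuses to install a build that reports an unexpected version or that still
# fails the probe; the old binaries are kept but made non-executable.
install_patched_bash() {
    set -e
    mkdir -p bash-fix && cd bash-fix
    curl -fsSL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
    cd bash-92/bash-3.2
    curl -fsSL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
    cd ..
    xcodebuild
    new=build/Release/bash
    banner=$("$new" --version | head -n 1)
    ver=$(bash_version_from_banner "$banner")
    [ "$ver" = "3.2.52" ] || { echo "unexpected version: $banner" >&2; return 1; }
    bash_is_patched "$new" || { echo "rebuilt bash still vulnerable" >&2; return 1; }
    sudo cp /bin/bash /bin/bash.old
    sudo cp /bin/sh /bin/sh.old
    sudo cp build/Release/bash /bin
    sudo cp build/Release/sh /bin
    sudo chmod a-x /bin/bash.old /bin/sh.old
}

case "${1:-}" in
    check)   if bash_is_patched "${2:-bash}"; then echo "not vulnerable"; else echo "vulnerable"; fi ;;
    install) install_patched_bash ;;
esac
```

Run `sh script.sh check /bin/bash` before and after the rebuild; the probe runs whichever binary you name, so you can point it at `build/Release/bash` to confirm the new build before anything is copied into `/bin`.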
