Bash – How to Test Bash for Shellshock Vulnerabilities on OS X


Overview


Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on September 24th, 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Although Apple was notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until September 29th, 2014, when OS X bash Update 1.0 was released. Updates are available for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9); newer OS X operating systems include an updated Bash that isn’t vulnerable to these exploits.

What exposes your Mac to Shellshock?
Here are multiple routes that expose this vulnerability to a remote attack on an OS X system:

Enabling Remote Login
Your Mac is exposed if you enable a service that allows an attacker to run bash commands remotely, for example if Remote Login is enabled and the attacker has compromised an account with permission to use Secure Shell (SSH).

OS X 10.9 - System Prefs - Sharing - Remote Login

Launch Application w/Exploit
If someone wrote an application that contained this exploit, and a user downloaded it, bypassed Gatekeeper (it would have to be an unsigned, unsandboxed app) and ran it, their OS X system could be exploited through this vulnerability.

Machine Local Access
If a person has local access to your computer and can run bash commands, they can exploit this vulnerability on your OS X computer.

How to Tell If You’re Protected
After applying the security updates, here’s how to check that Bash has been updated:

Open Terminal, and execute this command:

bash --version

The Bash version after applying this security update will be:

  • OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
  • OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
  • OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)

This page outlines Bash vulnerability tests you can run on your OS X computers.

Vulnerability Tests


CVE-2014-6271
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-6271.

VULNERABLE:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

NOT VULNERABLE:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

CVE-2014-7169
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-7169.

VULNERABLE:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X

NOT VULNERABLE:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
bash: c$: command not found
cat: echo: No such file or directory
rm: ./echo: No such file or directory

CVE-2014-6277 and CVE-2014-627

VULNERABLE:

$ foo='() { echo not patched; }' bash -c foo
not patched

NOT VULNERABLE:

$ foo='() { echo not patched; }' bash -c foo 
bash: foo: command not found

CVE-2014-7186

VULNERABLE:

$ bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() {  echo 2

NOT VULNERABLE:

$ bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
1 () {
2
f=1

CVE-2014-7187
This test doesn’t output anything on either “vulnerable” or “not vulnerable” bash versions.

VULNERABLE:

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

NOT VULNERABLE:

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

Game Over

VULNERABLE:

$ env ls="() { echo 'Game over'; }" bash -c ls
Game over

NOT VULNERABLE:

$ env ls="() { echo 'Game over'; }" bash -c ls
Applications	Users	 dev	 net	 usr
Library	 Volumes	 etc	 private	 var
Network	 bin	 home	 sbin
System	 cores	 mach_kernel	tmp 
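
The CVE-2014-6271 test and the function-import test (the one that prints "not patched") can be scripted so that the verdict does not depend on reading terminal output by eye. The script below is an added example, not part of the original page; the function names are assumptions made for illustration, and only stdout is classified so that warnings a patched Bash prints on stderr are ignored.

```shell
#!/bin/sh
# Added example (not from the original page): automate two of the page's probes.
# All function names here are hypothetical helpers introduced for this example.

# classify_6271 OUTPUT: the injected "echo vulnerable" ran only if that exact line appears.
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "vulnerable"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"
    else
        echo "inconclusive"   # the shell under test produced no usable output
    fi
}

# classify_import OUTPUT: a plain variable was imported as a function if its body ran.
classify_import() {
    if printf '%s\n' "$1" | grep -qx 'not patched'; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
}

# probe_6271 BASH: the CVE-2014-6271 test from the page, stderr discarded.
probe_6271() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null
}

# probe_import BASH: the function-import test from the page, stderr discarded.
probe_import() {
    foo='() { echo not patched; }' "$1" -c foo 2>/dev/null
}

# check_bash [BASH]: print one verdict per probe; return 1 if any probe says "vulnerable".
check_bash() (
    bin=${1:-bash}
    v1=$(classify_6271 "$(probe_6271 "$bin")")
    v2=$(classify_import "$(probe_import "$bin")")
    echo "binary:          $bin ($("$bin" --version 2>/dev/null | head -n 1))"
    echo "CVE-2014-6271:   $v1"
    echo "function import: $v2"
    [ "$v1" != "vulnerable" ] && [ "$v2" != "vulnerable" ]
)

# Check the bash found on PATH, or the binary given as the first argument.
check_bash "${1:-bash}" || echo "at least one probe reports a vulnerable bash"
```

Pass a path such as /bin/bash or /bin/sh as the first argument to check a specific binary rather than the first bash on PATH.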

Other Information


OS X bash Update 1.0 Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via HTTP headers.

CVE-ID

System Requirements: OS X Lion v10.7.5

System Requirements: OS X Mountain Lion v10.8.5
