03 Dec Bash – How to Test Bash for Shellshock Vulnerabilities on OS X
Overview
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on September 24th, 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Although Apple was notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until September 29th, 2014, when OS X bash Update 1.0 was released. Updates are available for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9); newer OS X operating systems include an updated Bash that isn’t vulnerable to these exploits.
What exposes your Mac to Shellshock?
Here are multiple routes that expose this vulnerability to a remote attack on an OS X system:
Enabling Remote Login
You enable a service that allows an attacker to run Bash commands remotely. For example, you enable Remote Login and the attacker compromises an account with permission to use Secure Shell (SSH).
Launch Application w/Exploit
Someone writes an application that contains this exploit, and a user downloads it, bypasses Gatekeeper (it would need to be an unsigned, unsandboxed app) and runs it. Their OS X system could then be exploited through this vulnerability.
Machine Local Access
If a person has local access to your computer and can run Bash commands, they can exploit this vulnerability on your OS X computer.
How to Tell If You’re Protected
After applying the security updates, here’s how to check that Bash has been updated:
Open Terminal, and execute this command:
bash --version
The Bash version after applying this security update will be:
- OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
- OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
- OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
This page outlines Bash vulnerability tests you can run on your OS X computers.
Vulnerability Tests
CVE-2014-6271
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-6271.
VULNERABLE:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
NOT VULNERABLE:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
CVE-2014-7169
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-7169.
VULNERABLE:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
NOT VULNERABLE:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
bash: c$: command not found
cat: echo: No such file or directory
rm: ./echo: No such file or directory
CVE-2014-6277 and CVE-2014-627
VULNERABLE:
$ foo='() { echo not patched; }' bash -c foo
not patched
NOT VULNERABLE:
$ foo='() { echo not patched; }' bash -c foo
bash: foo: command not found
VULNERABLE:
$ bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2
NOT VULNERABLE:
$ bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
1 () {
2
f=1
CVE-2014-7187
Test doesn’t output anything on “vulnerable” or “not vulnerable” bash versions.
VULNERABLE:
$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
NOT VULNERABLE:
$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
Game Over
VULNERABLE:
$ env ls="() { echo 'Game over'; }" bash -c ls
Game over
NOT VULNERABLE:
$ env ls="() { echo 'Game over'; }" bash -c ls
Applications  Users    dev          net      usr
Library       Volumes  etc          private  var
Network       bin      home         sbin
System        cores    mach_kernel  tmp
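The checks above can be scripted so that one run reports the state of a given shell binary. The script below is an added example, not part of the original page or of Apple's update: the function names, the scratch directory and the choice to pass the shell path as an argument (the page's CVE-2014-7169 test calls `sh` directly) are assumptions of this example.

```shell
#!/bin/sh
# Added example: runs three of the page's checks against one shell binary.
# Function names and the scratch directory are this example's own choices.

# Classify captured output of the CVE-2014-6271 test: a vulnerable Bash
# prints a line reading exactly "vulnerable" before the test message.
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "VULNERABLE"
    else
        echo "NOT VULNERABLE"
    fi
}

# CVE-2014-6271: trailing command after a function definition in the environment.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_6271 "$out"
}

# CVE-2014-7169: a vulnerable parser leaves a file named "echo" in the
# working directory, so run in a scratch directory and look for that file.
check_7169() {
    dir=$(mktemp -d) || return 2
    (cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$dir/echo" ]; then res="VULNERABLE"; else res="NOT VULNERABLE"; fi
    rm -rf "$dir"
    echo "$res"
}

# Function import from a plain variable name (the page's "not patched" test).
check_plain_import() {
    out=$(foo='() { echo not patched; }' "$1" -c foo 2>/dev/null) || true
    if [ "$out" = "not patched" ]; then echo "VULNERABLE"; else echo "NOT VULNERABLE"; fi
}

# Print one line per check for the shell named in $1.
report() {
    shell=$(command -v "$1") || { echo "$1: not found"; return 0; }
    echo "CVE-2014-6271: $(check_6271 "$shell")"
    echo "CVE-2014-7169: $(check_7169 "$shell")"
    echo "plain-variable function import: $(check_plain_import "$shell")"
}

report "${1:-bash}"
```

Running the CVE-2014-7169 check in a scratch directory keeps the stray `echo` file, and the cleanup that removes it, away from the directory you happen to be working in.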
Other Information
- About OS X bash Update 1.0 <http://support.apple.com/kb/HT6495>
OS X bash Update 1.0 Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC()” to prevent unintended function passing via HTTP headers.
CVE-ID
- CVE-2014-6271 : Stephane Chazelas
- CVE-2014-7169: Tavis Ormandy
- OS X bash Update 1.0 – OS X Lion <http://support.apple.com/kb/DL1767>
System Requirements: OS X Lion v10.7.5
- OS X bash Update 1.0 – OS X Mountain Lion <http://support.apple.com/kb/DL1768>
System Requirements: OS X Mountain Lion v10.8.5
- OS X bash Update 1.0 – OS X Mavericks <http://support.apple.com/kb/DL1769>
System Requirements: OS X Mountain Lion v10.8.5