Bash – How to Test Bash for Shellshock Vulnerabilities on OS X

Bash – How to Test Bash for Shellshock Vulnerabilities on OS X

os x yosemite, gatekeeper, bash logos

Overview


Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on September 24th, 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Apple, although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until September 29th 2014, at which time the OS X bash Update 1.0 was released. Updates are available for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9) and newer OS X operating systems include an updated Bash that isn’t vulnerable to these exploit.

What exposes your Mac to Shellshock?
Here are multiple routes exposing this vulnerability to a remote attack on a OS X system:

Enabling Remote Login
If you enable a service that allows attacker to remotely run bash commands. This could be something like enabling remote login and the attacker comprimised an account with permissions to use Secure Shell, or SSH.

OS X 10.9 - System Prefs - Sharing - Remote Login

Launch Application w/Exploit
If someone were to write an application that contained this exploit, a user downloads this application, and bypassed Gatekeeper (it would have to need to ba an unsigned, unsandboxed app) and run this applications. There OS X system could get exploited by this vulnerability.

Machine Local Access
If a person has local access to your computer and can run bash commands, they can exploit your OS X computer to this vulnerability.

How to Tell If You’re Protected
After applying the security updates, here’s how to check that Bash has been updated:

Open Terminal, and execute this command:

The Bash version after applying this security update will be:

  • OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
  • OS X Mountain Lion: GNE bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
  • OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)

This page outlines Bash vulnerability tests you can run on your OS X computers.

Vulnerability Tests


CVE-2014-6271
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-6271.

VULNERABLE:

NOT VULNERABLE:

CVE-2014-7169
Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-7169.

VULNERABLE:

NOT VULNERABLE:

CVE-2014-6277 and CVE-2014-627

VULNERABLE:

NOT VULNERABLE:

CVE-2014-7186

VULNERABLE:

NOT VULNERABLE:

CVE-2014-7187
Test doesn’t doesn’t output anything on “vulnerable” or “not vulnerable” bash versions.

VULNERABLE:

NOT VULNERABLE:

Game Over

VULNERABLE:

NOT VULNERABLE:

Other Information


OS X bash Update 1.0 Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC()” to prevent unintended function passing via HTTP headers.

CVE-ID

System Requirements: OS X Lion v10.7.5

System Requirements: OS X Mountain Lion v10.8.5

System Requirements: OS X Mountain Lion v10.8.5

No Comments

Leave a Reply