Avoiding Shellshock in Mac OSX

Shellshock is a vulnerability in bash (the shell that ships with Mac OSX) that surfaced in late September 2014 and has the potential to do more harm than Heartbleed, which made headlines in April 2014. Apple ships OSX with an old version of bash. According to this site, Shellshock lets an attacker execute arbitrary code by placing a crafted function definition in an environment variable that is passed to a child bash process. What follows is my approach to hardening my Macbook.

You know you are vulnerable in OSX if you run the following at the Terminal window prompt and the word ‘vulnerable’ is printed before the test string:

hoodbu@pakdude-mbp /~ (499) env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
hoodbu@pakdude-mbp /~ (500)

This is because of the version of bash that I had on my Macbook:

hoodbu@pakdude-mbp /~ (501) bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
hoodbu@pakdude-mbp /~ (502)

Following the instructions given at Stack Exchange, I ran the following. Patches bash32-052 and bash32-053 are the upstream fixes for CVE-2014-6271 and CVE-2014-7169 respectively; later bash 3.2 patches (054 onward) address further related bugs, so check the GNU patch directory and apply anything newer than 053 as well:

hoodbu@pakdude-mbp /~ (528) mkdir bash-fix
hoodbu@pakdude-mbp /~ (529) cd bash-fix/
hoodbu@pakdude-mbp /bash-fix (530) curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
-bash: /sw/bin/tar: Bad CPU type in executable
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 4088k    0 16384    0     0   4927      0  0:14:09  0:00:03  0:14:06  4927
curl: (23) Failed writing body (0 != 16384)
hoodbu@pakdude-mbp /bash-fix (531)

This error was because of my version of ‘tar’. Somehow, my ‘/sw/bin/tar’ is a PowerPC-only binary of tar, probably because I once owned a PowerPC-based Mac and after upgrading many years ago my version of ‘tar’ somehow didn’t get updated. ‘/sw’ is the default Fink prefix, and it sits ahead of ‘/usr/bin’ in my PATH, so a plain ‘tar’ resolves there:

hoodbu@pakdude-mbp /bash-fix (534) /usr/bin/tar --version
bsdtar 2.8.3 - libarchive 2.8.3
hoodbu@pakdude-mbp /bash-fix (535) tar --version
-bash: /sw/bin/tar: Bad CPU type in executable
hoodbu@pakdude-mbp /bash-fix (536) which tar
/sw/bin/tar

So I just used ‘/usr/bin/tar’ and will deal with ‘/sw/bin/tar’ later. Moving on:

hoodbu@pakdude-mbp /bash-fix (537) curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | /usr/bin/tar zxf -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 4088k  100 4088k    0     0   603k      0  0:00:06  0:00:06 --:--:--  607k
hoodbu@pakdude-mbp /bash-fix (539) cd bash-92/bash-3.2
hoodbu@pakdude-mbp /bash-3.2 (540) curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3250  100  3250    0     0   2041      0  0:00:01  0:00:01 --:--:--  2042
patching file builtins/common.h
patching file builtins/evalstring.c
patching file variables.c
patching file patchlevel.h
hoodbu@pakdude-mbp /bash-3.2 (541) curl http://alblue.bandlem.com/bash32-053.patch | patch -p0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1118  100  1118    0     0    803      0  0:00:01  0:00:01 --:--:--   803
patching file parse.y
patching file patchlevel.h
hoodbu@pakdude-mbp /bash-3.2 (542) cd ..
hoodbu@pakdude-mbp /bash-92 (543) xcodebuild
xcode-select: note: no developer tools were found at '/Applications/Xcode.app', requesting install. Choose an option in the dialog to download the command line developer tools.

Apparently I had ‘xcodebuild’, but not the way Apple wants it. So I installed Xcode from the App Store. At 2.46 GB it took a while to download, but once it was installed, run once as sudo, and the EULA agreed to, the rest was straightforward:

hoodbu@pakdude-mbp /bash-92 (544) xcodebuild
Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo.
hoodbu@pakdude-mbp /bash-92 (545) sudo xcodebuild
Password:
You have not agreed to the Xcode license agreements. You must agree to both license agreements below in order to use Xcode.
Hit the Enter key to view the license agreements at '/Applications/Xcode.app/Contents/Resources/English.lproj/License.rtf'
<long EULA skipped>
hoodbu@pakdude-mbp /bash-92 (547) sudo xcodebuild
<long output skipped>
** BUILD SUCCEEDED **
hoodbu@pakdude-mbp /bash-92 (548) sudo cp /bin/bash /bin/bash.old
hoodbu@pakdude-mbp /bash-92 (549) sudo cp /bin/sh /bin/sh.old
hoodbu@pakdude-mbp /bash-92 (550) build/Release/bash --version # GNU bash, version 3.2.53(1)-release
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
hoodbu@pakdude-mbp /bash-92 (551) build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
hoodbu@pakdude-mbp /bash-92 (552) sudo cp build/Release/bash /bin
hoodbu@pakdude-mbp /bash-92 (553) sudo cp build/Release/sh /bin
hoodbu@pakdude-mbp /bash-92 (554) bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
hoodbu@pakdude-mbp /bash-92 (555)

Note that the backup copies in /bin/bash.old and /bin/sh.old are still executable, vulnerable shells; strip their execute bit with chmod (or move them out of /bin) so nothing can pick them up later. Finally, this is the indicator that my Macbook is no longer vulnerable to Shellshock: the patched bash refuses to import the function definition and only runs the command it was given:

hoodbu@pakdude-mbp /bash-92 (555) env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
hoodbu@pakdude-mbp /bash-92 (556)
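As an added example (not part of the original post), here is a small POSIX shell script that wraps the version check and the CVE-2014-6271 test used above, and adds the CVE-2014-7169 test for the bug that bash32-053 addresses. The function names and the temporary-directory handling are my own; it can be pointed at any bash binary, including the /bin/bash.old backup, to confirm which copies on a box are still affected.

```shell
#!/bin/sh
# Added example: check a bash binary for the two Shellshock bugs patched by
# bash32-052 (CVE-2014-6271) and bash32-053 (CVE-2014-7169).
# Not from the original post; function names are my own.

# Extract the patch level from the first line of `bash --version`, e.g.
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)" -> 53
bash_patchlevel() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*$/\1/p'
}

# CVE-2014-6271: a vulnerable bash executes the commands that follow an
# exported function body at startup. Prints "vulnerable" or "patched".
check_6271() {
    bashbin=$1
    out=$(env x='() { :;}; echo vulnerable' "$bashbin" -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete-parse bug. On a vulnerable bash the leftover
# ">\" turns the command into `date > echo`, creating a file named "echo" in
# the working directory; a patched bash just prints "date". Runs in a
# scratch directory so nothing is left behind either way.
check_7169() {
    bashbin=$1
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$bashbin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# Run all checks against one binary. Returns 1 if either test says
# vulnerable, 2 if the binary is missing, 0 otherwise.
check_shellshock() {
    bashbin=$1
    [ -x "$bashbin" ] || { echo "no such executable: $bashbin"; return 2; }
    version=$("$bashbin" --version 2>/dev/null | head -n 1)
    echo "$bashbin: $version (patch level $(bash_patchlevel "$version"))"
    r6271=$(check_6271 "$bashbin")
    r7169=$(check_7169 "$bashbin")
    echo "CVE-2014-6271: $r6271"
    echo "CVE-2014-7169: $r7169"
    [ "$r6271" = patched ] && [ "$r7169" = patched ]
}

# Default to whichever bash is on PATH; pass /bin/bash.old to test a backup.
check_shellshock "${1:-$(command -v bash)}"
```

Both behavioural tests only observe what the child shell does with an exported variable, so they are safe to run on a patched system; the version check alone is not enough, because Apple's 3.2.53 and a self-built 3.2.53 carry the same string regardless of which later patches were folded in.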

I hope you find this useful.
