Alex headshot

AlBlue’s Blog

Macs, Modularity and More

Bash remote vulnerability

2014, bash, mac, osx, security

As you’ve probably heard, there’s a remote vulnerability in Bash, which means that an attacker can supply a malicious code by virtue of passing in an environment variable with a specially crafted value that is then executed by Bash when a new shell starts up. This could potentially give an attacker control over an account running requests, which could include any HTTP request (variables such as REMOTE_HOST are passed through to CGI scripts by default) as well as certain environment variables in SSH (such as TERM).

I have written about this more at InfoQ, and most major operating system vendors have published updates to their versions of Bash. I have also written a piece on ShellShocked — Behind the Bug and created the popular StackExchange question and answer on ShellShock.

Apple typically take time to fix these issues, so in the meantime, if you have an OSX server estate you are advised to upgrade to a new version of bash immediately.

If you have the Xcode developer tools available, you can compile it yourself as follows:

Fixing bash on OSX
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ # If you want to disable auto-imported functions, uncomment the following
$ # export ADD_IMPORT_FUNCTIONS_PATCH=YES
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] && curl http://alblue.bandlem.com/import_functions.patch | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0
$ cd ..
$ xcodebuild
$ build/Release/bash --version # GNU bash, version 3.2.55(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.55(1)-release
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

You are advised to take backups before you make these changes and test that you can log in before you quit the shell you have started (because if there are problems you may not be able to fix this afterwards). When Apple release a fix you are recommended to apply that and verify that the new Apple version is used instead.

To test the fix is effective, run:

Original Vulnerability test
1
2
3
4
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
New vulnerability test
1
2
3
4
5
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:54:13 BST

To permanently disable this class of bug by disabling all auto-imported functions, this patch can be applied (to 3.2p53). Either this or bash 3.2p54 will protect against the following vulnerability:

Disabling auto-imported functions
1
2
$ env ls="() { echo 'Game over'; }" bash -c ls
Game over

Once you’re happy, make sure the old versions are no longer executable (or better still, remove them) and then reboot your system. Otherwise any running processes might be tricked for log processing or other routine tasks.

Removing executable bit
1
2
3
$ sudo chmod a-x /bin/bash.old /bin/sh.old
$ # or just sudo rm /bin/bash.old /bin/sh.old
$ # sudo reboot as well

You should also check for bash or sh installs in other locations, such as /sbin, /usr/sbin or /usr/local/bin. If you use a ports manager such as Homebrew or Macports then you should follow the upgrade instructions given by those package managers.

This post was also made to apple.stackexchange.com where it has received several hundred votes - so my thanks are due to everyone there, and of course, Chet for fixing the issues as quickly as they were.

Update

Apple have released their fix for this issue, providing bash-3.2p53. They appear to have fixed the above bugs including the Game over bug, though without using the upstream bash-3.2p54 patch listed here.

Separate patches are available for different versions of OSX:

Note that the official Apple patch is still vulnerable to a variant of the Game Over bug described above, as noted by @ake_____ on twitter.

Game Over in Apple Bash fix 1.0
1
2
$ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" ./bash -c ls
Game Over

Cautions administrators are invited to re-consider applying the ‘disable auto-import functions patch’ listed above, or rebuild to bash 3.2.55.