AlBlue’s Blog

Macs, Modularity and More

Bash remote vulnerability

2014 Security Bash Mac Osx

As you’ve probably heard, there’s a remote vulnerability in Bash: an attacker can supply malicious code by passing in an environment variable with a specially crafted value, which is then executed by Bash when a new shell starts up. This could potentially give an attacker control over an account running requests, which could include any HTTP request (variables such as REMOTE_HOST are passed through to CGI scripts by default) as well as certain environment variables in SSH (such as TERM).

I have written about this more at InfoQ, and most major operating system vendors have published updates to their versions of Bash. I have also written a piece on ShellShocked — Behind the Bug and created the popular StackExchange question and answer on ShellShock.

Apple typically take time to fix these issues, so in the meantime, if you have an OSX server estate you are advised to upgrade to a new version of bash immediately.

If you have the Xcode developer tools available, you can compile it yourself as follows:

```sh Fixing bash on OSX
$ # If you want to disable auto-imported functions, uncomment the following
$ # export ADD_IMPORT_FUNCTIONS_PATCH=YES
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] && curl http://alblue.bandlem.com/import_functions.patch | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0
$ cd ..
$ xcodebuild
$ build/Release/bash --version # GNU bash, version 3.2.55(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.55(1)-release
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
```


You are advised to take backups before you make these changes and test that
you can log in before you quit the shell you have started (because if there
are problems you may not be able to fix this afterwards). When Apple release
a fix you are recommended to apply that and verify that the new Apple version
is used instead.

To test the fix is effective, run:

```sh Original Vulnerability test
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
```

```sh New vulnerability test
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:54:13 BST
```


To permanently disable this class of bug by disabling all auto-imported
functions, <a href="/import_functions.patch">this patch</a> can be applied (to
3.2p53). Either this or bash 3.2p54 will protect against the following
vulnerability:

```sh Disabling auto-imported functions
$ env ls="() { echo 'Game over'; }" bash -c ls
Game over
```

Once you’re happy, make sure the old versions are no longer executable (or better still, remove them) and then reboot your system. Otherwise any running processes might be tricked for log processing or other routine tasks.

```sh Removing executable bit
$ sudo chmod a-x /bin/bash.old /bin/sh.old
$ # or just sudo rm /bin/bash.old /bin/sh.old
$ # sudo reboot as well
```


You should also check for `bash` or `sh` installs in other locations, such as
`/sbin`, `/usr/sbin` or `/usr/local/bin`. If you use a ports manager such
as Homebrew or Macports then you should follow the upgrade instructions
given by those package managers.
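
One way to run that check across several locations at once, as an added example that is not part of the original post: the script below applies the two plain-name function-import tests shown above to every executable `bash`, `sh`, `bash.old` and `sh.old` it finds. The function names, the status words and the `audit_probe` variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit each bash/sh binary in the
# given directories with the post's two plain-name function-import tests.

# check_shell PATH -> prints vulnerable | imports-functions | patched | unknown
check_shell() {
    shell=$1
    # Test 1, as in the post: does code after a function definition run?
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' \
        2>/dev/null </dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable; return 0 ;;
        *hello*) ;;                   # the shell ran our command normally
        *) echo unknown; return 0 ;;  # not a working shell, nothing to conclude
    esac
    # Test 2, the post's "Game over" case with a harmless constructed name
    # (audit_probe) instead of ls: is a plain variable imported as a function?
    out=$(env audit_probe='() { echo imported; }' "$shell" -c audit_probe \
        2>/dev/null </dev/null) || true
    case $out in
        *imported*) echo imports-functions ;;
        *) echo patched ;;
    esac
}

# scan_dirs DIR... -> one "status path" line per executable shell found,
# including the bash.old/sh.old backups made during the manual upgrade.
scan_dirs() {
    for dir in "$@"; do
        for name in bash sh bash.old sh.old; do
            [ -x "$dir/$name" ] || continue
            printf '%s %s\n' "$(check_shell "$dir/$name")" "$dir/$name"
        done
    done
    return 0
}

# Default to the locations named in the post when no directories are given.
[ "$#" -gt 0 ] || set -- /bin /sbin /usr/sbin /usr/local/bin
scan_dirs "$@"
```

Any line that does not start with `patched` names a binary to replace, upgrade through its package manager, or make non-executable.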

This post was also made to <a
href="http://apple.stackexchange.com/questions/146849/">apple.stackexchange.com</a>
where it has received several hundred votes - so my thanks are due to everyone
there, and of course, Chet for fixing the issues as quickly as they were.

Update
======

Apple have released their fix for this issue, providing `bash-3.2p53`. They
appear to have fixed the above bugs including the `Game over` bug, though
without using the upstream `bash-3.2p54` patch listed here.

Separate patches are available for different versions of OSX:

 * https://support.apple.com/kb/DL1769 - Mavericks (10.9.5 and above)
 * https://support.apple.com/kb/DL1768 - Mountain Lion (10.8.5)
 * https://support.apple.com/kb/DL1767 - Lion (10.7.5)

Note that the official Apple patch is still vulnerable to a variant of
the Game Over bug described above, as noted by <a href="https://twitter.com/ake_____/status/516732774640656384">@ake_____ on twitter</a>.

```sh Game Over in Apple Bash fix 1.0
$ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" ./bash -c ls
Game Over
```

Cautious administrators are invited to reconsider applying the ‘disable auto-import functions patch’ listed above, or rebuild to bash 3.2.55.