Thursday, September 25, 2014

Fix for Bash ShellShock Vulnerability on Mac OS X

ShellShock is a serious security vulnerability on all Mac and Linux machines that you should fix even if you have no idea why.

This post will tell you how to install the latest version of Bash on Mac OS X to get rid of the ShellShock vulnerability.  You must have admin privileges on your computer to complete this. If you use MacPorts or Homebrew you need to do an update of whichever you use as well.  MacPorts and Homebrew have a separate version of Bash besides the one built into your system.

This explains the ShellShock vulnerability:

http://www.bbc.com/news/technology-29361794

Steps to repair:

Step 1:
Install XCode if not already installed from the app store:

https://itunes.apple.com/us/app/xcode/id497799835


Step 2:
Open a terminal window:

https://www.youtube.com/watch?v=zw7Nd67_aFw


Step 3:
sudo env x='() { :;}; echo vulnerable' bash -c 'echo hello' 

 You will be prompted for an admin password. If you see this you have the vulnerability:

vulnerable
hello

 If you see this someone has fixed it for you.  No need to proceed:


warning: x: ignoring function definition attempt

error importing function definition for `x'

hello

Step 4:

Copy and paste everything below in courier font into the terminal then hit enter.    If you have a problem try to copy and paste one line at a time:


mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz -k| tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 -k| patch -p0    
# Note: The bash23-053 patch does not apply cleanly on OSX because
# of a missing y.tab.c file. This can be ignored or the alblue
# one used instead. Upstream commits the y.tab.c file so doesn't
# have that problem.
# Not-yet-released-patch - replace alblue.bandlem.com line with:
# curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0  
curl http://alblue.bandlem.com/bash32-053.patch -k| patch -p0
cd ..
sudo xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.53(1)-release
build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

 rm -f echo

 env X='() { (a)=>\' sh -c "echo date"; cat echo

Step 5:

 Update HomeBrew or MacPorts:

 HomeBrew:

 Copy and paste the courier font one line at a time into the terminal window:

 brew update

brew upgrade bash

 MacPorts:

 Copy and paste the courier font one line at a time into the terminal window:

 sudo port selfupdate

sudo port upgrade bash

 Step 6:

 Be happy this kind of thing rarely happens to Linux and Mac OS.

 I got most of the script from the link below but there were a couple of bugs that needed to be fixed:

 http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
Posted by at No comments:
Subscribe to: Posts (Atom)