in macosx bash vulnerability CVE-2014-6271 ~ read.

Bash remote vulnerability fix for Mac Os users

As you may heard, there's a critical vulnerability found in bash recently. According to CSO

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSHORIGINALCOMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt  
bash: error importing function definition for `x'  

The above output is an example of a non-vulnerable bash version. If you see the word vulnerable in the output of that command your bash is vulnerable and you should update.

There's one more way of checking vulnerability of your bash after an update to the original post

env X='() { (a)=>\' sh -c "echo date"; cat echo  
sh: X: line 1: syntax error near unexpected token `='  
sh: X: line 1: `'  
sh: error importing function definition for `X'  
Thu 25 Sep 2014 08:50:18 BST  

An official patch has not yet been released but a work-in-progress patch is visible on the mailing list

To fix this on your Macs, you need to follow this simple steps :

mkdir bash-fix  
cd bash-fix  
curl | tar zxf -  
cd bash-92/bash-3.2  
curl | patch -p0  
cd ..  
sudo cp /bin/bash /bin/bash.old  
sudo cp /bin/sh /bin/sh.old  
build/Release/bash --version # GNU bash, version 3.2.52(1)-release  
build/Release/sh --version   # GNU bash, version 3.2.52(1)-release  
sudo cp build/Release/bash /bin  
sudo cp build/Release/sh /bin  

After this, the Bash version should be v3.2.52:

prettyprint lang-bash  
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)  
Copyright (C) 2007 Free Software Foundation, Inc.  

For security, and after testing, I recommend that you chmod -x the old versions to ensure they aren't re-used.

sudo chmod a-x /bin/bash.old /bin/sh.old  

I'm using brew for installing linux software on my mac. For people who also use brew, steps are even simpler :

brew update  
brew upgrade bash  

After this my bash version looks like this :

~  bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)  
Copyright (C) 2013 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later <>  

Note that this still leaves you with a vulnerable system bash, updating the Homebrew bash is in addition to patching the system bash as described above.

For Macports users steps are very simple as well :

sudo port self update  
sudo port upgrade bash  

Still, in case with Macports bash usage, you need to update system bash to be sure.

comments powered by Disqus
comments powered by Disqus