Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here’s How to Patch OS X

First, the “legal” stuff. If you decided to follow these steps, and something breaks – ITPro-Blog.com can in no way be held liable. If you are not comfortable completing this process yourself, leave a note in the comments and we can help. Now – on to the geek stuff.

Heartbleed, move over. There’s a new bug in town, and this time it’s also affecting Mac and Linux computers. It’s called Shellshock (its original official title is CVE-2014-6271), and it’s currently got a 10 out of 10 severity rating over at the National Cyber Awareness System. While some updates have been issued to fix this bug, they were incomplete, and your system is probably still vulnerable, as it has been for the last probably 20 years.

Bash is a command-line shell used in many Linux- and Unix-based operating systems, including Mac OS X. If bash is the default system shell on your computer, it can be used by remote hackers for network-based attacks. With a simple script, a hacker can launch programs or enable features on your computer without any passwords needed and without your knowledge. They could access your files, copy confidential information, delete data, run programs, and more.

While the likelihood of your personal Mac being targeted by an attack is relatively small, it’s still a big issue that will hopefully get a real and working patch soon. Until then, there are a few things you can do.

The Test Command
In a Terminal window, type in the following command into the shell, followed by the Enter key. Terminal can be found in Utilities in your Applications folders, or via a quick Spotlight search.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The Good Result
If your system is not vulnerable to the Shellshock bug, it will return something similar to the below output.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The Bad Result
If your system is indeed vulnerable to Shellshock, you’ll see the following instead.

vulnerable
this is a test

Is There an Update Yet?

Many Linux distros have already released patches for Shellshock (though they were mostly incomplete), but Mac OS X has not received anything yet, and Apple hasn’t even commented on the issue. There was a recent 10.9.5 update for Mavericks, but it has nothing pertaining to this issue.

If you’re worried, though, there is a way to manually update your GNU bash version to a more secure one, thanks to some users over at StackExchange.

 

Check Your Current Bash Version
To see what version of bash you have installed on your Mac, enter the following command (followed by the Enter key) in a Terminal window.

bash --version

If you get GNU bash, version 3.2.51(1)-release, then you’ll want to manually update to the newest version of bash 3.2, which is 3.2.52.

Note: There are newer versions of bash out there, but Mac OS X runs off the 3.2 branch. If you’re using Linux, you’ll want to make sure the patch you download matches the version of bash you’re using. The latest patches for all major versions of bash (including 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3) can be found here.

 

Manually Updating Bash – Initial Requirements
You can manually compile the newest bash version (3.2.52) using the below instructions, but you have to have Apple’s Xcode installed on your Mac for this to work. If you don’t have it, you can download Xcode for free from the Mac App Store. There’s still an open question on whether this patch is effective, but we will be updating this guide to the latest version as soon as we know more.

If you don’t want to update bash, there is a workaround provided by Red Hat, but it hasn’t been tested fully, so I wouldn’t recommend it.

 

Step 1: Download & Compile the Patch
Once you’ve confirmed you have Xcode installed, open Terminal again and enter the following commands. Each line is one command, so make sure you copy the full line each time.

mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
xcodebuild
NOTE: You may have to add sudo in front of xcodebuild, and then provide your admin password, before this command will work.

This process may take a while, and you’ll see a lot of text appearing in the Terminal window. It’s just Xcode compiling the new version of bash on your system. Once it’s done, it’ll say “BUILD SUCCEEDED” and you’ll see a Terminal prompt again.

Step 2: Back Up Your Current Version (Just in Case)
Just in case something goes wrong, it’s a good idea to back up your current version of bash. You can do so by entering the following two commands in Terminal.

You may be prompted to enter your admin password. If so, use the same password you use to log in to your Mac. You will not see your password in Terminal as you type, so it may take you a few attempts if you have a complicated password.

sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old

You won’t see any confirmation, but it’ll work, and if something goes wrong after Step #4 below, you can get back your old un-patched version of bash by reversing the above copy commands, to copy the “.old” copies back over their original files (without the “.old” part).

 

Step 3: Verify the Version of Your New Build
Enter the following commands in Terminal to verify you’ve got the new version of the bash build on your computer.

build/Release/bash --version
build/Release/sh --version

The output of these commands should confirm for you that the build version of bash is 3.2.52(1)-release.

 

Step 4: Replace Your Old Bash with the Patched Version
Almost done. You just have to make the new version of bash your default one. Do so with the following Terminal commands.

sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

And that’s it. Now just try out the test again and if it comes back with the good result (i.e., not the one that says “vulnerable”), then you’re golden.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
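The test above, wrapped as a small script so the same check can be pointed at the freshly built binaries from Step 3 before they are copied into /bin in Step 4, and at /bin/bash and /bin/sh afterwards. This is an added example, not part of the original article; the function names are made up for illustration, and a "patched" verdict covers only the probe shown on this page.

```shell
#!/bin/sh
# Added example (not from the original article): runs the article's
# Shellshock probe against specific shell binaries and reports a verdict.
# Function names are hypothetical.

# classify_output TEXT -> prints "vulnerable" or "patched".
# A vulnerable bash runs the command that trails the function definition
# while importing it from the environment, so "vulnerable" appears on a
# line of its own. The warnings a patched 3.2.52 prints never match that.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_shell PATH -> prints "missing", "vulnerable" or "patched".
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # Same probe as the article, aimed at one binary. stderr is merged so
    # the "ignoring function definition attempt" warnings are captured too.
    probe_out=$(env x='() { :;}; echo vulnerable' "$shell_path" \
        -c 'echo this is a test' 2>&1)
    classify_output "$probe_out"
}

# report: check the new build (when run from the bash-92 directory)
# and the installed system shells, one line per binary.
report() {
    for candidate in build/Release/bash build/Release/sh /bin/bash /bin/sh; do
        printf '%-22s %s\n' "$candidate" "$(check_shell "$candidate")"
    done
}

report
```

Run it from the bash-92 directory after xcodebuild finishes; outside that directory the two build/Release entries simply show as missing.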

Originally posted: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/
