Thursday, September 25, 2014

Bashing bash: updated universal OS X bash available as a public service

UPDATE THE SECOND: People are unclear about what I mean by "incomplete." I mean, the existing patch for bash is not complete. Even for the list of commands floating around to build from source (seen on MacRumors and other sites, which requires Xcode), you won't be protected from the second variant of the attack. You'll have to wait for that final patch. Your call whether to continue with the below. Updated to fix /bin/sh as well.

UPDATE: Looks like the fix is incomplete; someone found a way around it. I'll post an update with the newer version when they decide on it, but you can fix the immediate bug now with the steps below.

I hate bash. I prefer tcsh. But Apple made it the default, and now bash has been shown to have a pretty nasty little vulnerability that causes it to inadvertently execute shell commands in the environment you pass it. This attack does work on Power Macs because most shell commands are cross-platform, and there will be no update for us. The vulnerability appears to exist on all versions of OS X.

I thought about this for awhile on how much of an attack surface we're exposing. Servers that might run shell scripts as CGIs would be very high risk, but if you're actually using a 10.4 or 10.5 machine as an externally facing web server you really need your head examined. Similarly, there's the possibility of getting privileged setuid scripts on a multiuser system owned, which again would be primarily an issue for servers.

The risk is less clear on single user workstations, the situation in which I imagine most Power Macs exist, which either run bash purely as a login shell or certain programs may call out to it to accomplish certain system tasks. Realistically, I don't see a large attack surface here, but clever little sneaks might find a way and besides, the solution is easy: build a new bash from the newly patched source code. As a service to you, I have done so, and compiled it for PowerPC and Intel so it will also work for users on 10.6 who are not receiving updates either.

The bash these steps will install works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC. It requires no other dependencies. The idea is to replace your system bash -- yes, you can use Homebrew, Tigerbrew, MacPorts, etc., to get an updated bash, but your built-in bash is still vulnerable unless you replace it. This is designed to accomplish that.

  • WARNING: The following steps assume you know how to use Terminal.app and some basic Unix commands. If you don't, get help.

    1. In a Terminal.app window, verify that you have a vulnerable system so that you can see what that looks like (the command is all one line):

      env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

      It should print

      vulnerable
      this is a test

    2. This has been superseded Download the patched bash 4.3.25. Put it in your home directory. If necessary, double-click to decompress it so that you have a file in your home directory called bash-4.3.25-10.4u.

    3. Close all terminal windows and programs just to make sure you won't stomp on bash while a program is trying to call it. Start Terminal and have exactly one window open.

    4. In that terminal window:

      • exec tcsh
      • chmod +x bash-4.3.25-10.4u
      • sudo mv /bin/bash /bin/bash_old (enter your password)
      • sudo cp bash-4.3.25-10.4u /bin/bash (enter your password if needed)
      • sudo mv /bin/sh /bin/sh_old (enter your password if needed)
      • sudo cp bash-4.3.25-10.4u /bin/sh (enter your password if needed)

    5. Test it stuck by trying the statement again:

      env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

      It should print

      bash: warning: x: ignoring function definition attempt
      bash: error importing function definition for `x'
      this is a test

    6. Restart your Mac as a paranoia to make sure everything is using the new copy of bash.

    7. Bask in the glow. Then, find a shell that doesn't suck.

  • 5 comments:

    1. What about /bin/sh ? On a Tiger system, they appear to be identical - would it be wise to replace it?

      ReplyDelete
      Replies
      1. Probably a good idea. I'll be updating the instructions when I get a new binary.

        Delete
    2. Could you document the steps you take to create this binary?

      ReplyDelete
      Replies
      1. I'm not going to give the blow-by-blow commands; several versions of that are circulating and it's enough of a headache responding to questions about merely installing the binary. I think the vast majority of people should use that, and those who already know how to build the binary will have already done so. However, I *will* say:

        - The binary is made from unmodified source. I downloaded the 4.3 source from GNU and applied all patches. No changes were made otherwise.
        - CFLAGS are -arch ppc -arch i386 -isysroot /Developer/SDKs/MacOSX10.4u.sdk
        - configure, make, done.

        Delete

    Due to an increased frequency of spam, comments are now subject to moderation.