05 October 2014

How to Test For the Shellshock Vulnerability and Upgrade Bash Using MacPorts on Mac OS X 10.9.4

Given all the recent hype over the bash Shellshock vulnerability, whichever operating system you are using, any affected version of bash should be patched or upgraded immediately.

You can quickly test your operating system to see if your bash version is vulnerable by following the instructions on the Shellshocker website. TL;DR, here is the command you need to run to test bash on your machine:

$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2009 100 2009 0 0 3044 0 --:--:-- --:--:-- --:--:-- 3240
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
Note that the version of bash in my PATH (the newer one from MacPorts) is not affected by the vuln. Now I will test the version of bash installed as /bin/bash:

$ curl https://shellshocker.net/shellshock_test.sh | /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2009 100 2009 0 0 6200 0 --:--:-- --:--:-- --:--:-- 6258
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable

Notice that I piped the script directly to /bin/bash instead of relying upon the version of bash in my PATH. Because I have already installed Apple's update (noted below), /bin/bash is not affected either.
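The same PATH-versus-/bin/bash distinction can be checked without piping a remote script into a shell. The script below is an added example (not from the original post or from the Shellshocker project): it runs the CVE-2014-6271 probe that such test scripts use against every bash it can find, each bash on PATH, Apple's /bin/bash and MacPorts' /opt/local/bin/bash (the MacPorts prefix is an assumption), and reports the version and verdict for each.

```shell
#!/bin/sh
# Added example (not from the original post): run the CVE-2014-6271 probe
# locally against named bash binaries instead of piping a remote script to bash.
# shellshock_6271 BASH_PATH
# Exports a function definition with trailing commands in an environment
# variable. An unpatched bash executes the trailing "echo vulnerable" while
# importing the function; a patched bash treats x as a plain variable.
# Prints the verdict; returns 0 = not vulnerable, 1 = vulnerable, 2 = no binary.
shellshock_6271() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo "no such executable"; return 2; }
    # stderr is discarded: a partially patched bash warns about the attempt
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'true' 2>/dev/null)
    case $out in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# bash_version BASH_PATH: prints the version string reported by that binary
bash_version() {
    "$1" -c 'printf "%s\n" "$BASH_VERSION"'
}

# list_bash_candidates: every bash found on PATH plus the Apple-supplied
# /bin/bash and MacPorts' /opt/local/bin/bash (MacPorts prefix assumed),
# each path listed once, in the order PATH lookup would find them.
list_bash_candidates() {
    {
        echo "$PATH" | tr ':' '\n' | while read -r dir; do
            if [ -x "$dir/bash" ]; then echo "$dir/bash"; fi
        done
        echo /bin/bash
        echo /opt/local/bin/bash
    } | awk '!seen[$0]++'
}

# check_all: probe every candidate (paths without spaces assumed);
# prints one line per binary, returns 1 if any of them is vulnerable.
check_all() {
    status=0
    for b in $(list_bash_candidates); do
        [ -x "$b" ] || continue
        printf '%s (%s): ' "$b" "$(bash_version "$b")"
        shellshock_6271 "$b" || status=1
    done
    return $status
}

check_all
```

A binary that is absent (for example /opt/local/bin/bash on a machine without MacPorts) is simply skipped, so the output lists only the bash binaries that actually exist on the system.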

Apple Update 

Apple has already released an update containing a patched bash version, so it's very easy to update the standard bash version located in /bin/bash. But, if you are like me and you are using MacPorts to manage many binaries within Mac OS X, you may not be using the version of bash installed by Apple.

Use of MacPorts to Upgrade Bash

I have used MacPorts for years and I continue to get grief from people who love Homebrew. I must say that I do like both, but for some reason I have always kept coming back to MacPorts. Anyway, if you are using MacPorts then upgrading to the patched version of bash is especially easy. Below are the commands to upgrade bash:

$ sudo port selfupdate
Password:
---> Updating MacPorts base sources using rsync
MacPorts base version 2.3.1 installed,
MacPorts base version 2.3.1 downloaded.
---> Updating the ports tree
---> MacPorts base is already the latest version
The ports tree has been updated. To upgrade your installed ports, you should run
port upgrade outdated
$ sudo port outdated
The following installed ports are outdated:
apr-util 1.5.3_0 < 1.5.4_0
bash 4.3.24_0 < 4.3.28_0
git 2.1.0_0 < 2.1.1_0
gnupg 1.4.16_0 < 1.4.18_0
icu 53.1_0 < 53.1_1
nmap 6.40_0 < 6.47_0
p5.16-io-socket-ssl 1.997.0_1 < 1.998.0_0
xz 5.0.5_0 < 5.0.7_0
$ sudo port upgrade bash
---> Computing dependencies for bash
---> Fetching archive for bash
---> Attempting to fetch bash-4.3.28_0.darwin_13.x86_64.tbz2 from http://packages.macports.org/bash
---> Attempting to fetch bash-4.3.28_0.darwin_13.x86_64.tbz2.rmd160 from http://packages.macports.org/bash
---> Installing bash @4.3.28_0
---> Cleaning bash
---> Computing dependencies for bash
---> Deactivating bash @4.3.24_0
---> Cleaning bash
---> Activating bash @4.3.28_0
---> Cleaning bash
---> Updating database of binaries
---> Scanning binaries for linking errors
---> No broken files found.

2 comments:

  1. I'm confused... Software Update for OSX 10.9.5 says No Updates Available, but curl https://shellshocker.net/shellshock_test.sh | bash shows vulnerabilities.

    1. That is odd, are you sure that the correct bash binary is being tested? In other words, do you have more than one bash binary in your PATH that might not be the one updated by the OS X update?
