You can quickly test your operating system to see if your bash version is vulnerable by following instructions on the Shellshocker website. TLDR, here is the command you need to run to test bash on your machine:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ curl https://shellshocker.net/shellshock_test.sh | bash | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 2009 100 2009 0 0 3044 0 --:--:-- --:--:-- --:--:-- 3240 | |
| CVE-2014-6271 (original shellshock): not vulnerable | |
| bash: shellshocker: command not found | |
| CVE-2014-6278 (Florian's patch): not vulnerable | |
| CVE-2014-7169 (taviso bug): not vulnerable | |
| CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable | |
| CVE-2014-7186 (redir_stack bug): not vulnerable | |
| CVE-2014-7187 (nested loops off by one): not vulnerable |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ curl https://shellshocker.net/shellshock_test.sh | /bin/bash | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 2009 100 2009 0 0 6200 0 --:--:-- --:--:-- --:--:-- 6258 | |
| CVE-2014-6271 (original shellshock): not vulnerable | |
| bash: shellshocker: command not found | |
| CVE-2014-6278 (Florian's patch): not vulnerable | |
| CVE-2014-7169 (taviso bug): not vulnerable | |
| CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable | |
| CVE-2014-7186 (redir_stack bug): not vulnerable | |
| CVE-2014-7187 (nested loops off by one): not vulnerable |
Notice that I piped the script directly to /bin/bash instead of relying upon the version of bash in my PATH. Because I have already installed Apple's update (noted below), /bin/bash is not affected either.
Apple Update
Apple has already released an update containing a patched bash version, so it's very easy to update the standard bash version located in /bin/bash. But, if you are like me and you are using MacPorts to manage many binaries within Mac OS X, you may not be using the version of bash installed by Apple.Use of MacPorts to Upgrade Bash
I have used MacPorts for years and I continue to get grief from people who love Homebrew. I must say that I do like both, but for some reason I have always kept coming back to MacPorts. Anyway, if you are using MacPorts then upgrading to the patched version of bash is especially easy. Below are the commands to upgrade bash:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo port selfupdate | |
| Password: | |
| ---> Updating MacPorts base sources using rsync | |
| MacPorts base version 2.3.1 installed, | |
| MacPorts base version 2.3.1 downloaded. | |
| ---> Updating the ports tree | |
| ---> MacPorts base is already the latest version | |
| The ports tree has been updated. To upgrade your installed ports, you should run | |
| port upgrade outdated | |
| $ sudo port outdated | |
| The following installed ports are outdated: | |
| apr-util 1.5.3_0 < 1.5.4_0 | |
| bash 4.3.24_0 < 4.3.28_0 | |
| git 2.1.0_0 < 2.1.1_0 | |
| gnupg 1.4.16_0 < 1.4.18_0 | |
| icu 53.1_0 < 53.1_1 | |
| nmap 6.40_0 < 6.47_0 | |
| p5.16-io-socket-ssl 1.997.0_1 < 1.998.0_0 | |
| xz 5.0.5_0 < 5.0.7_0 | |
| $ sudo port upgrade bash | |
| ---> Computing dependencies for bash | |
| ---> Fetching archive for bash | |
| ---> Attempting to fetch bash-4.3.28_0.darwin_13.x86_64.tbz2 from http://packages.macports.org/bash | |
| ---> Attempting to fetch bash-4.3.28_0.darwin_13.x86_64.tbz2.rmd160 from http://packages.macports.org/bash | |
| ---> Installing bash @4.3.28_0 | |
| ---> Cleaning bash | |
| ---> Computing dependencies for bash | |
| ---> Deactivating bash @4.3.24_0 | |
| ---> Cleaning bash | |
| ---> Activating bash @4.3.28_0 | |
| ---> Cleaning bash | |
| ---> Updating database of binaries | |
| ---> Scanning binaries for linking errors | |
| ---> No broken files found. |
I'm confused... Software Update for OSX 10.9.5 says No Updates Available, but curl https://shellshocker.net/shellshock_test.sh | bash shows vulnerabilities.
ReplyDeleteThat is odd, are you sure that the correct bash binary is being tested? In other words, do you have more than one bash binary in your PATH that might not be the one updated by the OS X update?
Delete