Shellshock Bugs, Macs, and Unix Powers

I love my Apple to bits. My writing, teaching, coding, graphing, and playing are all done on a MacBookPro with two Intel 2.4 GHz processors running OS X 10.5.8 called “Leopard.” It was the up-to-date operating system from 2006-2009 and I never saw the need to change, as I was too lazy to fix something that is not broken. Until today when I learnt of a vulnerability deep inside the guts of my beloved Unix-machines.

For over 5 years this laptop has been running non-stop doing scientific computing on huge amounts of ice, ocean, and satellite data. It is this Unix environment that I cherish as it is open, transparent, elegant, and concise. It also allows me to use unlimited codes and tools of many open-source communities. My Apple also traveled with me on ships and planes to Arctic Canada, Greenland, Norway, Germany, and anywhere in-between. It travels daily on my bicycle from home to work and back.

Today I was worried when my student Pat told me about shellshock, a bug that potentially can give control to a hostile party smart enough to exploit this vulnerability for which Apple has not yet released a patch. So, did I have a problem? You bet.

STEP-0: From a terminal I entered the command

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the word “vulnerable” appears, then the bug is present. Also check the second flavor of the bug by entering the command

env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

If you see the actual date displayed (as opposed to the word “date”), then again you got the buggy code. Here is how I fixed it on my laptop and MacMini that hosts my work web-pages.

STEP-1: I took this technical recipe, but not all elements worked for me:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -

The above line failed me, but adding the option -k let the curl command download the needed files from apple.com; the same was true for the two other curl commands below, which download the patches from gnu.org and apply them to the files downloaded from apple.com before.

$ curl -k https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ cd ..
$ sudo xcodebuild

STEP-2: The above line “sudo xcodebuild” did not work for me for reasons I do not understand. I realized, however, that it was supposed to compile the patched codes to produce executable new files “bash” and “sh” free of the bug. I searched for and found the code-building application XCode.app on my computer as /Developer/Application/XCode.app and started it by point and click. Then via File > Open File I found the relevant “project file” bash.xcodeproj that was in the directory created previously, that is, bash-fix/bash-92, which I then opened within XCode.app. Hit the button with the hammer called “Build and Go” and you build yourself a new bash.

Screenshot of compiling patched bash.xcodeproj using XCode.app

STEP-3: Once the compilation and building of the executables is complete, all that needed to be done was to move the newly created, patched executable shells “bash” and “sh” into their rightful places deep within the guts of the operating systems. First, however, let's just save the buggy old files. From the command line:

$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old

and as the last step move the new, patched “bash” and “sh” to their root directory /bin:

$ sudo cp build/Release/bash /bin/.
$ sudo cp build/Release/sh /bin/.

I moved the binary files “bash” and “sh” to my web-hosting MacMini after renaming the old buggy ones, oh, and as a good practice (short of deleting those old system files), I changed the permission settings.
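
To confirm the swap in STEP-3 took effect, the two STEP-0 checks can be re-run against each shell binary by path, for instance /bin/bash, /bin/sh and the saved /bin/bash.old. The script below is an added example, not part of the original recipe; the function names are hypothetical, and it covers only the two checks from STEP-0.

```shell
#!/bin/sh
# Added example: re-run both STEP-0 checks against a shell given by path.
# Usage: sh sscheck.sh /bin/bash /bin/sh /bin/bash.old

# First check: a function-style variable with a command appended to it.
check_first() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || :
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Second check: a buggy shell writes the output of `date` into a file
# named "echo". Run it in a scratch directory so the current directory
# is never touched, then look for that file.
check_second() {
    shell=$1
    case "$shell" in /*) ;; *) shell=$PWD/$shell ;; esac
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/sscheck.XXXXXX") || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Report both results for one binary; succeeds only if both are patched.
shellshock_check() {
    if [ ! -x "$1" ]; then
        echo "$1 missing"
        return 2
    fi
    first=$(check_first "$1")
    second=$(check_second "$1")
    echo "$1 first=$first second=$second"
    [ "$first" = patched ] && [ "$second" = patched ]
}

# Check every path given on the command line.
for s in "$@"; do
    shellshock_check "$s" || :
done
```

The saved .old copies should still report vulnerable, which shows the checks themselves work on that machine.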

Credit for this way to reduce a vulnerability on my dear machine belongs to this concise blog whose content is also presented in a more chatty voice. Wired Magazine adds a little drama in their story titled “The Internet Braces for the Crazy Shellshock Worm,” but it took me longer to write and assemble this essay than it did to patch the bug.

Unix is fun to hack.
Eric S. Raymond

Unix is not so much an operating system as an oral history.
— Neal Stephenson

ADDENDUM Sept.-28, 2014: A quick online to test for vulnerable web-sites and cgi scripts.

ADDENDUM Jan.-6, 2015: I apparently missed 3 more vulnerabilities that the above test may not check for, e.g., http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html
