This script builds and installs a new version of bash and sh from source that fixes the bash Shellshock vulnerability on Mac OS X 10.9.5 until Apple releases the official patch. It requires the Xcode command line tools. If you do not have the Xcode command line tools installed, I have made pre-built versions of bash and sh available for download.
Please note that you probably don’t need this patch unless you are running services that expose the vulnerability on an external port.
Many thanks to this Apple StackExchange post for providing the key information: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an and to Chet Ramey for creating and distributing the patches so quickly.
Patch, Build and Install the Fixed Versions of bash and sh
This is how you download the script and use it to install the updates.
```bash
$ # Download the script using wget. You can also use curl or any other similar tool.
$ wget http://projects.joelinoff.com/bash-shellshock/bash-shellshock-mac.sh
$ chmod a+x bash-shellshock-mac.sh
$ ./bash-shellshock-mac.sh
[output snipped]
$ # Verify that the vulnerability was fixed.
$ env x='() { :;}; echo vulnerable' bash -c "echo bash: shellshock test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: shellshock test
```
Download, Verify and Install Pre-Built Versions of bash and sh
If you cannot build locally because you do not have the Xcode command line tools installed, you can download and install the pre-built versions of bash and sh as follows.
```bash
$ # Download the pre-built versions.
$ wget http://projects.joelinoff.com/bash-shellshock/bash-mac-3.2.53
$ wget http://projects.joelinoff.com/bash-shellshock/sh-mac-3.2.53
$ chmod a+x bash-mac-3.2.53 sh-mac-3.2.53
$ # Verify that they have not been tampered with.
$ # If the checksum does NOT match, do not go any further.
$ sum bash-mac-3.2.53
55667 924 bash-mac-3.2.53
$ sum sh-mac-3.2.53
62584 925 sh-mac-3.2.53
$ # Back up the originals and disable execution (the /bin entries are root-owned, so sudo is needed).
$ sudo cp /bin/bash{,-3.2.51}
$ sudo cp /bin/sh{,-3.2.51}
$ sudo chmod a-x /bin/bash-3.2.51 /bin/sh-3.2.51
$ # Install.
$ sudo cp bash-mac-3.2.53 /bin/bash
$ sudo cp sh-mac-3.2.53 /bin/sh
$ # Verify that they are installed.
$ bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
$ sh --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
$ # Verify that the vulnerability was fixed.
$ env x='() { :;}; echo vulnerable' bash -c "echo bash: shellshock test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: shellshock test
```
Script Contents
This is the script. There is nothing fancy. It verifies that the OS version is correct and that the Xcode command line tools are installed, then downloads the bash source and patches, builds them and installs the result. Once installed, it verifies that the patch worked.
```bash
#!/bin/bash
# CITATION: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

# Print a banner so each stage is easy to spot in the output.
function hdr() {
    echo
    echo "# ================================================================"
    echo "# $*"
    echo "# ================================================================"
}

hdr "bash shellshock fix for Mac OS X 10.9.5"

hdr "Verify the OS version"
SWVER=$(sw_vers -productVersion)
if [[ "${SWVER}" != "10.9.5" ]] ; then
    echo "ERROR: This script has only been tested on Mac OS X 10.9.5, cannot continue."
    exit 1
fi

hdr "Verify that xcode command line tools are installed."
pkgutil --pkg-info=com.apple.pkg.CLTools_Executables
st=$?
if (( $st )) ; then
    echo "ERROR: This script requires xcode, cannot continue."
    exit 1
fi

# Each download is skipped if the file is already present; a fresh download
# discards any previous build tree so the new input is actually used.
if [ ! -f downloads/bash-92.tar.gz ] ; then
    hdr "Downloading bash-92.tar.gz"
    if [ ! -d downloads ] ; then
        mkdir downloads
    fi
    pushd downloads
    wget --no-check-certificate https://opensource.apple.com/tarballs/bash/bash-92.tar.gz
    popd
    if [ -d bash-92 ] ; then
        sudo rm -rf bash-92
    fi
fi

if [ ! -f downloads/bash32-052 ] ; then
    hdr "Downloading bash32-052"
    if [ ! -d downloads ] ; then
        mkdir downloads
    fi
    pushd downloads
    wget --no-check-certificate https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
    popd
    if [ -d bash-92 ] ; then
        sudo rm -rf bash-92
    fi
fi

if [ ! -f downloads/bash32-053.patch ] ; then
    hdr "Downloading bash32-053.patch"
    if [ ! -d downloads ] ; then
        mkdir downloads
    fi
    pushd downloads
    wget --no-check-certificate http://alblue.bandlem.com/bash32-053.patch
    popd
    if [ -d bash-92 ] ; then
        sudo rm -rf bash-92
    fi
fi

if [ ! -d bash-92 ] ; then
    hdr "Patch and build"
    tar xzf downloads/bash-92.tar.gz   # the tarball is gzip-compressed
    cd bash-92/bash-3.2
    ls -l ../../downloads
    patch -p0 <../../downloads/bash32-052
    patch -p0 <../../downloads/bash32-053.patch
    cd ..
    sudo xcodebuild
    cd ..   # back to the starting directory so the bash-92/... paths below resolve
fi

# Install, keeping the original 3.2.51 binaries as non-executable backups.
if [ ! -f /bin/bash-3.2.51 ] ; then
    hdr "Install bash"
    sudo cp /bin/bash /bin/bash-3.2.51
    sudo cp bash-92/build/Release/bash /bin/bash-3.2.53
    sudo cp bash-92/build/Release/bash /bin/bash
    sudo chmod -x /bin/bash-3.2.51
fi

if [ ! -f /bin/sh-3.2.51 ] ; then
    hdr "Install sh"
    sudo cp /bin/sh /bin/sh-3.2.51
    sudo cp bash-92/build/Release/sh /bin/sh-3.2.53
    sudo cp bash-92/build/Release/sh /bin/sh
    sudo chmod -x /bin/sh-3.2.51
fi

hdr "Verify"
which bash
bash --version
cat <<EOF
Expected output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
bash: shellshock test
EOF
env x='() { :;}; echo vulnerable' bash -c "echo bash: shellshock test"

hdr "Done"
```
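Each section above checks the fix with the same one-liner and leaves you to read the output. The helper below is an added example, not part of the original post or its script: it wraps that probe in POSIX sh functions so the same check can be run against every interpreter the post touches (/bin/bash, /bin/sh, and the backed-up /bin/bash-3.2.51 if you make it executable again) and used from a script through its exit status. It also reports the version string, which is the other thing the post eyeballs. Because the `sum` check in the pre-built section only catches a corrupted download (it is a 16-bit checksum, not a cryptographic hash), running this probe after the install is worthwhile whichever path you took. The function names and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reusable wrappers around the
# post's CVE-2014-6271 function-import probe.

# bash_version BIN: print the version from "BIN --version", e.g. "3.2.53(1)-release".
# Prints nothing if BIN is not bash (e.g. a dash /bin/sh).
bash_version() {
    "$1" --version 2>/dev/null | sed -n 's/^GNU bash, version \([^ ]*\).*/\1/p' | head -n 1
}

# shellshock_probe BIN
#   returns 0 if BIN refuses the function import (patched),
#           1 if the trailing command in the environment variable ran (vulnerable),
#           2 if BIN is not an executable shell that can run "-c".
shellshock_probe() {
    sp_bin=$1
    [ -x "$sp_bin" ] || return 2
    # Same payload as the post: a function definition followed by a trailing
    # command. A patched bash prints "ignoring function definition attempt" and
    # only runs our -c command; an unpatched bash 3.2 also executes the trailer.
    sp_out=$(env x='() { :;}; echo vulnerable' "$sp_bin" -c 'echo probe' 2>&1)
    case $sp_out in
        *probe*) ;;               # the interpreter actually ran our -c command
        *)       return 2 ;;
    esac
    case $sp_out in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# shellshock_report BIN...: one line per interpreter; non-zero exit if any is vulnerable.
shellshock_report() {
    sr_bad=0
    for sr_bin in "$@"; do
        sr_ver=$(bash_version "$sr_bin")
        shellshock_probe "$sr_bin"
        case $? in
            0) sr_status="patched" ;;
            1) sr_status="VULNERABLE"; sr_bad=1 ;;
            *) sr_status="not a usable shell" ;;
        esac
        printf '%-24s %-20s %s\n' "$sr_bin" "${sr_ver:-unknown}" "$sr_status"
    done
    return $sr_bad
}

# Usage: ./shellshock-check.sh /bin/bash /bin/sh
# (with no arguments the functions are only defined, so the file can be sourced)
if [ $# -gt 0 ]; then
    shellshock_report "$@"
fi
```

On a 10.9.5 box after the install, `shellshock_report /bin/bash /bin/sh` should print `3.2.53(1)-release` and `patched` for both; a `VULNERABLE` line means the copy in /bin was not replaced, which is exactly the case the script's guard on /bin/bash-3.2.51 can mask if a previous run backed up the original but failed before the copy.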