Shellshock - vulnerability for Mac and Linux - worse than Heartbleed?

Yaz4Ever

MemBer
Lifetime Member
SoSH Member
Jul 10, 2004
11,256
MA-CA-RI-AZ-NC
So, I saw an article on Gizmodo or Lifehacker that introduces Mac and Linux users to a new vulnerability which is supposed to be worse than Heartbleed - Shellshock.
 
I ran the test command through Terminal, as suggested, and my machine shows as vulnerable.
 
I'm heading to Google to find out more, but wanted to share this with you guys/gals.
 
To check your Mac, go to terminal and type in:
 
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
 
If you're vulnerable (like me), you'll see:
 
vulnerable
hello
 
If you're not vulnerable, you'll see:
 
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
 
I don't know what the hell bashes are (other than the couple I've attended with some of you asshats), 
 
From what I understand, Linux users have patches available already.  Mac users do not.
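
The check from the post above, wrapped as a script that probes several shell binaries instead of only the default `bash` (an added example, not part of the original post). The path list and the verdict names are assumptions; `/bin/sh` is included because, as noted later in the thread, OS X uses bash as `/bin/sh`.

```shell
#!/bin/sh
# Added example: run the thread's probe against several shell binaries.
# Verdict names and the path list are assumptions made for this sketch.

# Map the probe's combined stdout/stderr to a verdict.
classify_output() {
    case "$1" in
        *vulnerable*) echo "VULNERABLE" ;;   # the injected echo ran
        *"ignoring function definition attempt"*) echo "REJECTED" ;;  # import refused with a warning
        *hello*) echo "CLEAN" ;;             # variable was never treated as a function
        *) echo "UNKNOWN" ;;                 # nothing recognizable came back
    esac
}

# Run the probe against one shell binary and print its verdict.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "MISSING"
        return 0
    fi
    # The probe only echoes a marker word; it changes nothing on the system.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo hello' 2>&1 </dev/null) || true
    classify_output "$out"
}

# Check the usual locations plus any extra paths given as arguments.
scan_shells() {
    for s in /bin/sh /bin/bash /usr/local/bin/bash "$@"; do
        printf '%-22s %s\n' "$s" "$(check_shell "$s")"
    done
}

scan_shells "$@"
```

A REJECTED or CLEAN verdict covers only this one probe. As a later reply in the thread points out, the first upstream patches were not complete, so vendor updates should still be applied.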
 

MakMan44

stole corsi's dream
SoSH Member
Aug 22, 2009
19,363
From what I can understand, they need direct access to your computer to take advantage of the bug. The Apache HTTP is also vulnerable but I think that's somewhat mitigated on Macs, because newer ones don't allow access to the system preference control. I'm not really sure what that means but I understand it as, if you're not using your Mac as a webserver, you're a little bit safer. Other than that, it seems to be the usual "keep an eye out for suspicious website, downloads and emails" 
 
It also seems like a good idea to update your router's firmware, which is the more likely access point. I'm sure Blacken or someone else will come in and completely destroy what I just said, but the above is what I got out of researching. 
 

AlNipper49

Huge Member
Dope
SoSH Member
Apr 3, 2001
44,855
Mtigawi
MakMan44 said:
From what I can understand, they need direct access to your computer to take advantage of the bug. The Apache HTTP is also vulnerable but I think that's somewhat mitigated on Macs, because newer ones don't allow access to the system preference control. I'm not really sure what that means but I understand it as, if you're not using your Mac as a webserver, you're a little bit safer. Other than that, it seems to be the usual "keep an eye out for suspicious website, downloads and emails" 
 
It also seems like a good idea to update your router's firmware, which is the more likely access point. I'm sure Blacken or someone else will come in and completely destroy what I just said, but the above is what I got out of researching. 
 
That's a good point if your firewall is linux based and secured poorly.  
 
A lot are.  You're best to check with the manufacturer.  99.9% of home routers are probably fine.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
MakMan44 said:
From what I can understand, they need direct access to your computer to take advantage of the bug. The Apache HTTP is also vulnerable but I think that's somewhat mitigated on Macs, because newer ones don't allow access to the system preference control. I'm not really sure what that means but I understand it as, if you're not using your Mac as a webserver, you're a little bit safer. Other than that, it seems to be the usual "keep an eye out for suspicious website, downloads and emails" 
 
It also seems like a good idea to update your router's firmware, which is the more likely access point. I'm sure Blacken or someone else will come in and completely destroy what I just said, but the above is what I got out of researching.
There is a practicable DHCP attack that a dirty DHCP server can use to run arbitrary code on Macs--and there are rumors that it works on iOS, too.

I would advise not connecting to public wifi networks on either until Apple pushes a patch.


SumnerH said:
Official upstream bash patches (for all supported platforms) have been out for a couple of days now.

http://seclists.org/oss-sec/2014/q3/650
They're not complete patches. My day still sucks.
 

MakMan44

stole corsi's dream
SoSH Member
Aug 22, 2009
19,363
AlNipper49 said:
 
That's a good point if your firewall is linux based and secured poorly.  
 
A lot are.  You're best to check with the manufacturer.  99.9% of home routers are probably fine.
So it's very bad if they can get in, but it's not that easy to get in is what I'm to understand?
 
Blacken said:
There is a practicable DHCP attack that a dirty DHCP server can use to run arbitrary code on Macs--and there are rumors that it works on iOS, too.

I would advise not connecting to public wifi networks on either until Apple pushes a patch.
Thanks Blacken. 
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
The overwhelming majority of routers use shitty CGI scripts for their web interface. If you've enabled public access to your router's config pages, you are probably pwned. If not, you're probably safe.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
Blacken said:
The overwhelming majority of routers use shitty CGI scripts for their web interface. If you've enabled public access to your router's config pages, you are probably pwned. If not, you're probably safe.
 
And this is probably true even without the bug in question.  Don't do that.
 

MakMan44

stole corsi's dream
SoSH Member
Aug 22, 2009
19,363
So, maybe a dumb question, but asking anyway: Connecting to my college's wifi? I have an online class and it's impossible for me to get home before it starts, otherwise I wouldn't ask. 
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
Blacken said:
There is a practicable DHCP attack that a dirty DHCP server can use to run arbitrary code on Macs--and there are rumors that it works on iOS, too.

I would advise not connecting to public wifi networks on either until Apple pushes a patch.
 
Connecting what? Is it risky to connect my iPad to public wifi? My iPhone? Or just my Mac?
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
HriniakPosterChild said:
 
Connecting what? Is it risky to connect my iPad to public wifi? My iPhone? Or just my Mac?
 
AFAIK iOS doesn't ship with bash by default, so unless you have a weird developer toolkit installed or something with bash on it then you should be immune.
 
Android uses ash instead of bash, so it's safe by default as well.
 
 
(iOS = iPhone/iPad)
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,447
Harrisburg, Pa.
I ran the Terminal script in the OP and it returned "vulnerability hello". I don't use my Mac update to the latest OSX for a server but do use FileZilla occasionally for freelance work.

Anything specific I need to do? The apache whatever is turned off (ie if I go to "local host" it returns no pages)?
 

86spike

Currently enjoying "Arli$$"
SoSH Member
Apr 17, 2002
25,082
Procrasti Nation
Blacken said:
The overwhelming majority of routers use shitty CGI scripts for their web interface. If you've enabled public access to your router's config pages, you are probably pwned. If not, you're probably safe.
I have never configured anything on my router other than passwords. Is enabling public access something I would have had to have done actively, or would it have come from Verizon that way?

Follow up: should I pile up all my computers and run over them with the car tonight or can I wait until the morning after my neighbors wake up?
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
86spike said:
I have never configured anything on my router other than passwords. Is enabling public access something I would have had to have done actively, or would it have come from Verizon that way?

Follow up: should I pile up all my computers and run over them with the car tonight or can I wait until the morning after my neighbors wake up?
It would not come with public access preconfigured. You're probably safe.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
SumnerH said:
AFAIK iOS doesn't ship with bash by default, so unless you have a weird developer toolkit installed or something with bash on it then you should be immune.
My understanding is that this is not correct, but I can't find a cite. Rumors and discussion.

Remember that OS X uses bash 3.2 as /bin/sh. I wouldn't be surprised if that's on iOS. A Unix needs a shell for a lot of random shit.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
Blacken said:
My understanding is that this is not correct, but I can't find a cite. Rumors and discussion.

Remember that OS X uses bash 3.2 as /bin/sh. I wouldn't be surprised if that's on iOS. A Unix needs a shell for a lot of random shit.
I saw early speculation that iOS has bash by default, but more recent speculation that it doesn't. I lean toward the latter but wouldn't be shocked to learn the opposite. The amount of confusion is surprising.

OS X is another story.
 

86spike

Currently enjoying "Arli$$"
SoSH Member
Apr 17, 2002
25,082
Procrasti Nation
Can anybody help me with an explanation on how this could lead to exposure in layman's terms?

In my house I have Verizon Fios internet service with their router.

Here are the internet-connected devices in my home:

2 Macs running OSX
4 iOS devices
A Roku
2 Blu Ray players
A Nintendo Wii
A printer

So if I'm vulnerable how does some Black Hat get to me?

Do I need to download malware? Open a sketchy attachment? Just go on a particular website? Or does the bad guy need to target me randomly from his desk in Putin's crime lab?

Just curious about the logistics and appreciative of the insight here. Thanks!
 

Yaz4Ever

MemBer
Lifetime Member
SoSH Member
Jul 10, 2004
11,256
MA-CA-RI-AZ-NC
bump
 
Although I started this thread, I still don't have a frigging clue how concerned I should be.  Wife and I have Macbooks, we all have iPhones and iPads.
 

EddieYost

is not associated in any way with GHoff
SoSH Member
Jul 15, 2005
10,746
NH
Yaz4Ever said:
bump
 
Although I started this thread, I still don't have a frigging clue how concerned I should be.  Wife and I have Macbooks, we all have iPhones and iPads.
/Humble brag
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
Based on the results of a few minutes of reading, here's an educated guess:
Linux: DHCP is at risk.  Whenever you connect to a wifi network you don't control, someone could spoof the DHCP server and gain control of your system.  Problem.
Android:  Not at risk.  Ships with busybox, not bash.
IPhone/iPad:  Not at risk; bash is reported not to be present.
Mac:  Not at risk for normal users.  DHCP not at risk.  If you run a server, you may have risk associated with HTTP servers and with SSH allowing access other than specified commands (small risk).  If you don't know what the previous two sentences mean, you are not at risk, as far as we know.
 
So far, there is only small real-world risk for users, but the key is "so far".  Bash is very very widely used, and more dangerous exploits may yet be discovered.  (The good news is that most security conscious people try to avoid bash because it is big and security holes are always suspected in big software, so it's less widely used in the most important software. )
I may also have missed some obvious risk that is currently known.
 

Yaz4Ever

MemBer
Lifetime Member
SoSH Member
Jul 10, 2004
11,256
MA-CA-RI-AZ-NC
Ok, so normal people not running web servers are safe? Regular use won't endanger anyone. Torrenting things that aren't applications, regular surfing, email etc all ok?
 

derekson

Member
SoSH Member
Jun 26, 2010
6,243
For anyone else running OS X Yosemite, they did fix this in the new developer and public beta builds released today as well.