blog @spotflux
These are the thoughts and opinions written by the spotflux team and our colleagues.

Patching the shellshock bug in OS X

September 25, 2014

The shellshock bug, announced yesterday, has left a lot of sysadmins scrambling to patch their copies of bash.

Patches are readily available for most flavors of Linux, but OS X is lagging behind a bit waiting for Cupertino to put out an update. Unfortunately, the manual steps to rebuild the distributed copy of bash require the Xcode command line tools and can be a little intimidating.

Luckily, there is a slightly easier way, using Homebrew. It requires running some commands in the terminal, but we’ve got full instructions for you.

Testing the Vulnerability

To see if you’re exposed, run the following command in the terminal.

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your copy of bash is at risk, you will see the following:
vulnerable
hello

If you’ve been successfully patched, you will see this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If you’re at risk, continue with these steps to get patched as soon as possible.

All commands should be run in Terminal, and you should make sure you’re using an Administrator account, as we’ll be using sudo.

WARNING: It is possible to break the configuration for OS X if these instructions are followed incorrectly. Worst case, you can be prevented from logging back in entirely. Use these instructions at your own risk. Should you find yourself locked out, you can restore OS X by rebooting and holding CMD+R, which will bring you into the recovery screen. Reinstall OS X and you will get your settings back without losing data.

1. Install Homebrew

Homebrew is a handy package manager for OS X. Run the command below to install it if you’re not already using it.

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

2. Get the latest version of bash

Run the following to update your Homebrew package lists and get the latest, safe version of bash.

brew update
brew install bash

This will install bash and create a link at /usr/local/bin/bash. However, the default copy of bash (which we want to replace) is located at /bin/bash. So we need to put our new copy of bash in charge.

3. Replace your default shell

First, let’s get rid of the vulnerable copy of bash:

sudo mv /bin/bash /bin/bash.shellshock

Note we’re using sudo, so you may need to enter your password.

This will rename the default bash executable to bash.shellshock. You can always get it back by renaming the file to bash again.

We then need to create a link to our new executable:

sudo ln -s /usr/local/bin/bash /bin/bash

It is important to note that an OS X update may overwrite this symlink with a fresh copy of Apple’s bash (which is why we replaced the file at /bin/bash explicitly), so re-check it after updating.

You can check if the link is still in place with this command:
ls -la /bin/bash
Note the reference to /usr/local/bin/bash.
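The following script is an added example, not part of the original post. It wraps the test command from the "Testing the Vulnerability" section in a function, reports what /bin/bash currently points at, and performs the rename-and-symlink from step 3 only after the replacement bash has itself passed the test and no earlier backup is in the way. The file name check-bash.sh and the status labels are assumptions; the paths default to the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): preflight and verification helpers
# for the bash replacement described above.

# shellshock_status BASH_PATH -> prints "missing", "vulnerable" or "patched"
shellshock_status() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    # Same probe as the post: an exported variable whose value starts with "() {"
    # is imported as a function by an unpatched bash, and the trailing command runs.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# link_target PATH -> prints the symlink target, or "not-a-symlink"
link_target() {
    if [ -L "$1" ]; then readlink "$1"; else echo not-a-symlink; fi
}

# replace_bash NEW_BASH SYSTEM_BASH -> renames SYSTEM_BASH to SYSTEM_BASH.shellshock
# and symlinks NEW_BASH in its place, as in step 3, but only after NEW_BASH passes
# the test. Returns non-zero and changes nothing if any preflight check fails.
replace_bash() {
    new=$1
    sys=$2
    case $(shellshock_status "$new") in
        patched)    ;;
        missing)    echo "refusing: $new not found or not executable" >&2; return 1 ;;
        vulnerable) echo "refusing: $new is itself vulnerable" >&2; return 1 ;;
    esac
    [ -e "$sys" ] || { echo "refusing: $sys does not exist" >&2; return 1; }
    [ -e "$sys.shellshock" ] && { echo "refusing: $sys.shellshock already exists" >&2; return 1; }
    mv "$sys" "$sys.shellshock" || return 1
    ln -s "$new" "$sys" || return 1
    echo "replaced: $sys -> $(link_target "$sys")"
}

# When run directly, only report. The replacement is deliberately not automatic;
# to perform it (needs sudo, as in the post), assuming this file is check-bash.sh:
#   sudo sh -c '. ./check-bash.sh; replace_bash /usr/local/bin/bash /bin/bash'
for b in /bin/bash /usr/local/bin/bash; do
    echo "$b: $(shellshock_status "$b") (link target: $(link_target "$b"))"
done
```

Running the file as-is prints the status of both copies of bash and the link target, which is the check worth repeating after every OS X update.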

That should do it! Restart your terminal (exit it and relaunch), then run the test again from earlier:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

And you should see:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Congratulations! You’re patched. Be sure to reboot to get rid of any bash sessions you didn’t know about.

Author: Tom Elliott