CVE-2014-6271 bash vulnerability

Yes-- but who aside from Apple is trusted enough to do that?

"Hi, you don't know me, but use this file instead. It's probably fine."

Quinnypig wrote:

there are exploits in the wild that leverage DHCP.

Such as?

zdnet states:

He also warned that DHCP services are also vulnerable, as reported in the initial advisory. "Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would "game over" for large networks."

One PoC is available at:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

The key word in that quote is "server". If you aren't running a server, there is no issue.

Note that the server is hostile in this example.

The dhcp *client* is what's vulnerable, as it shells out to bash to run configuration scripts.

As per: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-va riables-code-injection-attack/

DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

And of course, OS X is very frequently a DHCP client.

Well isn't that a nifty trick. Although that is a pretty unlikely scenario, it is entirely out of the control of the user. I stand corrected. Thanks!

DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

The question is, though, does the vanilla dhcp client in OS X fork bash (or sh, which is bash on OS X) shells when configuring a network connection?

No. Only in 10.0.x can the dhcp client start a shell, and 10.0.x shipped with tcsh instead of bash. So OS X and iOS are thankfully not vulnerable unless I've made a mistake in parsing the source code—more on my blog here.

Thanks, I'll have a look at your blog. This was really worrying me but I don't have much time for digging into the code today, so you saved me some time 🙂

There is also an updated CVE-2014-7169

www.us-cert.gov/ncas/alerts/TA14-268A

Seem that the original patches from OS vendors did not cover all points.

Has anyone seen the an update from Apple on this?

purwin wrote:

Has anyone seen the an update from Apple on this?

Here is Apple's unofficial statement to its unofficial company blogger: http://www.loopinsight.com/2014/09/26/apples-statement-on-the-unix-bash-vulnerab ility/

OK, looks like we have a fix, resolving both vulnerabilities:

• http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid -shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
• or here in clean form: http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

Still waiting for Apple to come up with something. At least this allows me to bring my 10.6.8 web servers back online.

OK. Some details, AFAIK:

• The OS X dhcp client is an Apple-written package, and is reportedly not vulnerable to rogue dhcp servers. There's a proof-of-concept rogue dhcp server available, so you can verify vulnerable clients locally.
• bash-based Apache CGI scripts are vulnerable. Very few folks have those bash scripts around. Check your local system.
• local privilege escalations are possible, so folks with command line login access can get root. On most Macs, it's usually only admins and support folks and occasionally the end-user that are accessing the command line anyway, and those folks already have root.

Current list of "Shellshock" bash-related CVEs:

• CVE-2014-6271
• CVE-2014-7169
• CVE-2014-7186
• CVE-2014-7187

There are issues for folks with local bash access. But then folks with local access can toss a fork bomb at your computer, or fill your disks, or otherwise cause you problems. As for remote access, you need to have Apache or another web server running or some other way to get at some local bash scripts (captive bash logins or software using scripts and AJAX), and you need to have some bash scripts around to exploit, so... I've checked for scripts, set up some filters, and am going to wait for Apple to issue a patch.

As for the more general mess, it's not OS X. It's likely embedded devices running vulnerable versions of bash. These can include NAS devices, network load balancers, and other such gizmos. OS X client is not likely vulnerable without locally having opened up remote (web, command line, etc) access, and OS X Server vulnerabilities are presently apparently quite limited, but there are reportedly shellshock-based bugs in (for instance) the F5 BIG-IP load balancer web administration.

If you have a decent firewall in front of your network and if haven't opened ports (save via VPN) through that firewall, then nobody can even get at your Macs.