Q: CVE-2014-6271 bash vulnerability

This is unfortunately inaccurate.

For exampe, there are exploits in the wild that leverage DHCP. Suddenly the coffee shop wifi just got a lot more dangerous...

Yes-- but who aside from Apple is trusted enough to do that?

"Hi, you don't know me, but use this file instead. It's probably fine."

Quinnypig wrote:

 

there are exploits in the wild that leverage DHCP.

Such as?

zdnet states:

He also warned that DHCP services are also vulnerable, as reported in the initial advisory. "Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would "game over" for large networks."

One PoC is available at:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

The key word in that quote is "server". If you aren't running a server, there is no issue.

Note that the server is hostile in this example.

The dhcp *client* is what's vulnerable, as it shells out to bash to run configuration scripts.

As per: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-va riables-code-injection-attack/

• DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

And of course, OS X is very frequently a DHCP client.

Well isn't that a nifty trick. Although that is a pretty unlikely scenario, it is entirely out of the control of the user. I stand corrected. Thanks!

• DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

The question is, though, does the vanilla dhcp client in OS X fork bash (or sh, which is bash on OS X) shells when configuring a network connection?

No. Only in 10.0.x can the dhcp client start a shell, and 10.0.x shipped with tcsh instead of bash. So OS X and iOS are thankfully not vulnerable unless I've made a mistake in parsing the source code—more on my blog here.

Thanks, I'll have a look at your blog. This was really worrying me but I don't have much time for digging into the code today, so you saved me some time

There is also an updated CVE-2014-7169

1. www.us-cert.gov/ncas/alerts/TA14-268A

Seem that the original patches from OS vendors did not cover all points.

Has anyone seen the an update from Apple on this?

purwin wrote:

 

Has anyone seen the an update from Apple on this?

Here is Apple's unofficial statement to its unofficial company blogger: http://www.loopinsight.com/2014/09/26/apples-statement-on-the-unix-bash-vulnerab ility/

OK, looks like we have a fix, resolving both vulnerabilities:

• http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid -shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
• or here in clean form: http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

Still waiting for Apple to come up with something. At least this allows me to bring my 10.6.8 web servers back online.