Shellshock Bash Remote Exploit Fix for Mac OS X

Posted by Tanmoy

Today, on social media, I saw an article, "How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock". That drew my attention, and I did a little study.

A recent security filing, CVE-2014-6271, describes a remotely exploitable flaw in Bash that can potentially be used to execute arbitrary code through the environment variables that are passed to a child process. It's the most harmful vulnerability found since the Heartbleed bug. If you're using a Mac or Linux machine, you're really at risk. Personally, I use Mac OS X (Yosemite Public Beta 3) right now and, as a developer, I know the risk. So a fix was really important. The saddest part was that Apple didn't even make any comment on it. So I felt the urge to find a solution. However, I'm now secured and want to help you.

Check Status:

First, check if your machine is vulnerable by issuing the following command in terminal.

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your machine is safe, you'll get output like the following. If the word "vulnerable" is printed instead, your machine is affected and you should start fixing it.

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Pre-Requirements:
You must know the root password (usually the account password of your Mac) and have Xcode installed.

How To Fix:
Check your bash version by issuing bash --version. You'll probably get 3.2.51.

Now just copy and paste these lines and wait (you'll have to provide your account password to continue).


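# Work in a scratch directory
cd ~/Downloads
mkdir bash-fix && cd bash-fix
# Download and unpack Apple's bash-92 source
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
# Apply GNU patch bash32-052 (takes bash 3.2.51 to 3.2.52)
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
# Build bash and sh with Xcode
xcodebuild
# Back up the current system binaries
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
# Confirm the new binaries run and report the new version before installing
build/Release/bash --version
build/Release/sh --version
# Install the patched binaries
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin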

Okay, now run bash --version again. You should get 3.2.52. If so, congratulations, you're secured. Follow the "Check Status" section to be sure.
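
The "Check Status" command tests whichever bash is first on PATH. The following added example (not part of the original post) runs the same probe against explicit binaries, so /bin/bash, /bin/sh, the freshly built build/Release copies and the .old backups can each be checked. The function names shellshock_status and shellshock_report and the file name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example: aim the page's CVE-2014-6271 probe at explicit shell binaries.
# Function names are hypothetical; the paths in the usage line come from the page.

# shellshock_status PATH -> prints vulnerable | patched | missing | error
shellshock_status() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo missing
        return 0
    fi
    # Same probe as "Check Status", but run against $shell instead of
    # whichever bash is first on PATH. stderr is discarded because a patched
    # bash 3.2.52 prints its "ignoring function definition" warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *hello*)      echo patched ;;
        *)            echo error ;;
    esac
}

# shellshock_report PATH... -> one "path: status" line per shell;
# returns 1 if any of them is vulnerable, 0 otherwise.
shellshock_report() {
    rc=0
    for s in "$@"; do
        st=$(shellshock_status "$s")
        printf '%s: %s\n' "$s" "$st"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# When run as a script with arguments, report on them, e.g. from bash-92/:
#   sh check.sh /bin/bash /bin/sh build/Release/bash build/Release/sh
if [ "$#" -gt 0 ]; then
    shellshock_report "$@"
fi
```

The /bin/bash.old and /bin/sh.old backups are copies of the pre-fix binaries, so they will still report vulnerable if the originals did.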

Thanks for reading :)


© 2010-2016, All rights reserved