osx 10.6 SL and shellshock

[aicul]

Hello,

As some, I run a SL 10.6 server and this has been humming away quite nicely for years.

Recently there have been comments on ShellShock and that it potentially affects OSX servers, such as 10.6.

A today, Apple released software updates for Lion, ML, Mav, etc. but not SL.

Am wondering how I can test if my server is "safe" based on the fundamentals of ShellShock. But this is not my area of expertise. I have tried to discover what shellshock does with BASH but cannot find anything understandable.

Does anyone have any advice on how to check a server for shellshock.

I would hate to have to change server (mine runs on a mac mini core duo !!) just for shellshock.

thanks for input

 

[alex0002]

There are some checks that can be done on the command line and if you run a web server, there is also a web site checker. Both can be found here:

https://shellshocker.net/

 

[aicul]

Hi,

Thanks and tried the tests; but they give results that are unclear. Ie first test

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

it gives both results

vulnerable
this is a test

I'm supposing I should get either one of the 2 lines; but not both...

Also the website shocker (https://shellshocker.net) test indicates

hmm... (HTTP/1.1 200 OK): Possibly vulnerable. This could mean that the server is not at all vulnerable, or we just couldn't detect it as being vulnerable. We are working on an update to this scanner that will allow for a deeper scan.

which makes me think there is no vulnerability.

As I am no specialist, I'd rather not start installing/updating from non-standard Apple without a precise reason to do so.

rant: how I wish hackers were dealt with globally...

 

[chrfr]

Also the website shocker (https://shellshocker.net) test indicates
which makes me think there is no vulnerability.

You'd be thinking wrong. These issues in bash date back roughly 20 years. What services are you running on the server? Your chances of exposure are very low if you're not running a web server and don't have SSH enabled.

 

[aicul]

hi

Ok noted, so if

I do not use SSH but run a wiki server.
And the server requires user login.

Where does that put the status ?

I also checked the server logs and could not see anything "shock"ing...

Ps: if this is old, why all the houpla then ?

 

[unplugme71]

if your test came back

vulnerable
this is a test

you are vulnerable. You may be able to patch it yourself.

 

[crazzyeddie]

if your test came back

vulnerable
this is a test

you are vulnerable. You may be able to patch it yourself.

This is not true if the bash shell is not exposed via a service (SSH or otherwise) to the network/Internet.

 

[aicul]

So my confusion remains...

I really would think apple should produce a patch; or provide indications as to how to proceed. Servers tend to be those things one sets up and lets run (... nearly to death).

And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.

I've checked the logs again, and see nothing above the standard. Here, I assume they would see the hackers.

Maybe I'll just pretend there is nothing to it; and if someone hacks there server I may have my seconds of fame when some photos of me start circulating ...

 

[chown33]

And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.

There is a vulnerability because an incoming HTTP request can trick the server into executing commands. See the explanation here:
http://en.wikipedia.org/wiki/Shellshock_(software_bug)

Basically, the attacker provides a maliciously crafted user agent string in the HTTP request. This string ends up being passed in an environment variable (HTTP_USER_AGENT), per the CGI standard operating procedure. If the CGI request handler is a bash script, or something that executes system(3) (a C function that leads to a shell), then that handler can be tricked into executing commands embedded in the user-agent string.

There are also SSH and DHCP-client vulnerabilities, as described in the linked article.

In short, the targeted server is being tricked into doing something it wouldn't and shouldn't normally do, which is to execute arbitrary commands given to it in a request.

 

[aicul]

Thanks CHOWN33. So since I do not use Ssh, nor DHCP, nor a C-handler but simply a Wiki server (Javascript I believe) then I get away with doing ... nothing ?

 

[ghanwani]

I'm kind of hurt that we don't have a subforum for 10.6 (I'm running 10.6.8). Should I update to one of the newer versions or will that ruin the performance on my old machine? (Specs in signature.)

Anyway, the reason I'm responding to this thread is that there are 5 or 6 vulnerabilities and they can be addressed by updating bash manually. I followed the instructions on this blog:
http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

Anyone else do something similar?