OSX: bash的更新

本文儘可能詳述眼下來講的bash補丁的進展,從如下4個方面解釋:html

  • 最全最新的更新安裝包,:Oct 5爲止的
  • 測試已知的bash漏洞的腳本:更新後可以用來檢測已知bash漏洞的狀況
  • 腳本編譯更新版本號:也可以更新到3.2.56版本號,需要在本地編譯
  • 手動更新:看這個部分,可以具體瞭解眼下狀態。遇到將來的更新。也可以手動本身更新。


1. 最全最新的更新安裝包:git

近期猶他大學(University of Utah)的Richard Glaser公佈了本身開發的一個集成適合於OS X從10.5到10.10的bash更新包。它將bash更新到眼下最新的3.2.56版本號, 相比較Apple官方的3.2.53(1)要信,而且修復了(宣稱的。因爲眼下沒有不少其它的信息顯示56版本號是否真正修復了)那些已知的危急漏洞(後面列出,並有腳本測試)。可以在csdn下載。這裏github

如下是發佈的原文:shell

Here is a OS X installer for the latest official GNU bash release version, 3.2.56 and will be updated to new releases when available. 

The bash is universal runs on 32/64-bit, PowerPC, Intel architectures and supports and has been tested on OS X 10.5 thur OS X 10.10 

http://www.mac-mgrs.utah.edu/ downloads/osx_gnu_bash_ installer.zip 

Our institution is very decentralized and primarily there was a need to apply latest GNU bash patch to non=Apple supported OS’s like OS 10.6/10.5, but for those security conscious or paranoid could use it on supported OS X versions. 

Here is the SHA1 256 checksums 

•        OS X 10.5-10.10 - bash version 3.2.56 

         bed4178f4bdf05ad2d5c396fb3ed97 331e62e35836fae1410e20f0e05a77 c13e 

        •        OS X 10.5-10.10 - sh version 3.2.56 

         f51a83aaad5d15b34753998cb81061 eb63ffe1a28f8876db0a0ea2f04f28 e3b1 

The installer backups current bash install incase you need to revert back to previous version. See installer read me for details. 

Hope this is useful to the community. 

Let me know if you have any suggestions, comments or problems.

2. 測試已知的bash漏洞:xcode

另一個技術人員。編寫了一個檢查眼下可知的bash漏洞的腳本,原腳本可以從這裏得到。bash

爲了方便閱讀。在最後附上。如下是使用該腳本測試上面3.2.56版本號的補丁結果:app

<span style="font-family: Arial, Helvetica, sans-serif;">
$ bashcheck.sh
Testing /bin/bash ...
GNU bash, version 3.2.56(1)-release (x86_64-apple-darwin9)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)</span>


相比較Apple官方的3.2.53(1)的檢測結果:curl

$ ./bashbash.sh 
Testing /bin/bash ... 
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14) 

Not vulnerable to CVE-2014-6271 (original shellshock) 
Not vulnerable to CVE-2014-7169 (taviso bug) 
Vulnerable to CVE-2014-7186 (redir_stack bug) 
Test for CVE-2014-7187 not reliable without address sanitizer 
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch] 
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2) 
Variable function parser inactive, likely safe from unknown parser bugs


3. 本身編譯更新版本號oop

另外,TJ Luoma公佈了一個腳本,它從opensource.apple.com站點下載的最新bash源程序。並從gnu.org上下載各個更新補丁,使用xcode來爲之又一次編譯。post

眼下它也是3.2.56版本號。


4.手動更新


這個是怎樣手動的解釋,具體查看AlBlue的解釋。


--------------------------------------------------

bash-check腳本

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

cd /tmp;rm echo 2>/dev/null
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/tmp/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer /tmp/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $?

!= 0 ]; then warn "CVE-2014-7187 (nested loops off by one)" else echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m" fi $($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null) if [ $? != 0 ]; then warn "CVE-2014-6277 (lcamtuf bug #1)" else good "CVE-2014-6277 (lcamtuf bug #1)" fi if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" else good "CVE-2014-6278 (lcamtuf bug #2)" fi


bash-fix腳本

#!/bin/zsh -f
# recompile bash -
# 	http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851
#
# From:	Timothy J. Luoma
# Mail:	luomat at gmail dot com
# Date:	2014-09-25, Updated 2014-09-29

NAME="bash-fix.sh"

	# This should match Xcode in many variations, betas, etc.
XCODE=`find /Applications -maxdepth 1 -type d -iname xcode\*.app -print`

if [[ "$XCODE" == "" ]]
then
	echo "$NAME [FATAL]: Xcode is required, but not installed. Please install Xcode from the Mac App Store."

	open 'macappstore://itunes.apple.com/us/app/xcode/id497799835?mt=12'

	exit 1
fi

zmodload zsh/datetime

function timestamp { strftime "%Y-%m-%d--%H.%M.%S" "$EPOCHSECONDS" }
function log { echo "$NAME [`timestamp`]: $@" | tee -a "$LOG" }

function die
{
	echo "\n$NAME [FATAL]: $@"
	exit 1
}

function msg
{
	echo "\n	$NAME [INFO]: $@"
}

TIME=$(strftime "%Y-%m-%d-at-%H.%M.%S" "$EPOCHSECONDS")

LOG="$HOME/Library/Logs/$NAME.$TIME.txt"

[[ -d "$LOG:h" ]] || mkdir -p "$LOG:h"
[[ -e "$LOG" ]]   || touch "$LOG"


cd "$HOME/Desktop" || cd

mkdir -p bash-fix

cd bash-fix

ORIG_DIR="$PWD"

##################################################################################################

msg "Downloading and uncompressing Apple's 'bash' source code..."

curl --progress-bar -fL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "Successfully downloaded bash source from Apple.com"
else
	die "curl or tar failed (\$EXIT = $EXIT)"

fi

cd bash-92/bash-3.2

msg "CWD is now $PWD"

##################################################################################################

msg "Downloading and applying bash32-052 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0

EXIT="$?

" if [ "$EXIT" = "0" ] then msg "patch bash32-052 successfully applied" else die "patch bash32-052 FAILED" fi ################################################################################################## msg "Downloading and applying bash32-053 from gnu.org..." curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0 EXIT="$?" if [ "$EXIT" = "0" ] then msg "patch bash32-053 successfully applied" else die "patch bash32-053 FAILED" fi ################################################################################################## msg "Downloading and applying bash32-054 from gnu.org..." curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0 EXIT="$?" if [ "$EXIT" = "0" ] then msg "patch bash32-054 successfully applied" else die "patch bash32-054 FAILED" fi ################################################################################################## msg "Downloading and applying bash32-055 from gnu.org..." curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0 EXIT="$?

" if [ "$EXIT" = "0" ] then msg "patch bash32-055 successfully applied" else die "patch bash32-055 FAILED" fi ################################################################################################## msg "Downloading and applying bash32-056 from gnu.org..." curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-056 | patch -p0 EXIT="$?" if [ "$EXIT" = "0" ] then msg "patch bash32-056 successfully applied" else die "patch bash32-056 FAILED" fi ################################################################################################## cd .. msg "CWD is now $PWD" echo -n "$NAME is about to run xcodebuild and its output redirected to $ORIG_DIR/xcodebuild.log. If it does not succeed, check the log for error messages.\n\nThis could take a few minutes. Please wait... " xcodebuild 2>&1 >>| "$ORIG_DIR/xcodebuild.log" EXIT="$?" if [ "$EXIT" = "0" ] then msg "xcodebuild exited successfully." else die "xcodebuild failed (\$EXIT = $EXIT). See $ORIG_DIR/xcodebuild.log for details." exit 1 fi # Play a sound to tell them the build finished [[ -e /System/Library/Sounds/Glass.aiff ]] && afplay /System/Library/Sounds/Glass.aiff if [ -e 'build/Release/bash' ] then msg "Here is the _NEW_ version number for bash (must be 3.2.52(1) or later):" build/Release/bash --version # GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13) else die "build/Release/bash does not exist. See $PWD/xcodebuild.log for details." fi if [ -e 'build/Release/sh' ] then msg "Here is the _NEW_ version number for sh (must be 3.2.52(1) or later):" build/Release/sh --version # GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13) else die "build/Release/sh does not exist. See $PWD/xcodebuild.log for details." fi #################################################################################### # # 2014-09-29: disabled test section because it only tests first vulnerability. # 2014-09-29: TODO: Add tests for each vulnerability to verify it was fixed # # $NAME: About to run test of new bash: # # You should see 'hello' but you should NOT see the word 'vulnerable': # # Press Return/Enter to run test: " # # read PROMPT_TO_CONTINUE # # env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello' 2>/dev/null echo "\n\n" read "?$NAME: Ready to install newly compiled 'bash' and 'sh'? [Y/n]: " ANSWER case "$ANSWER" in N*|n*) echo "$NAME: OK, not installing" exit 0 ;; esac cat <<EOINPUT $NAME: About to replace the vulnerable versions of /bin/bash and /bin/sh with the new, patched versions. The.$TIME ones will be backed up to /bin/bash.$TIME and /bin/sh.$TIME respectively Please enter your administrator password (if prompted): EOINPUT # This will prompt user for admin password sudo -v ################################################################################################## msg "Moving /bin/bash to /bin/bash.$TIME: " sudo /bin/mv -vf /bin/bash "/bin/bash.$TIME" || die "Failed to move /bin/bash to /bin/bash.$TIME" msg "Installing build/Release/bash to /bin/bash: " sudo cp -v build/Release/bash /bin/bash if [ "$?

" != "0" ] then sudo mv -vf "/bin/bash.$TIME" /bin/bash die "Failed to move build/Release/bash to /bin/bash. Restored /bin/bash.$TIME to /bin/bash" fi ################################################################################################## msg "Moving /bin/sh to /bin/sh.$TIME: " sudo /bin/mv -vf /bin/sh "/bin/sh.$TIME" || die "Failed to move /bin/sh to /bin/sh.$TIME" msg "Installing build/Release/sh to /bin/sh: " sudo cp -v build/Release/sh /bin/sh if [ "$?" != "0" ] then sudo mv -vf "/bin/sh.$TIME" /bin/sh die "Failed to move build/Release/sh to /bin/sh. Restored /bin/sh.$TIME to /bin/sh" fi ################################################################################################## msg "Removing executable bit from /bin/bash.$TIME" sudo /bin/chmod a-x "/bin/bash.$TIME" \ || msg "WARNING: Failed to remove executable bit from /bin/bash.$TIME" msg "Removing executable bit from /bin/sh.$TIME" sudo /bin/chmod a-x "/bin/sh.$TIME" \ || msg "WARNING: Failed to remove executable bit from /bin/sh.$TIME" msg "$NAME has finished successfully." read "?Do you want to move $ORIG_DIR to ~/.Trash/? [Y/n] " ANSWER case "$ANSWER" in N*|n*) echo "$NAME: Not moving $ORIG_DIR." exit 0 ;; *) mv -vn "$ORIG_DIR" "$HOME/.Trash/$ORIG_DIR.$EPOCHSECONDS" exit 0 ;; esac exit # #EOF

相關文章
相關標籤/搜索