In the OS X Terminal you run commands in an interpreter called a shell. In general, you open a shell and then specify commands to execute within it; however, researchers have found a long-standing vulnerability in the popular shell called “bash” (the default for user accounts in OS X), where with a clever use of environmental variables for running the bash shell, an attacker can inject code to run in the shell without needing to directly enter it in the shell itself.
This might seem like a problem only for those who use the Terminal, and while for the most part OS X programs and services do not use the Terminal, there are some instances where this vulnerability could potentially be a problem, especially for system configuration and sharing services.
This vulnerability, dubbed “shell shock,” can be seen in OS X and other systems with a Unix terminal, by simply running the following command, which sets up an environmental variable “x” for the shell “bash” that is specified at the end of the command. In this case, the “x” value contains a function, followed by the “echo” command. The “echo” command should technically not execute; however, if you run it on a system that is vulnerable, then it will do so.
env x='() { :ignored function;}; echo this should not show' bash
Generally, these interactions are done in a protected way which limits the scope of what can be accomplished by invoking Bash, but this vulnerability allows for the execution of arbitrary code at the same permissions level as the program receiving the command. This means if you have a service running as root (such as a DHCP configuration routine) that uses this approach for configuration changes, then a malicious DHCP server could technically send commands that could run with full administration privileges on your system.
Keep in mind that this problem not only affects OS X, but also Linux, Unix, and other operating systems, as well as many hardware devices like routers that use the bash shell to run test routines like traceroute and ping.
The environmental variable here (blue) contains a command after the specified function (the parentheses and braces). This variable is passed to the “bash” command (yellow) which executes the hidden command immediately (red arrow), when it should not do so.
If you are concerned about this problem, then for the most part it is still in discovery mode and no known and effective exploits are out for it. You are likely OK if you connect to trusted networks and Web sites, and otherwise adhere to safe computing practices; however, this problem being so widespread means there is ample opportunity for hackers to take advantage of it.
As a result of this, your best bet for now is to simply keep your system and any devices you use fully updated. With the bug being known, and with patches being worked on as you read this, so expect there to be software and firmware updates for OS X, third-party software, as well as routers, printers, and other hardware devices you use.
UPDATE: There is an unofficial fix available from Gnu.org, that can be used to patch the versions of Bash that are included with OS X. See here for details.
All good – my system didn’t show a bash. Hopefully Apple picks up on this vulnerability.
I’m running OS X 10.6.8 Server, mostly for the VPN server, Time Machine, and file sharing. The DHCP server and web server are disabled. Is my system still at risk? And if so, how can I update the version of Bash that came with it? I assume Apple won’t issue a patch for older systems.
Sure wish the Ars Technica writer (and maybe others), hadn’t called them “environmental variables”; they’re “environment variables”, have been forever.
Ars shows a different formulation of the verification test code, slightly different structurally than yours. I hope yours has been tested on known vulnerable and non-vulnerable systems; user comments on Ars indicate that their version has been tested on a number of vulnerable and non-vulnerable systems.
I hope Apple patches this before exploits begin showing up. The echo command executed on my iMac running OS X 10.9.5.
OS X is Unix. And even Linux is, even though they say it is not GNU.