osx 10.6 SL and shellshock

Discussion in 'Mac OS X Server, Xserve, and Networking' started by aicul, Sep 29, 2014.

  1. aicul macrumors 6502a

    Joined:
    Jun 20, 2007
    Location:
    no cars, only boats
    #1
    Hello,

    Like some, I run an SL 10.6 server, and it has been humming away quite nicely for years.

    Recently there have been comments on ShellShock and that it potentially affects OSX servers, such as 10.6.

    As of today, Apple released software updates for Lion, ML, Mav, etc. but not SL.

    Am wondering how I can test if my server is "safe" based on the fundamentals of ShellShock. But this is not my area of expertise. I have tried to discover what shellshock does with BASH but cannot find anything understandable.

    Does anyone have any advice on how to check a server for shellshock?

    I would hate to have to change server (mine runs on a mac mini core duo !!) just for shellshock.

    thanks for input
     
  2. alex0002 macrumors 6502

    Joined:
    Jun 19, 2013
    Location:
    New Zealand
    #2
    There are some checks that can be done on the command line and if you run a web server, there is also a web site checker. Both can be found here:

    https://shellshocker.net/
     
  3. aicul thread starter macrumors 6502a

    Joined:
    Jun 20, 2007
    Location:
    no cars, only boats
    #3
    Hi,

    Thanks, and I tried the tests, but they give results that are unclear. I.e., for the first test
    it gives both results
    I'm supposing I should get either one of the 2 lines; but not both...

    Also the website shocker (https://shellshocker.net) test indicates
    which makes me think there is no vulnerability.

    As I am no specialist, I'd rather not start installing/updating from non-standard Apple without a precise reason to do so.

    rant: how I wish hackers were dealt with globally...
     
  4. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #4
    You'd be thinking wrong. These issues in bash date back roughly 20 years. What services are you running on the server? Your chances of exposure are very low if you're not running a web server and don't have SSH enabled.
     
  5. aicul thread starter macrumors 6502a

    Joined:
    Jun 20, 2007
    Location:
    no cars, only boats
    #5
    hi

    Ok noted, so if

    I do not use SSH but run a wiki server.
    And the server requires user login.

    Where does that put the status ?

    I also checked the server logs and could not see anything "shock"ing...

    PS: if this is old, why all the hoopla then?
     
  6. unplugme71 macrumors 68030

    Joined:
    May 20, 2011
    Location:
    Earth
    #6
    If your test came back

    vulnerable
    this is a test

    you are vulnerable. You may be able to patch it yourself.
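
Added example, not part of any post in this thread: a shell wrapper around the environment-variable probe that prints the two lines quoted above on an affected bash, with the output classified so that seeing both lines is not ambiguous. The function names are hypothetical, and the probe covers only the original function-import flaw, not every related bash bug.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# The probe sets a variable whose value looks like a function definition
# followed by a harmless echo. A fixed bash never runs the trailing echo,
# so it prints only "this is a test". An affected bash prints BOTH lines.

classify_probe_output() {
    # $1 = captured stdout of the probe
    case "$1" in
        *vulnerable*)       echo "VULNERABLE" ;;
        *"this is a test"*) echo "not vulnerable to this probe" ;;
        *)                  echo "inconclusive" ;;
    esac
}

probe_bash() {
    # $1 = path of the shell binary to test (default /bin/bash)
    bin="${1:-/bin/bash}"
    [ -x "$bin" ] || { echo "inconclusive"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# On OS X both /bin/bash and /bin/sh are bash builds, so test each one.
for b in /bin/bash /bin/sh; do
    printf '%s: %s\n' "$b" "$(probe_bash "$b")"
done
```

A "not vulnerable to this probe" result says nothing about the later, related bash parsing bugs, which need their own checks after patching.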
     
  7. crazzyeddie macrumors 68030

    Joined:
    Dec 7, 2002
    Location:
    Florida, USA
    #7
    This is not true if the bash shell is not exposed via a service (SSH or otherwise) to the network/Internet.
     
  8. aicul thread starter macrumors 6502a

    Joined:
    Jun 20, 2007
    Location:
    no cars, only boats
    #8
    So my confusion remains...

    I really would think apple should produce a patch; or provide indications as to how to proceed. Servers tend to be those things one sets up and lets run (... nearly to death).

    And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.

    I've checked the logs again, and see nothing above the standard. Here, I assume they would see the hackers.

    Maybe I'll just pretend there is nothing to it; and if someone hacks the server I may have my seconds of fame when some photos of me start circulating ...

    :confused:
     
  9. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #9
    There is a vulnerability because an incoming HTTP request can trick the server into executing commands. See the explanation here:
    http://en.wikipedia.org/wiki/Shellshock_(software_bug)

    Basically, the attacker provides a maliciously crafted user agent string in the HTTP request. This string ends up being passed in an environment variable (HTTP_USER_AGENT), per the CGI standard operating procedure. If the CGI request handler is a bash script, or something that executes system(3) (a C function that leads to a shell), then that handler can be tricked into executing commands embedded in the user-agent string.

    There are also SSH and DHCP-client vulnerabilities, as described in the linked article.

    In short, the targeted server is being tricked into doing something it wouldn't and shouldn't normally do, which is to execute arbitrary commands given to it in a request.
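
Added example, not part of the post above: a log check for the pattern that post describes, where a request header value begins with a function-definition prefix so that it reaches the CGI handler's environment. The sample log lines are constructed, the function names are hypothetical, and the log path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample lines in Apache "combined" log format.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [29/Sep/2014:10:01:02 +0000] "GET /wiki/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)"
198.51.100.7 - - [29/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 404 312 "-" "() { :;}; /bin/echo probe"
198.51.100.9 - - [29/Sep/2014:10:05:10 +0000] "GET / HTTP/1.1" 200 900 "() { x; }; /bin/echo probe" "curl/7.30.0"
EOF
}

scan_log() {
    # Reads an access log on stdin and prints "client<TAB>status<TAB>path"
    # for every line containing "() {" (with optional spaces), wherever it
    # appears: request line, referer or user agent.
    awk '
    /\(\)[ \t]*[{]/ {
        status = "?"
        # The status code is the 3-digit number after the quoted request.
        if (match($0, /" [0-9][0-9][0-9] /)) status = substr($0, RSTART + 2, 3)
        printf "%s\t%s\t%s\n", $1, status, $7
    }'
}

# Caveat: the combined format records only the request line, referer and
# user agent. A payload carried in another header (a cookie, for example)
# leaves no trace here, so an empty result does not prove nobody tried.
# A hit with status 200 on a CGI path deserves a closer look than a 404,
# but the status alone does not show whether anything was executed.

sample_log | scan_log
# Real use (path is an assumption, adjust for your server):
#   scan_log < /var/log/apache2/access_log
```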
     
  10. aicul thread starter macrumors 6502a

    Joined:
    Jun 20, 2007
    Location:
    no cars, only boats
    #10
    Thanks CHOWN33. So since I do not use SSH, nor DHCP, nor a C-handler but simply a Wiki server (JavaScript I believe) then I get away with doing ... nothing?
     
  11. ghanwani macrumors 6502a

    Joined:
    Dec 8, 2008
    #11
    I'm kind of hurt that we don't have a subforum for 10.6 (I'm running 10.6.8). Should I update to one of the newer versions or will that ruin the performance on my old machine? (Specs in signature.)

    Anyway, the reason I'm responding to this thread is that there are 5 or 6 vulnerabilities and they can be addressed by updating bash manually. I followed the instructions on this blog:
    http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

    Anyone else do something similar?
     
