osx 10.6 SL and shellshock

Discussion in 'Mac OS X Server, Xserve, and Networking' started by aicul, Sep 29, 2014.

  1. aicul macrumors 6502a

    Jun 20, 2007
    no cars, only boats

    As some, I run a SL 10.6 server and this has been humming away quite nicely for years.

    Recently there have been comments on ShellShock and that it potentially affects OSX servers, such as 10.6.

    As of today, Apple released software updates for Lion, ML, Mav, etc. but not SL.

    Am wondering how I can test if my server is "safe" based on the fundamentals of ShellShock. But this is not my area of expertise. I have tried to discover what shellshock does with BASH but cannot find anything understandable.

    Does anyone have any advice on how to check a server for shellshock?

    I would hate to have to change server (mine runs on a mac mini core duo !!) just for shellshock.

    thanks for input
  2. alex0002 macrumors 6502

    Jun 19, 2013
    New Zealand
    There are some checks that can be done on the command line and if you run a web server, there is also a web site checker. Both can be found here:

  3. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats

    Thanks and tried the tests; but they give results that are unclear. Ie first test
    it gives both results
    I'm supposing I should get either one of the 2 lines; but not both...

    Also the website shocker (https://shellshocker.net) test indicates
    which makes me think there is no vulnerability.

    As I am no specialist, I'd rather not start installing/updating from non-standard Apple without a precise reason to do so.

    rant: how I wish hackers were dealt with globally...
  4. chrfr macrumors 604

    Jul 11, 2009
    You'd be thinking wrong. These issues in bash date back roughly 20 years. What services are you running on the server? Your chances of exposure are very low if you're not running a web server and don't have SSH enabled.
  5. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats

    Ok noted, so if

    I do not use SSH but run a wiki server.
    And the server requires user login.

    Where does that put the status ?

    I also checked the server logs and could not see anything "shock"ing...

    PS: if this is old, why all the hoopla then ?
  6. unplugme71 macrumors 68030

    May 20, 2011
    if your test came back

    this is a test

    you are vulnerable. You may be able to patch it yourself.
  7. crazzyeddie macrumors 68030


    Dec 7, 2002
    Florida, USA
    This is not true if the bash shell is not exposed via a service (SSH or otherwise) to the network/Internet.
  8. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats
    So my confusion remains...

    I really would think apple should produce a patch; or provide indications as to how to proceed. Servers tend to be those things one sets up and lets run (... nearly to death).

    And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.

    I've checked the logs again, and see nothing above the standard. Here, I assume they would see the hackers.

    Maybe I'll just pretend there is nothing to it; and if someone hacks their server I may have my seconds of fame when some photos of me start circulating ...

  9. chown33 macrumors 604

    Aug 9, 2009
    descending into the Maelström
    There is a vulnerability because an incoming HTTP request can trick the server into executing commands. See the explanation here:

    Basically, the attacker provides a maliciously crafted user agent string in the HTTP request. This string ends up being passed in an environment variable (HTTP_USER_AGENT), per the CGI standard operating procedure. If the CGI request handler is a bash script, or something that executes system(3) (a C function that leads to a shell), then that handler can be tricked into executing commands embedded in the user-agent string.

    There are also SSH and DHCP-client vulnerabilities, as described in the linked article.

    In short, the targeted server is being tricked into doing something it wouldn't and shouldn't normally do, which is to execute arbitrary commands given to it in a request.
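
As an added example (not part of any post in this thread): a log check for the mechanism described in the post above, flagging access-log entries whose request line, referer or user agent carries the bash function-definition prefix `() {`. The combined log format, the sample lines, and the names `sample_log` and `scan_log` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find access-log entries whose quoted fields (request line,
# referer, user agent) contain the bash function-definition prefix "() {".

# sample_log: constructed combined-format lines (documentation addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [29/Sep/2014:10:00:01 +0000] "GET /wiki/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)"
198.51.100.7 - - [29/Sep/2014:10:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo constructed-probe"
198.51.100.8 - - [29/Sep/2014:10:02:40 +0000] "GET / HTTP/1.1" 404 0 "() { :; }; echo constructed-probe" "curl/7.30.0"
192.0.2.11 - - [29/Sep/2014:10:05:00 +0000] "GET /search?q=init() HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
}

# scan_log [FILE...]: print "line-number client field" for each hit.
# Reads stdin when no file is given.
scan_log() {
    awk -F'"' '
    {
        split($1, head, " ")              # head[1] = client address
        for (i = 2; i <= NF; i += 2) {    # even fields sit inside quotes
            if ($i ~ /[(][)][ \t]*[{]/) {
                if (i == 2) name = "request"
                else if (i == 4) name = "referer"
                else if (i == 6) name = "user-agent"
                else name = "other"
                print NR, head[1], name
                break
            }
        }
    }' "$@"
}

# Stand-alone run over the constructed sample.
sample_log | scan_log
```

A clean result only covers the fields this log format records; the same prefix in any other request header would reach a CGI handler's environment without appearing here.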
  10. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats
    Thanks CHOWN33. So since I do not use SSH, nor DHCP, nor a C-handler but simply a Wiki server (Javascript I believe) then I get away with doing ... nothing ?
  11. ghanwani macrumors 65816

    Dec 8, 2008
    I'm kind of hurt that we don't have a subforum for 10.6 (I'm running 10.6.8). Should I update to one of the newer versions or will that ruin the performance on my old machine? (Specs in signature.)

    Anyway, the reason I'm responding to this thread is that there are 5 or 6 vulnerabilities and they can be addressed by updating bash manually. I followed the instructions on this blog:

    Anyone else do something similar?
