osx 10.6 SL and shellshock

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
Hello,

Like some, I run an SL 10.6 server and this has been humming away quite nicely for years.

Recently there have been comments on ShellShock and that it potentially affects OSX servers, such as 10.6.

As of today, Apple released software updates for Lion, ML, Mav, etc., but not SL.

Am wondering how I can test if my server is "safe" based on the fundamentals of ShellShock. But this is not my area of expertise. I have tried to discover what shellshock does with BASH but cannot find anything understandable.

Does anyone have any advice on how to check a server for shellshock?

I would hate to have to change server (mine runs on a mac mini core duo !!) just for shellshock.

thanks for input
 

aicul

Hi,

Thanks, I tried the tests, but they give results that are unclear. I.e., the first test
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
it gives both results
vulnerable
this is a test
I'm supposing I should get either one of the 2 lines; but not both...

Also the website shocker (https://shellshocker.net) test indicates
hmm... (HTTP/1.1 200 OK): Possibly vulnerable. This could mean that the server is not at all vulnerable, or we just couldn't detect it as being vulnerable. We are working on an update to this scanner that will allow for a deeper scan.
which makes me think there is no vulnerability.

As I am no specialist, I'd rather not start installing/updating from non-standard Apple without a precise reason to do so.

rant: how I wish hackers were dealt with globally...
 

chrfr

macrumors G3
Jul 11, 2009
9,711
3,570
> Also the website shocker (https://shellshocker.net) test indicates
> which makes me think there is no vulnerability.
You'd be thinking wrong. These issues in bash date back roughly 20 years. What services are you running on the server? Your chances of exposure are very low if you're not running a web server and don't have SSH enabled.
 

aicul

hi

Ok noted, so if

I do not use SSH but run a wiki server.
And the server requires user login.

Where does that put the status ?

I also checked the server logs and could not see anything "shock"ing...

PS: if this is old, why all the hoopla then?
 

unplugme71

macrumors 68030
May 20, 2011
2,809
750
Earth
If your test came back

vulnerable
this is a test

you are vulnerable. You may be able to patch it yourself.
 

aicul

So my confusion remains...

I really would think Apple should produce a patch; or provide indications as to how to proceed. Servers tend to be those things one sets up and lets run (... nearly to death).

And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.

I've checked the logs again, and see nothing above the standard. Here, I assume they would see the hackers.

Maybe I'll just pretend there is nothing to it; and if someone hacks the server I may have my seconds of fame when some photos of me start circulating ...

:confused:
 

chown33

Moderator
Staff member
Aug 9, 2009
8,818
5,226
vertical
> And as much as I appreciate "tests" that demonstrate vulnerability, it would be good to understand why there is a vulnerability.
There is a vulnerability because an incoming HTTP request can trick the server into executing commands. See the explanation here:
http://en.wikipedia.org/wiki/Shellshock_(software_bug)

Basically, the attacker provides a maliciously crafted user agent string in the HTTP request. This string ends up being passed in an environment variable (HTTP_USER_AGENT), per the CGI standard operating procedure. If the CGI request handler is a bash script, or something that executes system(3) (a C function that leads to a shell), then that handler can be tricked into executing commands embedded in the user-agent string.

There are also SSH and DHCP-client vulnerabilities, as described in the linked article.

In short, the targeted server is being tricked into doing something it wouldn't and shouldn't normally do, which is to execute arbitrary commands given to it in a request.
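
Added example, not part of chown33's post or of the thread: because the crafted string arrives in a request header, one thing to look for in the web server logs is the `() {` function-definition prefix seen in the test command earlier in the thread. This sketch scans Apache combined-format access log lines for it; the sample log lines, addresses and paths are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# A bash function definition passed through the environment starts with
# "() {"; allow any amount of whitespace between the two tokens.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')

def scan(lines):
    """Return (line number, client host, field) for every suspicious field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            # Line is not in combined format: fall back to a raw search.
            if FUNC_PREFIX.search(line):
                findings.append((lineno, None, "raw"))
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                findings.append((lineno, m.group("host"), field))
    return findings

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:01:12 +0000] "GET /wiki/Main HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)"',
    '198.51.100.7 - - [26/Sep/2014:10:02:40 +0000] "GET /cgi-bin/example.cgi '
    'HTTP/1.1" 200 312 "-" "() { :;}; echo vulnerable"',
    '192.0.2.10 - alice [26/Sep/2014:10:03:05 +0000] "POST /wiki/login '
    'HTTP/1.1" 302 0 "http://wiki.example/Main" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.44 - - [26/Sep/2014:10:04:59 +0000] "GET / HTTP/1.0" '
    '200 1024 "() { :; }; echo vulnerable" "-"',
]

if __name__ == "__main__":
    for lineno, host, field in scan(SAMPLE_LOG):
        print(f"line {lineno}: function-definition prefix in {field} from {host}")
```

Combined-format logs record only the request line, Referer and User-Agent, so a clean result covers those fields and nothing else.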
 

aicul

Thanks CHOWN33. So since I do not use SSH, nor DHCP, nor a C-handler but simply a Wiki server (JavaScript I believe) then I get away with doing ... nothing?
 

ghanwani

macrumors 68000
Dec 8, 2008
1,846
1,190
I'm kind of hurt that we don't have a subforum for 10.6 (I'm running 10.6.8). Should I update to one of the newer versions or will that ruin the performance on my old machine? (Specs in signature.)

Anyway, the reason I'm responding to this thread is that there are 5 or 6 vulnerabilities and they can be addressed by updating bash manually. I followed the instructions on this blog:
http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

Anyone else do something similar?
 