Shellshock vulnerability test and fix


A major vulnerability was discovered in Bash, affecting OS X.

How to check: 
Open Terminal
Type (or copy/paste) the following command line verbatim:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your system is vulnerable to Shellshock, you will see “vulnerable” followed by “hello”.

If your system is safe from Shellshock, you should see something like:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X

How to fix it:
In Terminal:
Note: Do not type the $ sign; it indicates a line that you have to enter in Terminal and execute.
Note: You MUST have Xcode installed
Note: READ the above again

$ mkdir bash-fix 
$ cd bash-fix 
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf - 
$ cd bash-92/bash-3.2 
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0 
$ cd .. 
$ xcodebuild 
$ sudo cp /bin/bash /bin/bash.old 
$ sudo cp /bin/sh /bin/sh.old 
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release 
$ build/Release/sh --version  # GNU bash, version 3.2.52(1)-release 
$ sudo cp build/Release/bash /bin 
$ sudo cp build/Release/sh /bin
$ sudo -K 

 

Then check the install and version:
$ bash --version

The answer should be:
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
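
The check under "How to check" tests whichever bash is first in PATH. The script below is an added example, not part of the original post. It runs the same probe against each path given as an argument, so the freshly built build/Release binaries can be checked before they are copied, and it shows that the /bin/bash.old and /bin/sh.old backups are still the unpatched binaries. The function names probe_shell and audit_shells and the file name audit-shells.sh are assumptions.

```sh
#!/bin/sh
# Added example: run the Shellshock probe from "How to check" against
# specific shell binaries instead of whichever bash is first in PATH.

# probe_shell PATH
# Returns 0 if the shell at PATH runs the command smuggled into the
# environment variable (vulnerable), 1 if it does not, and 2 if PATH is
# not an executable file.
probe_shell() {
    probe_target=$1
    [ -f "$probe_target" ] && [ -x "$probe_target" ] || return 2
    # stderr is discarded: patched shells may print import warnings there.
    probe_out=$(env x='() { :;}; echo vulnerable' \
        "$probe_target" -c 'echo hello' 2>/dev/null) || true
    case $probe_out in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_shells PATH...
# Prints one status line per path; returns 0 only if none is vulnerable.
audit_shells() {
    vulnerable_count=0
    for candidate in "$@"; do
        probe_rc=0
        probe_shell "$candidate" || probe_rc=$?
        case $probe_rc in
            0) echo "VULNERABLE  $candidate"
               vulnerable_count=$((vulnerable_count + 1)) ;;
            1) echo "ok          $candidate" ;;
            *) echo "skipped     $candidate (not an executable file)" ;;
        esac
    done
    [ "$vulnerable_count" -eq 0 ]
}

# Example, using the paths from the steps above (run from bash-fix/bash-92):
#   sh audit-shells.sh build/Release/bash build/Release/sh \
#       /bin/bash /bin/sh /bin/bash.old /bin/sh.old
if [ "$#" -gt 0 ]; then
    audit_shells "$@"
fi
```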