How To: Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here's How to Patch OS X

Heartbleed, move over. There's a new bug in town, and this time it's also affecting Mac and Linux computers. It's called Shellshock (its original official title is CVE-2014-6271), and it currently has a 10 out of 10 severity rating over at the National Cyber Awareness System. While some updates have been issued to fix this bug, they were incomplete, and your system is probably still vulnerable, as it probably has been for the last 20 years.

First Update - 9/26/2014 (Bash Version 3.2.53)

A new patch addresses an additional attack vector known as CVE-2014-7169.

Second Update - 9/29/2014 (Bash Version 3.2.53)

Apple released an "official" bash update today, and the process is much simpler than our manual instructions below: just download the .dmg, open the .pkg file, and use their Installer tool. There are no Terminal commands or anything.

We've just found out that Apple's patch, while it's listed as bash version 3.2.53, patches the first two initial vulnerabilities and the subsequent ones (see "Third Update" below for info on subsequent exploits).

If you're using Yosemite or a system older than Lion, please proceed with our instructions below on manually updating to bash version 3.2.57 using Terminal. Otherwise, Apple's 3.2.53 patch will secure you from most known vulnerabilities; you can download it directly from Apple for:

Installing this version will overwrite any changes you made manually when using our guide before—it just replaces the files.

Again, if you're on Yosemite, or a version of OS X that's older than Lion, keep reading to see how to manually patch bash for OS X.

Third Update - 10/08/2014 (Bash Version 3.2.57)

Several new vulnerabilities have been reported in the weeks following the shellshock discovery. While these are more difficult to exploit as they involve a memory overflow, it would be wise to patch them, too. We've updated our instructions below to include the newest patch.

If you followed these instructions before 10:00 a.m. PDT on October 8th, 2014, please delete your bash-fix directory (you can find it in Users -> Username via the Finder) and follow all of the steps below again (starting with Step #1) to ensure that your system is fully patched. If you did not already update manually, then do not delete the bash-fix directory (you probably don't even have one).

If you updated using Apple's patch listed above, you do not need to manually update.

What Is Bash?

Bash is a command-line shell used in many Linux- and Unix-based operating systems, including Mac OS X. If bash is the default system shell on your computer, it can be used by remote hackers for network-based attacks. With a simple script, a hacker can launch programs or enable features on your computer without any passwords needed and without your knowledge. They could access your files, copy confidential information, delete data, run programs, and more.

While the likelihood of your personal Mac being targeted by an attack is relatively small, it's still a big issue that will hopefully get a real and working patch soon. Until then, there are a few things you can do.

Testing for Vulnerability #1

In a Terminal window, type the following command into the shell, followed by the Enter key. Terminal can be found in Utilities in your Applications folder, or via a quick Spotlight search.

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The Good Result

If your system is not vulnerable to the Shellshock bug, it will return something similar to the below output.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The Bad Result

If your system is indeed vulnerable to Shellshock, you'll see the following instead.

vulnerable
this is a test

Testing for Vulnerability #2 (Added 9/26/2014)

If you pass the first test, use the following test to see if you're vulnerable from the second attack vector, which was discovered on Thursday.

  • env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

The Good Result

If your system is fine, you'll see something like the following (without any printout of the current date and time).

date
cat: echo: No such file or directory

The Bad Result

If your system is indeed vulnerable to the second attack vector, you'll see the following instead.

date
<The Current Date and Time>

Testing for Vulnerability #3/4 (Added 9/29/2014)

There are no tests yet to check for these new vulnerabilities. Just follow the instructions below to update again and you should be in the clear.

Is There an Update Yet?

Many Linux distros have already released patches for Shellshock (though they were mostly incomplete), but Mac OS X has not received anything yet, and Apple hasn't even commented on the issue. There was a recent 10.9.5 update for Mavericks, but it has nothing pertaining to this issue.

If you're worried, though, there is a way to manually update your GNU bash version to a more secure one, thanks to some users over at StackExchange.

Check Your Current Bash Version

To see what version of bash you have installed on your Mac, enter the following command (followed by the Enter key) into the shell in a Terminal window.

  • bash --version

If you get GNU bash, version 3.2.51(1)-release, then you'll want to manually update to the newest version of bash 3.2, which is 3.2.57. Also, if you've already used this guide to update to 3.2.52(1)-release or 3.2.53(1)-release, then you'll want to perform everything below again to make sure you're fully protected.

There are newer versions of bash out there, but Mac OS X runs off the 3.2 branch. If you're using Linux, you'll want to make sure the patch you download matches the version of bash you're using. The latest patches for all major versions of bash (including 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3) can be found here.

Manually Updating Bash - Initial Requirements

You can manually compile the newest bash version (3.2.57) using the below instructions, but you have to have Apple's Xcode installed on your Mac for this to work. If you don't have it, follow the instructions in the Prerequisite Check section below.

If you don't want to update bash, there is a workaround provided by Red Hat, but it hasn't been tested fully, so I wouldn't recommend it.

Prerequisite Check

You'll need to make sure you have Xcode installed, and have agreed to Apple's terms. For older Macs, you'll also need to make sure you have all the command line tools.

You can download Xcode for free from the Mac App Store.

If you're on an older version of Mac OS X and Xcode isn't available for you in the Mac App Store, you can download older versions by searching for the proper version number after logging into Apple's developer portal here with your Apple ID. If you're on Mac OS X 10.7 or 10.8, search for "Xcode 4.6.3" in the Downloads for Apple Developers search box on the left side of the page.

Once you've installed Xcode, launch it from your Applications folder and agree to Apple's license agreement (the initial launch may take a while). After that, you'll want to confirm that you have all of the command line tools. To do so, do the following:

  1. With Xcode open, click the Xcode menu in your top menu bar.
  2. Click Preferences.
  3. Click the Downloads tab.
  4. Click Install next to the Command Line Tools in the list of downloads.

Note: If you don't see "Command Line Tools" in the downloads tab, then that means you've already got them and are ready to go!

Once done, you have everything you need to patch your system.

Step 1: Download & Compile the Patches

Once you've confirmed you have Xcode installed, open Terminal again and enter the following commands. Each bullet point is one command, so make sure you copy the full line in each bullet point (minus the bullet, of course).

This process may take a while, and you'll see a lot of text appearing in the Terminal window. It's just Xcode compiling the new version of bash on your system. Once it's done, it'll say "BUILD SUCCEEDED" and you'll see a Terminal prompt again.

Step 2: Back Up Your Current Version (Just in Case)

Just in case something goes wrong, it's a good idea to back up your current version of bash. That said, if you already did this step in a previous attempt to patch your system, you can skip it as you already have a backup. You can do so by entering the following two commands in Terminal.

Note that you'll likely be prompted for a password when doing this step. If so, use the same password you use to log in to your Mac. You will not see your password in Terminal as you type, so it may take you a few attempts if you have a complicated password.

  • sudo cp /bin/bash /bin/bash.old
  • sudo cp /bin/sh /bin/sh.old

You won't see any confirmation, but it'll work, and if something goes wrong after Step #5 below, you can get back your old un-patched version of bash by reversing the above copy commands, to copy the ".old" copies back over their original files (without the ".old" part).

Step 3: Verify the Version of Your New Build

Enter the following commands in Terminal to verify you've got the new version of the bash build on your computer.

  • build/Release/bash --version
  • build/Release/sh --version

The output of these commands should confirm for you that the build version of bash is 3.2.57(1)-release.

Step 4: Replace Your Old Bash with the Patched Version

Almost done. You just have to copy the new version of bash over your old version. Do so with the following Terminal commands.

  • sudo cp build/Release/bash /bin
  • sudo cp build/Release/sh /bin

If you want to verify that you have the newest version as your default bash, just run the check bash version command again.

  • bash --version

And that's it. Now just try out the test again and if it comes back with the good result (i.e., not the one that says "vulnerable"), then you're golden.

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And run the second test to confirm the current date and time don't print out:

  • env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

If the date does print out again, first check your user home directory to see if a file called "echo" was created when you ran the test the first time. If so, delete it and run the test again. If the date still prints out, chances are you missed part of the updated Step #1 above. If you ever think you might have messed up a command, you can always start over by deleting your bash-fix folder and starting again from Step #1. Also note that you can delete the bash-fix folder if you're all good, too, because it's just a temporary folder.
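The two tests above can also be scripted. The following is an added example, not part of the original guide: it runs tests #1 and #2 against any shell binary (for instance build/Release/bash before Step 4, or /bin/bash and /bin/sh after it), and runs test #2 in a temporary directory so a leftover "echo" file cannot skew the result. The function names are made up for this example, and it does not cover vulnerabilities #3/4, for which the guide gives no test.

```shell
#!/bin/sh
# Added example, not from the original guide: runs the guide's tests #1 and #2
# against a shell binary and prints one verdict per test.
# All function names here are made up for this example.

# classify_6271 OUTPUT
# Interprets the combined stdout/stderr of test #1 (CVE-2014-6271).
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command placed after the function body was executed on import.
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # Only the requested command ran. Depending on patch level the shell
        # may or may not also print the "ignoring function definition
        # attempt" warning shown in the guide.
        echo not-vulnerable
    else
        # Neither line appeared: the shell did not run, so nothing was tested.
        echo inconclusive
    fi
}

# check_6271 SHELL_PATH
# Runs test #1 against SHELL_PATH and prints the verdict.
check_6271() (
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1) || true
    classify_6271 "$out"
)

# check_7169 SHELL_PATH
# Runs test #2 (CVE-2014-7169) in a fresh temporary directory. A vulnerable
# shell writes a file named "echo" into the current directory; a stale copy
# from an earlier run in your home directory therefore cannot interfere here.
check_7169() (
    workdir=$(mktemp -d) || exit 1
    cd "$workdir" || exit 1
    env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 || true
    if [ -e echo ]; then verdict=vulnerable; else verdict=not-vulnerable; fi
    cd / && rm -rf "$workdir"
    echo "$verdict"
)

# shellshock_report SHELL_PATH
# Prints one summary line for SHELL_PATH.
shellshock_report() {
    if [ ! -x "$1" ]; then
        echo "$1: not an executable file, skipped"
        return 0
    fi
    echo "$1: test #1 $(check_6271 "$1"), test #2 $(check_7169 "$1")"
}

# With no arguments, check the two binaries the guide replaces in Step 4.
[ "$#" -gt 0 ] || set -- /bin/bash /bin/sh
for shell_path in "$@"; do
    shellshock_report "$shell_path"
done
```

Save it under any name and pass the paths to check as arguments, e.g. build/Release/bash build/Release/sh from inside the build folder.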

For Homebrew or Macports Users

If you use Homebrew or Macports, you can get instructions on updating bash over at StackExchange.

157 Comments

I ran through your walkthrough and I get down to the part where I put in, xcodebuild. It told me to do sudo, then agree etc. I then run it again and it gives me this:

** BUILD FAILED **

The following build commands failed:
PhaseScriptExecution ostype.h build/bash.build/Release/ostype.h.build/Script-59DC3C521120DC9C00B033EC.sh
(1 failure)

Good news is nothing you did can't be reversed. Sounds like super user permissions may have timed out mid-build and that screwed things up. You can start over by deleting your bash-fix folder (it'll be in your user account's home directory... you should be able to find that in finder) and then open a new terminal window and follow the instructions from the beginning, with just one change... Since some part of the build needs su permissions on your system, when you get to the xcodebuild command, type sudo xcodebuild instead and enter your password when prompted.

If that doesn't work, let us know what version of OS X you're using, along with what you see when you type bash --version.

Thanks for the fast reply, I tried again and it did not work.

I am running OSX 10.9.1
and my bash is: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

If you downloaded Xcode specifically for this purpose, have you tried opening it first to make sure it's correctly installed? I believe you have to enter in your admin password after installing and opening Xcode for the first time.

Yeah, I had used it briefly for another project, and I've opened it again just now to triple check. Sadly nothing new haha

Hmm. I'm not certain what's causing it to error out. You might try downloading the latest version of Xcode, but I'm not sure that'll work either. You may need to wait for Apple's official patch to come out. That said, in order for this exploit to affect you, you'd have to be running a service that accepts external connections (such as ssh, telnet, or a web server), or install an app that's malicious (or accepts external connections), so it's unlikely a Mac used at home for say, browsing the web and checking email, will be targeted. If you do run any servers, killing them for now would be prudent, but otherwise, just don't install any new apps you're not sure you can trust for the time being. As this is a very high profile bug, I suspect Apple will release an official patch soon.

I had the same error. If I am not too tired and I am looking at this correctly, my problem was due to the fact that I installed an SSD in my optical drive bay and setup as my main drive (original internal HDD) as a secondary drive. After installation, I moved all of my non-essential OS folders to the secondary drive and updated the links in the OS to point to the SSD when appropriate and the HDD when appropriate.

The build would not compile correctly because the folders were being made in my user folder on the secondary drive while the "cd .." was going to the root for the SSD drive — at least this is far as I can surmise. Here is what I changed to get it to work:

cd /Users/Shared
mkdir bash-fix
cd /Users/Shared/bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd /Users/Shared/bash-fix/bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
xcodebuild

That worked with no errors for my personal Mac at home after not working the first three times. My Mac at the office, which has the original build as far as drives, worked with the suggested commands in the article. Hope that helps.

Hi Dylan,

I was able to find an older mac and replicate your issue. The problem is you're missing some dependencies. I've updated the article with a new section called "Prerequisite Check". Just delete your bash-fix folder and follow the steps in the article to download the missing command line tools. Once done, start from step 1 again and all should work (at least it did for me on my system).

Have you updated Xcode lately and not opened the application to accept the license agreement? That's what happened to me. Just had to open Xcode, accept the license, let it load, then close and retry the xcodebuild command.

So is there a way to see if it actually fixed it? I built and verified the new version. However, when I copy paste the code at the top, it still outputs, "this is a test"

Try this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Well that is really strange. Prior to reading this, it was still outputting "this is a test"

http://imgur.com/rlQPnSq

The last 2 entries were right after I read this.

I'm a bash newbie. Anyone mind explaining the elements of this test script and how its able to test for the vulnerability? Thanks!

Just found a blog on the AskUbuntu site that explained it. It's so simple, it went over my head when first looking at it. Scary!

"It simply sets the environment variable called x to the value () { :;}; echo vulnerable. It then invokes bash asking it to echo back the word hello. The value of x that is set is a function definition that should do nothing. However, it is crafted to try to run 'echo vulnerable' at parsing of environment at bash start-up, which just prints vulnerable to standard out."

see below

When it says "this is a test" without saying "vulnerable" first, that means you're good! At least for this exploit. There is buzz around another related exploit that has not yet been patched. We'll be updating this article once the new patch is released.

Ahh, okay. I was thinking that it needed to show the warning and error in order for it to be working. Thank you for the clarification.

Just as an FYI - If you mistype the env command (like, say you forget the space between the right paren and the left curly) it will just do the echo this is a test part because the syntax to set the environment variable is incorrect. So if it just prints "this is a test" it means you typed it wrong. The ONLY indicator of the patch working is the full error message as noted elsewhere in this thread.

Interesting stuff, but a little confusing for this almost illiterate Mac user.
(OSX 10.6.8; cannot upgrade due to hardware limits).
When I go and try to download Xcode, I seem to be able to find only something that is compatible with 10.9.4 or later.
How do I get around that?

PS we old version users seem to be left out in the cold quite a lot, I find.
Help appreciated!

If you still have the Snow Leopard installed DVDs, I believe Xcode can be installed from the "Optional Installs" folder on the disc, and then you can use Software Update to make sure you have the latest version for your system. Otherwise, you might need access to the Apple Developer site, if they even have older versions there.

Thanks Justin. That's sound advice: the disk does contain Xcode.

One more issue: you all seem to talk about much newer versions of Bash. Mine is GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)

Can I upgrade 48 to 52, or is that too big a step, or are there perhaps other hardware issues involved? As you see: nitwit here. Sorry.

I don't have a system like yours to test on, but it should work... There's no harm in giving it a try. Worst case scenario, you'll have a few extra files in a folder that you can just delete (this won't break anything). Just make sure to stop if you do get an error and report back.

I've just updated my 10.6.8 with bash version 3.2.48(1) to 52 and all is working fine. Thanks for the patch info btw!

The first download from opensource.apple wouldn't work, so I did the download via http, then did a mv to the bash-fix directory. When I run the second curl command from gnu.org the process stops and asks for "File to patch:"

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3250 100 3250 0 0 3636 0 --:--:-- --:--:-- --:--:-- 3639
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
| BASH PATCH REPORT
| =================
|
|Bash-Release: 3.2
|Patch-ID: bash32-052
|
|Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
|Bug-Reference-ID:
|Bug-Reference-URL:
|
|Bug-Description:
|
|Under certain circumstances, bash will execute user code while processing the
|environment for exported function definitions.
|
|Patch (apply with `patch -p0'):
|
|* ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
|--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
--------------------------
File to patch:

I've already done the cp of my existing bash directories.

running 10.9.5

thanks in advance

If you downloaded the tarball directly, make sure to untar it first. In Terminal, make sure you're in the same directory as the .tar.gz file and type:

  • tar -zxf bash-92.tar.gz

That will untar it. Then cd into the untarred directory with:

  • cd bash-92/bash-3.2

...and follow the rest of the instructions from there (starting with the 2nd curl command).

yep asking me for file to patch: as well

I've specifically created an account to thank you Justin for this article :)

Works great...thanks for the howto. I'm back to good.

hi,
I'm trying to do this patch now, and when I got to: xcodebuild
I got a message: Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo.
I have no idea what that means. I am the admin on this Mac.
Thanks for your help!

Open Xcode from your Applications folder first. The initial open will require you to enter your password and agree to Apple's terms of service. Once you've done that, you should be able to start over.

(When I first tried
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I got:
vulnerable
hello
After manually updating bash I got:
vulnerable
this is a test
even though it said that the build had succeeded earlier on....
So... what do I do now?)

EDIT: realised I had used "echo hello" when checking the first time, my bad.

Either the exploited environment variable string is still set, or something was missed and your old version of bash wasn't replaced with the newly compiled version. Try the following:

  1. Fully Quit Terminal (Press Command+Q)
  2. Re-open Terminal and type bash --version

What version does it say you're running? If the new version, re-run the test. What is the output?

Okay, well it seems the old version of bash wasn't replaced properly. But now everything is sorted. Great! Thank you for replying - you just earned yourself a bunch of karma points! :)

Same problem here! Completed all steps no errors. Bash version still 3.2.51(1)

Please confirm you ran the following two commands at the end to copy over your old versions of bash and sh:

  • sudo cp build/Release/bash /bin
  • sudo cp build/Release/sh /bin

If so, what version of OS X are you on? I'm wondering if the bash binaries are in a different place.

Yup that did it! Many thanks!!

Hey so I went through the whole thing and ran "sudo cp build/Release/bash /bin" and I'm still running the 3.2.51(1) version.

I am running Maverick on a late 2008 macbook pro

While trying the first curl command I got this:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

With a lot of other text after it. Is it ok to use it without the SSL certificate? Something to fix this part of the fix?

Make sure your system clock is set to the current date and time, run apple's check for system updates and install any available, then try again.

Not interested in updating to Mavericks or Yosemite, just want to fix the Bash bug.

Will check to make sure system time isn't an issue, but any way around the SSL issue otherwise?

You can download the files manually (that's all curl does), but you'll have to do the untar and patch commands separately. Should go something like this:

  1. Download the bash-92.tar.gz file manually (using a web browser) and save it to your bash-fix folder.
  2. untar it with the following command: tar -zxf bash-92.tar.gz
  3. move into that directory: cd bash-92/bash-3.2
  4. Download the bash32-052 patch file manually and save it to the bash-3.2 folder
  5. Patch it with the following command: cat bash32-052.txt | patch -p0
  6. Follow the rest of the steps above starting with cd .. in step 1.

thanks! :)

The patch -p0 bash32-052 command seems to be taking a while with no output (the prompt is on a newline, process still seems to be running, but no output in about 5+ minutes) is this normal or am I missing some argument in the patch command?

Sorry for the number of questions, these are just areas of OS X I don't usually deal with so don't know what to expect.

Should be immediate, with output for each file patched. If the prompt is on a new line, you're probably ready to go on to the next step.

On a new line, but like it's working (i.e. not accepting input or acting like the command didn't get all the input). I should say the cursor is on a new line, but there is no prompt so patch is still running (or waiting for some more input)

Ah. I see. I think OS X may add ".txt" to the end of the patch file when downloading manually. If you still have that terminal window open, press Ctrl+C to cancel. Then enter the following command:

  • cat bash32-052.txt | patch -p0

Then pick up from the "cd .." part of step 1...

I've updated my comment above to reflect this.

Use curl with "--insecure" flag. That should resolve your SSL issue.

For those receiving the "Build Failed" message. You may need to 'sudo' the xcodebuild command.

ran thru the alternative step listed above since I can't upgrade to the latest Maverick's release due to incompat issues with existing tools I need, but I was able to patch my 10.9.2 system - it worked.

But with my 10.8.5 system, it failed.

Wants XCode path, looking for Xcode5 DMG, no longer available on Apple public website, and don't have access to Apple Developer site. Any pointers where I can get it from?

Crunchy

Hmm. Did you already try getting it from the Mac App Store? For older versions of OS X, you should be able to install an older version of Xcode from an older Mac Recovery DVD as Justin noted above. That said, I can't remember if 10.8 even came with a recovery disc. Hopefully you have one lying around somewhere from an older version of OS X (10.7 maybe?). If not, downloading Xcode from anyone other than apple is risky business. Riskier I think than leaving it unpatched for now (assuming it's not set up as a web server of sorts). Maybe best for you to keep any servers off on that system until Apple releases an official patch.

Thanks for the well-presented how-to.

I have a number of Mac's running pretty much either 10.8.5 or 10.9.x. They consist of different hardware - Air's, Book Pro's, Pro's - all within the last year, but some significant hardware version changes (especially the NEW Pro's).

Can I build a single new bash and sh on one machine and copy it to the others?

Actually, that should work since we're compiling completely from newly downloaded source code. That said, I'd be sure to make a backup of each original bash & sh file before overwriting them (ex: following Step 2 for each machine).

Thanks for the great How-To!

I am having a problem running the 2nd curl command:

davids-imac:bash-3.2 daviddrollinger$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:33 --:--:-- 0
curl: (35) Unknown SSL protocol error in connection to ftp.gnu.org:-9805

First, I'd just try entering the command again to see if it was just a connection fluke. If you still get the error, it sounds like you may need to check your system clock settings to make sure you're set to the current date / time, and install any system updates from Apple first... If you do that and still get this error, you can manually download the patch to the bash-3.2 folder and follow my instructions above for Jacob W who ran into a similar problem.

Hi. I followed your guide and it worked fine... :-)

I just want to contribute my 2 cents...

On step 2, you say that "You won't see any confirmation, but it'll work..."
I know how to make these commands show a confirmation. Just use these commands instead:

sudo cp -v /bin/bash{,.old}
sudo cp -v /bin/sh{,.old}

I hope this helps someone... :-)
Cheers.
Cris

It's Crunchy again...

I had never installed XCode on my 10.8.5 system, but I was able to locate an original SnowLeo..DVD, and was able to install XCode from there. Re-ran the xcodebuild... BUILD SUCCEEDED, and now I'm all good.

Ok, I'm very computer illiterate when it comes to code stuff like this. I have Mac 10.6.8, and I can't download Xcode from the app store. I haven't found any of my recovery discs, but I've had my laptop for a few years now and I don't even remember if I got any with it or not. I only use my laptop at home on a secure wifi network, will my computer be okay until Apple releases a patch?

I got a failed build on OS X Snow leopard. (10.6.8/10K549)
The following build commands failed:
PhaseScriptExecution ostype.h build/bash.build/Release/ostype.h.build/Script-59DC3C521120DC9C00B033EC.sh
(1 failure)

can anyone help?
also, I ran the command with sudo

Thank you for posting this really CLEAR and effective walk through. It all worked out perfectly for me. Good as golden..env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Do the work in /tmp folder. Avoid external Volumes.

I've updated the article to explain how to make sure you have the missing command line tools that are leading to you getting that error. Start over following the new steps and you should be good to go.

Hi and thanks for the article.

I have a problem though. When I ran xcodebuild for the first time it prompted for the Xcode download which I did and installed. Now when I run xcodebuild it returns:-

xcode-select: error: tool 'xcodebuild' requires Xcode, but active developer directory '/Library/Developer/CommandLineTools' is a command line tools instance

Any suggestions?

Many thanks in advance.

Same issue as above.

Is it anything to do with having the Xcode6 beta?

I've updated the article to show you how to make sure you have the latest command line tools.

This fixed it for me (if you have Xcode6 beta installed):
sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer

Hi, I just copied the walk-through and the final test was as follows:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Should I do something or is it ok?

Thanks!

Great tutorial, I've applied this and am very happy :-)

Once the patch is installed, should we remove the /bin/bash.old and /bin/sh.old files?

I'd keep them around for now just in case apple's official patch ends up expecting the unpatched versions (unlikely, but better safe than sorry).

Thanks , this seemed to work for me okay with out any problems. One question , after creating the new bash on one iMac, is it okay to copy it to others of the same OS release, without going through the Xcode build each time?

Should be. Just make sure you backup bash and sh on each computer first, just in case.

Thanks Bryan, better do 3.2.53 now

Thanks for the tip! Worked like a charm.

Hey guys, I got everything perfect, until step 4. When I enter the commands (down below) nothing happens in my Terminal.

sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

Any ideas what to do? I'm running the latest OS X

EDIT: False alarm, it's all good! Thanks!

Worked perfectly - thanks! All successfully updated

Thanks for the link. I'd patch if I were you. DHCP has been proven to be exploitable by this, and that's likely a part of Hamachi.

Hi there, I am on Mountain Lion, and Vulnerable.
For me there is really the need to fix it due to my work ;)

I get: GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)

Can I also do this update? thanks!

Niek, there's someone higher up the list with an older version like you (and me). It should work -> read earlier replies.

Ok Tessa, thanks! I'll give it a go :)

Thanks Justin and Bryan, top tips! I updated bash successfully and waiting for the official patch now. However I am not clear about what the 'vulnerable' test means. Does it mean that I was vulnerable to the exploit, or as the article seems to suggest, I was "indeed infected by Shellshock". My understanding of vulnerabilities is limited, but I imagined it is like an open door to a possible abuse, as opposed to 'an infection' which would be attacks have already taken place?

thanks!

This means that you are vulnerable to it, not that you have been infected. :)

thanks! (feeling better)

Hi, I'm trying to do it but it gives me this:

Check dependencies

The file "BSD.xcconfig" couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

I too am having the same error. I'm running Mac OSX 10.9.5, Xcode Version 6.0.1 (6A317). Even downloaded and manually installed commandlinetoolsforosx10.9forxcode6.dmg

I'm getting this too on latest Yosemite with Xcode Version 6.1 (6A1052d). Any suggestions?

Running 10.8.5; bash version GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12); Xcode Version 3.2.6 (1761) installed. Every step works except the xcodebuild that results in:

xcrun: Error: failed to exec real xcrun. (No such file or directory)

Suggestions?

Excellent walkthrough, worked like a charm!

Thanks, everything worked perfectly. One question: I'm now left with a visible folder in my home directory called bash-fix. Is it safe to delete that, or is that where the now updated version of bash is living?

It's safe to delete. You've already copied over the new versions.

Worked well. Thanks!

When I ran through the Terminal steps described in your article and ran the line command to check if my system was still vulnerable, I got the following response:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Although the response following the build was BUILD SUCCESSFUL, there was a line before it asking to check something, saying it could not find the file BCD.something in the Xcode application.

The response you got means you are successfully patched, so I wouldn't worry about it..

Thank you for this and everyone in the comments that helped as well.

Thank you, Justin. That was very easy to follow and very helpful.

I got a hold of an older mac to test and figured out the problem some of you are running into.

For those of you running into ** BUILD FAILED ** errors after typing the xcodebuild command, you're likely missing some of the dependencies. Even if you don't understand what that means, it's easy to fix. Just install them by doing the following:

  1. Launch Xcode from your Applications folder
  2. Click the Xcode menu in your top menu bar
  3. Click Preferences
  4. Click the Downloads tab
  5. Click Install next to the Command Line Tools in the list of downloads.

Once installed, quit your terminal window, delete the bash-fix folder from your user home folder, and start again from the beginning. I've updated the article to reflect this.

I left my experience above, copied here,

Thanks for the post, I signed up too.

I downloaded Xcode, opened it no problem, did all the steps above and updated my bash, then reset the default. But I still get 'vulnerable' this is a test. I also closed terminal, rechecked the version, which is correct, and still the test says vulnerable. Any ideas?

edit: I ran the sudo commands to make sure about the default, this time I got request for password so I thought, great!

Wrong. Still vulnerable. Mavericks 10.9.5

Wondering, even though it shows the newest version and it still says vulnerable, if I can simply go back through the whole process exactly the same way or if I should do some stopgap measure. Have yet to try on my Snow Leopard iMac

Chances are something didn't copy over correctly. Go through the process exactly the same way (copy/pasting the commands to be sure nothing's missed), except when creating the backup, name the backups ".old2" instead of ".old", so as not to accidentally overwrite your original backups.

Amanda Henson's solution to the 'build failed' problem worked for me (see above, 7th post).

Wonderful! SUCCESS! thanks Also installed xcode from disk on Snow Leopard Imac and everything went smoothly. Excellent detailed instructions and advice.

Hi. Did everything as stated above, worked great, until the very end. This is what I get when I run the test the final time:

XXXs MacBook-Air:bash-92 XXX$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If it doesn't state 'vulnerable', I should be good, but still bothered by the 'error' statement.

Yup! The error statement is what you want to see. It means that an attempt to exploit your system threw an error instead of executing the exploit.
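The outputs quoted in the comments above fall into three cases, and a pasted transcript can contain the word "vulnerable" on the prompt line without the trailing command having run. The following added example (not from the article or its commenters; the function names and verdict words are assumptions) runs the article's first test against a shell given by absolute path and classifies the result, counting only a line that consists solely of `vulnerable` as a hit.

```shell
#!/bin/sh
# Added example: classify the result of the article's first test command.
# Verdict words and function names are assumptions made for this example.

# classify_probe_output TEXT -> prints one verdict word
classify_probe_output() {
    cp_out=$1
    if printf '%s\n' "$cp_out" | grep -qx 'vulnerable'; then
        # The command placed after the function body was executed.
        echo vulnerable
    elif printf '%s\n' "$cp_out" | grep -q 'ignoring function definition attempt'; then
        # The shell saw the crafted variable and refused to import it.
        echo patched-rejected
    elif printf '%s\n' "$cp_out" | grep -qx 'this is a test'; then
        # No warning and no "vulnerable" line: the variable was not
        # imported as a function at all.
        echo patched-ignored
    else
        # The shell did not run, or printed something unexpected.
        echo inconclusive
    fi
}

# probe_shell PATH -> run the test from the article against one binary.
# Using an absolute path checks the file that was actually replaced,
# not whichever "bash" happens to be first in PATH.
probe_shell() {
    ps_shell=$1
    if [ ! -x "$ps_shell" ]; then
        echo inconclusive
        return 0
    fi
    ps_out=$(env x='() { :;}; echo vulnerable' "$ps_shell" -c "echo this is a test" 2>&1) || true
    classify_probe_output "$ps_out"
}

# The guide replaces both files, so check both.
for ps_candidate in /bin/bash /bin/sh; do
    printf '%s: %s\n' "$ps_candidate" "$(probe_shell "$ps_candidate")"
done
```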

What directory should the commands in Step 1, Step 2, etc. be run from? Does it matter? Should it be from simply the default /Users/<username> directory you are in when you open a terminal?

Yes, the instructions assume the default /Users/<username> directory. That said, all change directory & move commands are relative, so as long as you don't stray from the instructions, you'll be fine.

I also got this in the terminal:

Check dependencies

The file "BSD.xcconfig" couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

That error will not affect the fix included here, but I found I could remove it (the error!) if I added the following BSD.xcconfig file in the path specified:-

ARCHS = $(ARCHS_STANDARD_32_64_BIT);
CODE_SIGN_IDENTITY = -;
CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion);
DEAD_CODE_STRIPPING = YES;
DEBUG_INFORMATION_FORMAT = dwarf-with-dsym;
PREBINDING = NO;
// Current Mac OS
SDKROOT = ;
//USE_HEADERMAP = NO;
VERSION_INFO_PREFIX = _;
VERSIONING_SYSTEM = apple-generic;

In Terminal you will first need to create the Xcode folder:-
ie.
$ sudo mkdir /Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/

Then create BSD.xcconfig as above with vi or nano or whatever,
then finally change its permissions
$ sudo chmod 644 /Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig

!!! Important note to all who have installed patch 3.2.52 !!!

There is a new patch out (3.2.53) that addresses an additional attack vector left open in 3.2.52. An additional step has been added to the instructions in this article to fix it. If you already ran this patch, all you have to do is delete your bash-fix folder from your user directory and follow the instructions from step 1. Many of them are the same, but the order you do them in is very important, so it's best to just copy / paste each command one at a time.

Hi,

When I enter in the commands to build the new patch, I get this message:

Error: No developer directory found at /Developer. Run /usr/bin/xcode-select to update the developer directory path.

What does it mean and how do I get around it?

Thanks.

Sounds like you may not have Xcode or the Command Line Tools installed. Check out the Prerequisites section in the article above.

Nope, I've done both of those steps. Anything else it could be?

Could just be remnants from updating Xcode to the newer version (now stored in your Applications directory instead of /Developer). Try typing this command, then try again:

  • sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer

Perfect, that did it. Now all fixed. Thank you so much!

Could this fix cause problems with Apple's own official fix, if/when that's released (maybe as a Security Update)?

Very unlikely, but if you'd like to be certain, this patch can be totally reversed by simply entering the following two commands in Terminal to restore the backup you made in step 3 above, before installing Apple's patch (once it's finally made available):

  • sudo cp /bin/bash.old /bin/bash
  • sudo cp /bin/sh.old /bin/sh

Thanks! I just did that, and ran the Apple update ( http://support.apple.com/kb/DL1769 ). I still have /users/me/bash-fix/ on my drive though. Should I just delete that with normal Finder Trash?

Thanks, followed step by step and it worked like a charm. Appreciate your help :)

didn't work for me as a normal user even using sudo then switched to root and Worked 100%

Well, this is odd.

On my system (10.8.5), after installing the first-level patch:

% bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

% env X='(){(a)=>\' bash -c "echo date"; cat echo; rm -f echo
date
cat: echo: No such file or directory

So even though I haven't yet installed the second-level patch, my 3.2.52 install of bash doesn't appear to be vulnerable per the second test (which I copy-pasted straight out of the article).

How can that be?

Kudos! Worked like a charm for me. one of the benefits of open source.

have you gotten a reply? I'm looking to patch a leopard server

Your procedure worked perfectly in Lion and Mavericks, thx!

@Justin, worked like a charm, you guys are awesome!!!

Great guide, easy to follow and it only took me about 3 minutes (minus the install of xcode)

Great tutorial, but the original bash/sh file were universal binaries ie.
$ file /bin/bash
$ /bin/bash: Mach-O universal binary with 2 architectures: x86_64: Mach-O 64-bit x86_64 executable i386

Is it possible to have the config changed to create this, rather than just create x86_64 binaries? I do not have the expertise to do this myself...

John Hall

Eh,
I think I can answer my own question here!
To build a universal binary, as per the original bash and sh:-
In Step 1 and Step 2 replace xcodebuild with:-
xcodebuild -arch x86_64 -arch i386

This will produce files which will run in 32 and 64 bit modes as appropriate for the machine boot mode...

thanks for the great tutorial, any ideas on patching a leopard server (10.5.8)?

I'm working on Leopard 10.5.8, installed Xcode in order to manually update the bash, but ran into the problem that apparently for the version of Xcode compatible with 10.5.8 (I have 3.0 now, and apparently it goes up to 3.1.4) there is no "downloads" tab and apparently no way to download the "Command Line Tools".

I thought that maybe they were packed up inside of Xcode by default so I was like "hey lets try it anyway".

First off the bash build doesn't download, returns with an error for some reason. Something about SSL encryption not recognizing a certificate. Said "off with that" and just downloaded and put the bash-92 folder into bash-fix.

Works. Yay. Then this happened :

Well of course.

Tried pushing on anyway :

Can't say I'm surprised.

Is there a workaround ? I'm not a programmer and I can't type a line of code in a million years so if I'm doing something wrong I likely don't even know what, but the fact that it did not find the "seq" command leads me to believe that Xcode 3.0 doesn't have the command line tools bundled somehow ? Is there a way to get them externally ?

Thanks in advance.

Cheers!
Alex.

I haven't been able to try this myself, but a little searching turned up this little terminal command to get it to download the xcode command line tools. Let me know if it doesn't work.

  • xcode-select --install

thanks Bryan, will try again in am

Alex, see my response to Norman below. It explains how to get around the lack of a `seq` command in older versions of OS X.

I'm on an older machine running OS 10.6.8 with Xcode v 3.0. The procedure fails for me at line 3 of step 1 with the following error:

bash-fix norman$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf

tar: Option f requires an argument
Usage:
List: tar -tf <archive-filename>
Extract: tar -xf <archive-filename>
Create: tar -cf <archive-filename> filenames...
Help: tar --help
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 4088k 0 16384 0 0 43020 0 0:01:37 --:--:-- 0:01:37 134k
curl: (23) Failed writing body (0 != 16384)

I don't know what any of this means.
I can put that url in Safari which downloads 2 files:
bash-92.tar
M202.0M2.1.6.04ZAV.D7210.rar
I have dragged them into the bash-fix folder. Now what do I do?

A second possible problem: My version of Xcode does not have a Downloads preference.

Update: Well I read further down in the instructions and manually ran tar. The file in my directory did not have the .gz extension, so I just omitted it thus:

tar -zxf bash-92.tar
That worked and resulted in the creation of the bash-92/bash-3.2 directory. However when I did:
cd bash-92/bash-3.2

for i in $(seq -f "%03g" 52 54);do curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-$i | patch -p0; done

I got: -bash: seq: command not found

So I guess I'm missing the command line tool, "seq"
This appears to be the same problem Alex is having.

You're missing the " -" (space, minus sign) that should be at the end of that command. Safest to copy/paste each bullet point for each individual command (including any text that wrapped to the next line) so as not to miss little details like this.

The purpose of the `seq …` command in this case is to easily loop through all the patch file names (052 053 054) in a single curl command. I don't know when this command became available for OS X, but it certainly isn't on my fully patched Leopard system.

Just issue the following command instead of the original `for … ; done` command:

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0

Then repeat that command with 053 instead of 052, and 054 instead of 053. You must do them in the proper order!

If there are further patches for bash 3.2, I'd presume they would be numbered 055, etc.

This is exactly right

Ok so here I'm getting another error, actually the same SSL certificate error I was getting earlier :

Tried adding "-k" at the end of the pasted line of code, did not work, returned the same text as above.

Also, Bryan, I tried "xcode-select --install", and it returned this :

Thanks a lot for the fast answers!

Alex.

Alex, to override the SSL issue you're getting with the `curl` command you need to include the "-k" just after the word "curl", not at the end of the command line. So like this:

curl -k https://…

Personally, I did not have any SSL certificate issue getting the patches themselves — just when pulling the base bash kit from Apple's servers. Obviously you are getting an error, so something must be different on your system (older certificate authority info in your keychain, older version of OS X, not the same OS X security patches, etc.). I wouldn't worry about it as long as you can obtain the patches successfully using the "-k" option and you use these "trusted" source code/patch domains.

With regard to your `xcode-select --install` issue, it would be mildly interesting to know what this command shows:

xcode-select -print-path

For me, it shows "/Developer".

Based on the output you showed in your second screenshot, it appears that the version of xcode-select you have on your system didn't understand what "--install" means as an option. Can you tell us which version of OS X you are trying this on, and what the version of Xcode is (launch the Xcode application, then choose the "About Xcode" option from the Xcode menu)?

Hi,

Ok, just checked, so first off, my version of OSX is Leopard 10.5.8 (9L31a) with the Darwin 9.8.0 kernel (according to the System Profiler). My version of Xcode is 3.0.

The -k thing before curl did work, I was able to download all the files directly from the Terminal. The -seq workaround worked as well, and I was able to download the patches directly from the Terminal too.

However the build still failed. I tried a second time by redownloading all the files, starting fresh and following all the steps again, using curl -k to download patches 052 to 054, same thing, *build failed*.

If you want I can paste the whole text that appears after the "xcodebuild" line if that helps.

Is it a problem with the Xcode version that's too old ? I've checked on wikipedia and the highest version of Xcode that will work on Leopard 10.5.8 is Xcode version 3.1.4. I have an Apple developer account so I can download it if necessary but my question is : should I upload and will it change anything ?

Thanks!
Alex.

Edit : oh yes "xcode-select -print-path" shows up "/Developer" as well. I didn't change the default install setup and it offered to put Xcode and its files there so I did not bother to change it.

I'm glad my curl suggestion got you further along.

Unless your xcodebuild sequence fails very early on, I'm afraid that your entire log of that step could be quite large (and thus hard to go through). Perhaps, by looking at the output just above where the build failure is reported, you can find the point where things were going well and then turned bad; from that point to the end might be useful.

As to Xcode 3.0, I cannot say if that is too old or not. My Leopard system has 3.1.1 and everything worked. Since you have ready access to the developer portal I'd say it cannot hurt to download the latest you can find there (that works on Leopard of course) and give it a shot. What's a little download bandwidth and time among friends? ;)

I suppose it's possible that your /Developer path is corrupt or incomplete in some way and upgrading Xcode might not catch that. If that's true you may need to (backup and then) remove the current /Developer contents so that a fresh Xcode download and installation will put everything right.

Well, I've made progress:
bash-3.2 norman$ man seq
No manual entry for seq
This confirms that the "seq" command is not on my system. So I did as Marty suggested:

Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 3250 101 3250 0 0 4605 0 --:--:-- --:--:-- --:--:-- 50000
patching file builtins/common.h
patching file builtins/evalstring.c
patching file variables.c
patching file patchlevel.h
Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 1115 101 1115 0 0 3895 0 --:--:-- --:--:-- --:--:-- 19224
patching file parse.y
patching file patchlevel.h
Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6617 100 6617 0 0 18073 0 --:--:-- --:--:-- --:--:-- 53362
patching file variables.c
patching file patchlevel.h

Then I tried to go on..
Elenas-Computer:bash-3.2 norman$ cd ..
Elenas-Computer:bash-92 norman$ xcodebuild
-bash: xcodebuild: command not found
So I don't have the command-line commands for my version of Xcode, and I don't know how to get them. Any suggestions?

Norman,

Your version of Xcode is very out-of-date for Snow Leopard. Even my old Leopard system has version 3.1.1. Looking at Apple's developer portal, the latest Xcode for SL is 3.2.6. Since you have Xcode already installed, I'd be surprised if using the Software Update menu choice from your Apple menu wouldn't find and install that upgrade for you. Then you can try picking up in the bash fix instructions where you left things.

You can signup as an Apple developer without paying anything (their paid account provides additional developer access and tools) and download "Xcode 3.2.6 and iOS SDK 4.3 for Snow Leopard" from there so that route is available to you as well.

Because of licensing, if you cannot upgrade Xcode via Software Update or download it from the Apple developer portal it wouldn't be legal for anyone else to provide Xcode to you. Hopefully Software Update will be your friend!

Since Xcode tends to require you to agree to its Terms & Conditions with every release, no matter how you get an updated Xcode be sure and launch the application before trying to use its command-line tools.

I'm afraid I have dug myself a deeper hole. Today I thought of the 3 other machines in my house, all running Mavericks, on all of which I have applied the Apple patch. So I backed up bash and sh on this old machine, as described above, then copied the versions of them on one of my Mavericks machines to .bin/ on this old machine. Unfortunately that broke everything. Launching Terminal yields:

Last login: Wed Oct 1 13:51:47 on ttys000

Process completed

so the terminal session shuts down completely. I tried to ssh to this machine from another on my LAN but that failed as well. I'm about try to use Finder to restore from backup. This is hard because my backup is a disk image, and this machine can no longer mount disk images. Disk Utility spins the pinwheel of death. I guess they all rely on bash.

...

Well, I can use the finder to open up /bin/ and I can move bash to the trash, but I don't have permissions to rename bash.old to bash. Is there some way that I can get access to another shell on boot up? Both bash and sh are probably broken.

SUCCESS! I downloaded and installed "Xcode 3.2.6 and iOS SDK 4.3 for Snow Leopard" as per Marty's suggestion (thanks). There was a defaulted-on option to install the command-line tools, and I verified that they were there after the install (there was still no "Download" tab under Preferences in this version of Xcode).

I then completed Bryan's procedure, and Voila!, it all worked and tested properly. Thanks all.

OK, I dug myself out of that. I used Terminal/Preferences to Shells Open With /bin/bash.old, and that gave me Terminal back. Software Update did not want to update Xcode, so it's off to the Developer site...
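Two points from the comments above, the ".old2" advice for a second backup and the report of a machine left without a working shell after a binary from a different OS release was copied in, can be combined into one install routine. This is an added example, not the article's or any commenter's procedure; the function names, the `.oldN` numbering past `.old2` and the 755 mode are assumptions.

```shell
#!/bin/sh
# Added example: replace a shell binary only after it has been shown to run
# on THIS machine, and never overwrite an earlier backup.

# Print the first unused backup name: TARGET.old, TARGET.old2, TARGET.old3, ...
next_backup_name() {
    nb_target=$1
    nb_candidate="$nb_target.old"
    nb_n=2
    while [ -e "$nb_candidate" ]; do
        nb_candidate="$nb_target.old$nb_n"
        nb_n=$((nb_n + 1))
    done
    printf '%s\n' "$nb_candidate"
}

# Succeed only if FILE starts here and executes a trivial command.
# A binary built for a different OS release fails this check.
smoke_test_shell() {
    st_file=$1
    [ -f "$st_file" ] && [ -x "$st_file" ] || return 1
    [ "$("$st_file" -c 'echo ok' 2>/dev/null)" = ok ]
}

# install_shell NEW TARGET: smoke-test, back up, replace, re-test, roll back.
install_shell() {
    is_new=$1
    is_target=$2
    is_backup=
    if ! smoke_test_shell "$is_new"; then
        echo "refusing: $is_new does not run on this machine" >&2
        return 1
    fi
    if [ -e "$is_target" ]; then
        # The backup is the old, unpatched binary, kept under an unused name.
        is_backup=$(next_backup_name "$is_target")
        cp -p "$is_target" "$is_backup" || return 1
    fi
    # Stage next to the target, then rename, so it is never half-written.
    is_tmp="$is_target.new.$$"
    if ! { cp "$is_new" "$is_tmp" && chmod 755 "$is_tmp" && mv -f "$is_tmp" "$is_target"; }; then
        rm -f "$is_tmp"
        return 1
    fi
    if ! smoke_test_shell "$is_target"; then
        echo "installed $is_target failed its check, restoring backup" >&2
        [ -n "$is_backup" ] && cp -p "$is_backup" "$is_target"
        return 1
    fi
    echo "installed $is_target (backup: ${is_backup:-none})"
}

# Usage (as root): sh safe-install.sh build/Release/bash /bin/bash
if [ "$#" -eq 2 ]; then
    install_shell "$1" "$2"
fi
```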

I don't know which CVE(s) it may address, but there is now a patch 056 available dated October 2 at 22:15 (timezone unknown).

If your bash-fix folder is untouched from all previous patching through patch 055, you can apply this new patch by using the following command (be certain that you are in the same bash-3.2 folder as before!!!):

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-056 | patch -p0

Then carry on with the remainder of the original manual steps starting with the `cd ..` command.

I wouldn't be surprised if additional patches come out for this issue, so stay tuned. :)

BTW, I really like this script for testing against these bash issues. It seems to be maintained quickly and the results are in color to quickly give you a sense of your installed version of bash against the identified problems.

I have a problem. I'm running os X Tiger which only allows me to install xcode 2.5. Everything runs fine until I compile the code. I get:

/Users/polarisdirect/bash-fix/bash-92/bash-3.2/lib/intl/dcigettext.c:302:36: warning: character constant too long for its type

/Users/polarisdirect/bash-fix/bash-92/bash-3.2/lib/intl/dcigettext.c:302: error: invalid initializer

Does anyone have an idea? There is no download command line tools under preferences and the code stated above to install them didn't work.

Thanks for the help. Great job Justin and Bryan. Worked perfectly!

Thanks for posting this awesome instruction set. I can't resolve it completely however, it fails the first test. Any guidance greatly appreciated!

I see the following after entering the "xcodebuild" command in Terminal:

=== BUILD AGGREGATE TARGET all OF PROJECT bash WITH THE DEFAULT CONFIGURATION (Release) ===

Check dependencies

The file "BSD.xcconfig" couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

* BUILD SUCCEEDED *

I don't know if this is related after reading that this doesn't matter in comments above. However it doesn't pass the 1st test after completing all commands in Terminal, but does pass the 2nd test. I see:

...2:bash-92 ...$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

I repeated the full instructions 3x on Yosemite's latest version, same result each time. Suggestions? Thanks!
