OSX: bash update

This article describes the current state of bash patching on OS X in as much detail as possible, from the following four angles.
  • The latest update installer package: current as of Oct 5.
  • A script that tests for the known bash vulnerabilities: after updating, it can be used to check whether any known bash vulnerability is still present.
  • A script that compiles an updated version: this also brings bash up to version 3.2.56, but requires compiling locally.
  • Manual update: read this part to understand the current state in detail; if further updates appear later, you can apply them by hand yourself.

  • 1. Latest update installer package:
    Recently, Richard Glaser of the University of Utah published a universal bash update package for OS X 10.5 through 10.10. It updates bash to the current version 3.2.56, which is more trustworthy than Apple's official 3.2.53(1): there is no information confirming that version 56 is completely fixed, but it does fix the known dangerous vulnerabilities (described below, with a test script). It can be downloaded from csdn, here.
    The original announcement follows.
    Here is an OS X installer for the latest official GNU bash release version, 3.2.56, and will be updated to new releases when available. 
    
    The bash is universal, runs on 32/64-bit, PowerPC, Intel architectures and supports and has been tested on OS X 10.5 through OS X 10.10 
    
    http://www.mac-mgrs.utah.edu/downloads/osx_gnu_bash_installer.zip 
    
    Our institution is very decentralized and primarily there was a need to apply the latest GNU bash patch to non-Apple supported OS's like OS 10.6/10.5, but those security conscious or paranoid could use it on supported OS X versions. 
    
    Here are the SHA1 256 checksums 
    
    •        OS X 10.5-10.10 - bash version 3.2.56 
             bed4178f4bdf05ad2d5c396fb3ed97331e62e35836fae1410e20f0e05a77c13e 
    
    •        OS X 10.5-10.10 - sh version 3.2.56 
             f51a83aaad5d15b34753998cb81061eb63ffe1a28f8876db0a0ea2f04f28e3b1 
    
    The installer backs up the current bash install in case you need to revert back to the previous version. See installer read me for details. 
    
    Hope this is useful to the community. 
    
    Let me know if you have any suggestions, comments or problems.

    2. Testing for the known bash vulnerabilities:
    Another engineer wrote a script that checks for the currently known bash vulnerabilities; the original script can be obtained here, and it is attached at the end for easier reading. The following shows the result of testing the 3.2.56 package above with that script.
    $ bashcheck.sh
    Testing /bin/bash ...
    GNU bash, version 3.2.56(1)-release (x86_64-apple-darwin9)
    
    Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    Not vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
    Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

    For comparison, the result for Apple's official 3.2.53(1):
    $ ./bashbash.sh 
    Testing /bin/bash ... 
    GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14) 
    
    Not vulnerable to CVE-2014-6271 (original shellshock) 
    Not vulnerable to CVE-2014-7169 (taviso bug) 
    Vulnerable to CVE-2014-7186 (redir_stack bug) 
    Test for CVE-2014-7187 not reliable without address sanitizer 
    Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch] 
    Not vulnerable to CVE-2014-6278 (lcamtuf bug #2) 
    Variable function parser inactive, likely safe from unknown parser bugs

    3. Compiling an updated version yourself
    TJ Luoma has also released a script that downloads the latest bash source from the opensource.apple.com site, downloads each update patch from gnu.org, and recompiles with Xcode. The result is currently also version 3.2.56.
    4. Manual update
    For how to do this by hand, see AlBlue's explanation for the details.
    --------------------------------------------------
    bash-check script
    #!/bin/bash
    
    warn() {
    	if [ "$scary" == "1" ]; then
    		echo -e "\033[91mVulnerable to $1\033[39m"
    	else
    		echo -e "\033[93mFound non-exploitable $1\033[39m"
    	fi
    }
    
    good() {
    	echo -e "\033[92mNot vulnerable to $1\033[39m"
    }
    
    [ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
    echo -e "\033[95mTesting $bash ..."
    echo $($bash --version | head -n 1)
    echo -e "\033[39m"
    
    #r=`a="() { echo x;}" $bash -c a 2>/dev/null`
    if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
    	scary=1
    elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
    	scary=0
    elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
    	scary=0
    elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
    	scary=0
    else
    	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
    	scary=0
    fi
    
    
    r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
    if [ -n "$r" ]; then
    	warn "CVE-2014-6271 (original shellshock)"
    else
    	good "CVE-2014-6271 (original shellshock)"
    fi
    
    cd /tmp;rm echo 2>/dev/null
    env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
    if [ -e echo ]; then
    	warn "CVE-2014-7169 (taviso bug)"
    else
    	good "CVE-2014-7169 (taviso bug)"
    fi
    
    $($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/tmp/bashcheck.tmp)
    ret=$?
    grep -q AddressSanitizer /tmp/bashcheck.tmp
    if [ $? == 0 ] || [ $ret == 139 ]; then
    	warn "CVE-2014-7186 (redir_stack bug)"
    else
    	good "CVE-2014-7186 (redir_stack bug)"
    fi
    
    
    $bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
    if [ $? != 0 ]; then
    	warn "CVE-2014-7187 (nested loops off by one)"
    else
    	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
    fi
    
    $($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
    if [ $? != 0 ]; then
    	warn "CVE-2014-6277 (lcamtuf bug #1)"
    else
    	good "CVE-2014-6277 (lcamtuf bug #1)"
    fi
    
    if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    	warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    	warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    	warn "CVE-2014-6278 (lcamtuf bug #2)"
    else
    	good "CVE-2014-6278 (lcamtuf bug #2)"
    fi
    

    bash-fix script
    #!/bin/zsh -f
    # recompile bash -
    # 	http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851
    #
    # From:	Timothy J. Luoma
    # Mail:	luomat at gmail dot com
    # Date:	2014-09-25, Updated 2014-09-29
    
    NAME="bash-fix.sh"
    
    	# This should match Xcode in many variations, betas, etc.
    XCODE=`find /Applications -maxdepth 1 -type d -iname xcode\*.app -print`
    
    if [[ "$XCODE" == "" ]]
    then
    	echo "$NAME [FATAL]: Xcode is required, but not installed. Please install Xcode from the Mac App Store."
    
    	open 'macappstore://itunes.apple.com/us/app/xcode/id497799835?mt=12'
    
    	exit 1
    fi
    
    zmodload zsh/datetime
    
    function timestamp { strftime "%Y-%m-%d--%H.%M.%S" "$EPOCHSECONDS" }
    function log { echo "$NAME [`timestamp`]: $@" | tee -a "$LOG" }
    
    function die
    {
    	echo "
    $NAME [FATAL]: $@"
    	exit 1
    }
    
    function msg
    {
    	echo "
    $NAME [INFO]: $@"
    }
    
    TIME=$(strftime "%Y-%m-%d-at-%H.%M.%S" "$EPOCHSECONDS")
    
    LOG="$HOME/Library/Logs/$NAME.$TIME.txt"
    
    [[ -d "$LOG:h" ]] || mkdir -p "$LOG:h"
    [[ -e "$LOG" ]]   || touch "$LOG"
    
    cd "$HOME/Desktop" || cd
    
    mkdir -p bash-fix
    
    cd bash-fix
    
    ORIG_DIR="$PWD"
    
    ##################################################################################################
    
    msg "Downloading and uncompressing Apple's 'bash' source code..."
    
    curl --progress-bar -fL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "Successfully downloaded bash source from Apple.com"
    else
    	die "curl or tar failed (\$EXIT = $EXIT)"
    fi
    
    cd bash-92/bash-3.2
    
    msg "CWD is now $PWD"
    
    ##################################################################################################
    
    msg "Downloading and applying bash32-052 from gnu.org..."
    
    curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "patch bash32-052 successfully applied"
    else
    	die "patch bash32-052 FAILED"
    fi
    
    ##################################################################################################
    
    msg "Downloading and applying bash32-053 from gnu.org..."
    
    curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "patch bash32-053 successfully applied"
    else
    	die "patch bash32-053 FAILED"
    fi
    
    ##################################################################################################
    
    msg "Downloading and applying bash32-054 from gnu.org..."
    
    curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "patch bash32-054 successfully applied"
    else
    	die "patch bash32-054 FAILED"
    fi
    
    ##################################################################################################
    
    msg "Downloading and applying bash32-055 from gnu.org..."
    
    curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "patch bash32-055 successfully applied"
    else
    	die "patch bash32-055 FAILED"
    fi
    
    ##################################################################################################
    
    msg "Downloading and applying bash32-056 from gnu.org..."
    
    curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-056 | patch -p0
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "patch bash32-056 successfully applied"
    else
    	die "patch bash32-056 FAILED"
    fi
    
    ##################################################################################################
    
    cd ..
    
    msg "CWD is now $PWD"
    
    echo -n "$NAME is about to run xcodebuild and its output redirected to $ORIG_DIR/xcodebuild.log. If it does not succeed, check the log for error messages.
    
    This could take a few minutes. Please wait... "
    
    xcodebuild 2>&1 >>| "$ORIG_DIR/xcodebuild.log"
    
    EXIT="$?"
    
    if [ "$EXIT" = "0" ]
    then
    	msg "xcodebuild exited successfully."
    else
    	die "xcodebuild failed (\$EXIT = $EXIT). See $ORIG_DIR/xcodebuild.log for details."
    	exit 1
    fi
    
    # Play a sound to tell them the build finished
    [[ -e /System/Library/Sounds/Glass.aiff ]] && afplay /System/Library/Sounds/Glass.aiff
    
    if [ -e 'build/Release/bash' ]
    then
    	msg "Here is the _NEW_ version number for bash (must be 3.2.52(1) or later):"
    	build/Release/bash --version
    	# GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
    else
    	die "build/Release/bash does not exist. See $PWD/xcodebuild.log for details."
    fi
    
    if [ -e 'build/Release/sh' ]
    then
    	msg "Here is the _NEW_ version number for sh (must be 3.2.52(1) or later):"
    	build/Release/sh --version
    	# GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
    else
    	die "build/Release/sh does not exist. See $PWD/xcodebuild.log for details."
    fi
    
    ####################################################################################
    #
    # 2014-09-29: disabled test section because it only tests first vulnerability.
    # 2014-09-29: TODO: Add tests for each vulnerability to verify it was fixed
    #
    # $NAME: About to run test of new bash:
    #
    # You should see 'hello' but you should NOT see the word 'vulnerable':
    #
    # Press Return/Enter to run test: "
    #
    # read PROMPT_TO_CONTINUE
    #
    # env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello' 2>/dev/null
    
    echo "
    
    "
    
    read "?$NAME: Ready to install newly compiled 'bash' and 'sh'? [Y/n]: " ANSWER
    
    case "$ANSWER" in
    	N*|n*)
    		echo "$NAME: OK, not installing"
    		exit 0
    	;;
    esac
    
    cat <<EOINPUT
    $NAME: About to replace the vulnerable versions of /bin/bash and /bin/sh with the new, patched versions.
    The old ones will be backed up to /bin/bash.$TIME and /bin/sh.$TIME respectively
    Please enter your administrator password (if prompted):
    EOINPUT
    
    # This will prompt user for admin password
    sudo -v
    
    ##################################################################################################
    
    msg "Moving /bin/bash to /bin/bash.$TIME: "
    
    sudo /bin/mv -vf /bin/bash "/bin/bash.$TIME" || die "Failed to move /bin/bash to /bin/bash.$TIME"
    
    msg "Installing build/Release/bash to /bin/bash: "
    
    sudo cp -v build/Release/bash /bin/bash
    
    if [ "$?" != "0" ]
    then
    	sudo mv -vf "/bin/bash.$TIME" /bin/bash
    	die "Failed to move build/Release/bash to /bin/bash. Restored /bin/bash.$TIME to /bin/bash"
    fi
    
    ##################################################################################################
    
    msg "Moving /bin/sh to /bin/sh.$TIME: "
    
    sudo /bin/mv -vf /bin/sh "/bin/sh.$TIME" || die "Failed to move /bin/sh to /bin/sh.$TIME"
    
    msg "Installing build/Release/sh to /bin/sh: "
    
    sudo cp -v build/Release/sh /bin/sh
    
    if [ "$?" != "0" ]
    then
    	sudo mv -vf "/bin/sh.$TIME" /bin/sh
    	die "Failed to move build/Release/sh to /bin/sh. Restored /bin/sh.$TIME to /bin/sh"
    fi
    
    ##################################################################################################
    
    msg "Removing executable bit from /bin/bash.$TIME"
    
    sudo /bin/chmod a-x "/bin/bash.$TIME" \
    	|| msg "WARNING: Failed to remove executable bit from /bin/bash.$TIME"
    
    msg "Removing executable bit from /bin/sh.$TIME"
    
    sudo /bin/chmod a-x "/bin/sh.$TIME" \
    	|| msg "WARNING: Failed to remove executable bit from /bin/sh.$TIME"
    
    msg "$NAME has finished successfully."
    
    read "?Do you want to move $ORIG_DIR to ~/.Trash/? [Y/n] " ANSWER
    
    case "$ANSWER" in
    	N*|n*)
    		echo "$NAME: Not moving $ORIG_DIR."
    		exit 0
    	;;
    
    	*)
    		# $ORIG_DIR is an absolute path, so only its last component (zsh ":t")
    		# is used for the name inside ~/.Trash
    		mv -vn "$ORIG_DIR" "$HOME/.Trash/${ORIG_DIR:t}.$EPOCHSECONDS"
    		exit 0
    	;;
    esac
    
    exit
    #
    #EOF