On 09/25/14 15:29, Edward Ned Harvey (lopser) wrote:
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Yves Dorfsman
>
> What do you guys do for your OS X non-technical users?
> Give them instructions on how to update bash manually?
> Give them instructions on how to close port 22 and 80 when using public wifi?
> Does anybody have any idea when Apple might release a proper patch?
>
> My opinion: The only way to exploit the bug is to *first* run some malicious
> code that would tweak your environment such that the bug is then being
> exploited. In other words, this bug doesn't expose users to risk of simply
> browsing a malicious website accidentally and compromising your system; this
> bug is a trojan backdoor that needs to first execute some malicious code on
> your system in order to expose the backdoor.
>
> Yes it's a bug to be taken seriously, no I don't recommend building your own
> patched bash. For three reasons:
>
> #1 Suppose you patch bash, and then Apple releases an update. What will be
> the behavior of their updater when it sees your nonstandard binary? I have
> seen times when the updater would clobber a nonstandard file, and I've seen
> times when the updater refuses to operate because there's a nonstandard file
> sitting there. I simply cannot say how Apple's updater would behave in this
> specific scenario.
>
> #2 Even if you patch it, I don't think they've released fully patched source
> code yet for bash. They have instructions to build an updated bash, but it's
> still subject to another variant of the same bug. I am reasonably certain that
> as soon as *fully* patched bash source code is available, Apple will build it
> and distribute it.
>
> #3 In order to exploit this bug, the attacker must execute some malicious code
> on your system *first*, or modify core system files on your system *first*. If
> they can do that, they could exploit this bash backdoor, or any one of numerous
> other possible backdoors.

It's not as simple (or accurate) as that. dhclient that runs on your
machine to pick up IP addresses from a dhcp server runs as root, and
uses bash directly (regardless of what your or root's shell is). I
don't know what OS X does specifically, if they're running a patched
version of dhclient or similar that doesn't explicitly call root.
DHCP servers can pass out environment variables for end hosts to use.
It's a standard configuration thing for dhcp servers, and very easy to
set up. So potentially if you connect to a public wifi endpoint, or your
router is compromised (and there are people actively attacking routers
to set this up), your machine could end up being compromised just
because it asked for an IP address.
That's just *one* attack vector that doesn't require direct access or an
existing compromise on a machine. It's very likely there are other
tools that call bash directly on your machine and some of them might do
so as part of very normal processes that you wouldn't even think of.
Now take a guess at 1) how many people patch their routers regularly,
and 2) how many router companies actually bother to patch their
equipment, 3) how many people have routers that are EOL and not
receiving patches anyway.
In general I would encourage people to be *very* cautious until they
know that the version of bash on their machine has been patched. Given
that today they're still finding ways the patches aren't working
(http://seclists.org/oss-sec/2014/q3/741), we're most definitely not out
of the woods yet.
Paul
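
Two defender-side checks that follow from the discussion above, as an added example that is not code from the thread, from Apple, or from ISC. The first asks a given bash binary whether it still executes a command that trails a function definition imported from the environment (the widely published marker-string diagnostic for this bug); the second scans KEY=VALUE lines, such as the variables a DHCP client hands to its hook script, and lists the keys whose values are shaped like an exported function, so they can be logged or dropped before any script sees them. The variable names in the sample and the function names are illustrative assumptions; the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Two checks for the
# bash environment-function-import bug discussed above.

# check_bash_env_import BASH_PATH
# Prints "patched", "vulnerable" or "missing". A fixed bash imports
# nothing from BASHCHECK; a defective one parses the value as a function
# definition and also runs the trailing echo, which leaks the marker.
check_bash_env_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env BASHCHECK='() { :;}; echo VULN_MARKER' \
            "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *VULN_MARKER*) echo vulnerable; return 1 ;;
        *)             echo patched;    return 0 ;;
    esac
}

# flag_function_values
# Reads KEY=VALUE lines on stdin and prints one flagged KEY per line.
# Rule: the value begins with "() {", optionally after a leading space,
# which is the shape bash accepted as an exported function definition.
flag_function_values() {
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        case "$val" in
            "() {"*|" () {"*) printf '%s\n' "$key" ;;
        esac
    done
}

# Constructed sample in the style of the variables ISC dhclient-script
# exports for its hooks (names illustrative). Two of the values are
# function-shaped; the rest are ordinary option values.
SAMPLE_ENV='new_ip_address=192.0.2.10
new_subnet_mask=255.255.255.0
new_domain_name=() { :;}; echo marker
new_host_name=laptop
new_domain_search=example.test
new_domain_name_servers= () { :;}; echo other'

# Runs the scanner over the constructed sample; returns the flagged keys.
flagged_keys() {
    printf '%s\n' "$SAMPLE_ENV" | flag_function_values
}

# Stand-alone run: report the local bash and the flagged sample keys.
status=$(check_bash_env_import bash || true)
echo "bash status: $status"
echo "flagged variables in sample:"
flagged_keys
```

On a machine where `/bin/sh` is itself bash (the case for OS X of that era), point the first check at `/bin/sh` as well as `/bin/bash`; a hook script with a `#!/bin/sh` line is what a DHCP client actually runs, so the user's login shell is irrelevant, as Paul notes.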
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/