bash, OS X dhcp, and you

tl;dr: OS X is not vulnerable to shellshock exploitation via DHCP. So the shellshock bug is kinda nasty for anything running bash, particularly if you have services like Apache (and particularly with CGI scripts that use bash) open to the world. There are already active remote exploits as well as local exploits that target applications like VMWare Fusion (example). OS X comes with a vulnerable bash, and if you don’t want to wait (e.g. you are running Apache to the world) then you can update using these instructions. Now since DHCPclient implementations on Linux can be vulnerable this raises the question as to whether OS X is vulnerable to an attack via DHCP https://twitter.com/diodesign/status/515217019008856064 Looking at the Apple write of bootp (which handles BOOTP and DHCP in OS X starting with 10.0 and also looking into 10.1 and 10.9.4 (the latest for which source is downloadable), there are no calls to system() so we’re all good on that front. There is, however, in all of them, a call to popen, which sits inside tftp_get(). Thanks to Joe Vennix for pointing this out: https://twitter.com/joevennix/status/515254979473321984 Reading the man page for popen() reveals: > The command argument is a pointer to a null-terminated string containing a shell command line. This command is passed to /bin/sh, using the -c flag; interpretation, if any, is performed by the shell. That is called in the version supplied with 10.0: ./bsdpc.tproj/bsdpc.c: local_filename = tftp_get(inet_ntoa(server), path, &len, 5); Reader ErichL (see comments) points out that early versions of OS X (actually 10.0-10.2, not 10.3) didn’t come with bash, and Alastair points out that while the login shell was tcsh, the system shell was probably BSD’s Bourne shell, also not the GNU project’s Bourne Again SHell (which fits with the BSD heritage of OS X). So 10.0 isn’t affected.

The tftp_get() function is not called in the version supplied with 10.1, nor in 10.9.4 (and I assume fairly safely everwhere in between). Reader ErichL further points out that 10.8+ use configd instead of bootp (the software) and checking that code doesn’t reveal any system or popen calls. I’ve also tested the latest developer build of 10.10 (Yosemite) using some OS X-supplied DTrace magic, which reveals no spawning of bash or sh under a normal DHCP connection (i.e. no fancy options). The commands I used for checking are: sudo execsnoop -c sh sudo execsnoop -c bash I hope the above has been of some help getting to grips with shellshock on OS X and welcome feedback on this blog, or if it pertains to the patch script then leave a comment on the gist itself. Kudos and thanks to Yinette and Rob for their hard work on shellshock more generally.

6 thoughts on “bash, OS X dhcp, and you

  1. Correct me if I’m wrong, but everything I gathered from 10.8 and 10.9’s (and iOS) DHCP client is that it runs in the configd process. The BOOTP daemon isn’t even running and only exists AFAIK for backwards compatibility.

    Also noteworthy is that 10.0-10.3 IIRC don’t even include the Bash shell and the default shell is tcsh.

    1. It wouldn’t have run tcsh though. tcsh was the default *login* shell, not the system Bourne shell. It would have run /bin/sh, which I think (prior to Bash) used to be the BSD version of the Bourne shell. It wouldn’t have been vulnerable to this issue.

      1. Yeah that does make more sense. I distinctly remember on OS X back in those days, the first thing I did was install Bash. Honestly, I couldn’t exactly recall what shell it was, just that it didn’t work as I expected so I didn’t spend much time figuring out what shell it was and promptly kicked it to the curb in favor of Bash.

Leave a Reply

Your email address will not be published. Required fields are marked *