tl;dr: OS X is not vulnerable to shellshock exploitation via DHCP. So the shellshock bug is kinda nasty for anything running bash, particularly if you have services like Apache (and particularly with CGI scripts that use bash) open to the world. There are already active remote exploits as well as local exploits that target applications like VMWare Fusion (example). OS X comes with a vulnerable bash, and if you don’t want to wait (e.g. you are running Apache to the world) then you can update using these instructions. Now since DHCPclient implementations on Linux can be vulnerable this raises the question as to whether OS X is vulnerable to an attack via DHCP https://twitter.com/diodesign/status/515217019008856064 Looking at the Apple write of bootp (which handles BOOTP and DHCP in OS X starting with 10.0 and also looking into 10.1 and 10.9.4 (the latest for which source is downloadable), there are no calls to
system() so we’re all good on that front. There is, however, in all of them, a call to popen, which sits inside
tftp_get(). Thanks to Joe Vennix for pointing this out: https://twitter.com/joevennix/status/515254979473321984 Reading the man page for popen() reveals: > The command argument is a pointer to a null-terminated string containing a shell command line. This command is passed to /bin/sh, using the -c flag; interpretation, if any, is performed by the shell. That is called in the version supplied with 10.0:
./bsdpc.tproj/bsdpc.c: local_filename = tftp_get(inet_ntoa(server), path, &len, 5); Reader ErichL (see comments) points out that early versions of OS X (actually 10.0-10.2, not 10.3) didn’t come with bash, and Alastair points out that while the login shell was tcsh, the system shell was probably BSD’s Bourne shell, also not the GNU project’s Bourne Again SHell (which fits with the BSD heritage of OS X). So 10.0 isn’t affected.
tftp_get() function is not called in the version supplied with 10.1, nor in 10.9.4 (and I assume fairly safely everwhere in between). Reader ErichL further points out that 10.8+ use configd instead of bootp (the software) and checking that code doesn’t reveal any system or popen calls. I’ve also tested the latest developer build of 10.10 (Yosemite) using some OS X-supplied DTrace magic, which reveals no spawning of bash or sh under a normal DHCP connection (i.e. no fancy options). The commands I used for checking are:
sudo execsnoop -c sh
sudo execsnoop -c bash I hope the above has been of some help getting to grips with shellshock on OS X and welcome feedback on this blog, or if it pertains to the patch script then leave a comment on the gist itself. Kudos and thanks to Yinette and Rob for their hard work on shellshock more generally.