Tag Archives: security

Bash vulnerability – fix for Mac owners

In the last few days we heard about a really dangerous hole in almost any system running Linux/Unix. Why is it so dangerous? Because it enables hackers to execute commands to take over servers and systems. Heartbleed, by contrast, leaked users’ passwords and other sensitive information, and did not allow third parties to directly hijack affected systems.

Because of this, it is HIGHLY recommended to update any Linux/Unix system quickly.

Because there is no official patch for Mac owners, they are still unsecured. But there is a slightly trickier way to do it yourself.

Let's start:

1. Check if your system is vulnerable by entering this command in Terminal:

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you see

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

it means you are secured (at the time of writing this post, only partially).
If you see “vulnerable”, you need to apply the patch. OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51.

2. Check the bash version

$ bash --version

You should see this:

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

4. Check if you have Xcode installed. If not, install it from the App Store. Once it is installed, do this:

a. With Xcode open, click the Xcode menu in your top menu bar.
b. Click Preferences.
c. Click the Downloads tab.
d. Click Install next to the Command Line Tools in the list of downloads.

Note: If you don’t see “Command Line Tools” in the downloads tab, then that means you’ve already got them and are ready to go!

5. Follow these steps to update bash:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0  
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old # make copy of old bash
$ sudo cp /bin/sh /bin/sh.old # make copy of old sh
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

For security reasons, and after testing, remove the execute permission from the old versions to ensure they aren’t re-used.

$ sudo chmod a-x /bin/bash.old /bin/sh.old

Go back to point 1 and run the same test. It should pass now.
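
Added example, not part of the original post: the step 1 test wrapped in a function so it can be pointed at one specific binary (for instance `build/Release/bash` before it is copied to `/bin`, or `/bin/sh` afterwards) instead of whichever `bash` comes first on `PATH`. The names `classify_probe_output` and `check_shell` are made up for this example, and it checks only what the step 1 command checks.

```shell
#!/bin/sh
# Usage (paths taken from the steps above):
#   sh check.sh /bin/bash /bin/sh build/Release/bash build/Release/sh

# classify_probe_output TEXT
# Pure helper: decide what the stdout of the step 1 probe means.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;      # the injected echo ran
        *hello*)      echo "not-vulnerable" ;;  # only the intended command ran
        *)            echo "unknown" ;;         # shell did not run the probe at all
    esac
}

# check_shell PATH
# Runs the step 1 probe against PATH and prints one of:
#   vulnerable | not-vulnerable | unknown | missing
# Exit status: 0 only when the result is "not-vulnerable".
check_shell() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 2
    fi
    # Same environment variable and command as step 1. stderr is dropped
    # because a patched 3.2 build prints its warnings there; only stdout
    # shows whether the trailing command was executed.
    _out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) || true
    _verdict=$(classify_probe_output "$_out")
    echo "$_verdict"
    [ "$_verdict" = "not-vulnerable" ]
}

# Check every path given on the command line; with no arguments nothing runs.
for _shell in "$@"; do
    printf '%-24s %s\n' "$_shell" "$(check_shell "$_shell")"
done
```

Running it on the freshly built binaries before the two `sudo cp build/Release/...` commands confirms the patches were applied to what is about to be installed.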

Thanks to Milton Keynes for the tip.

SkipFish – a nice web application security reconnaissance tool

All, or almost all, companies face the problem of securing their websites. Usually, after some quick research, they decide to hire a security specialist or a security company to help them solve potential security issues. But from time to time we can find some nice tools on the web which can make this easier or which can notify us about potential problems.

One of those tools is SkipFish. According to its author:

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

I really recommend this tool. You can find it at https://code.google.com/p/skipfish/
