linux 2014-9-26 10:11
Mac bash shell vulnerability update - Mac bash brew update
Following the Heartbleed vulnerability in OpenSSL that hit Unix-like platforms worldwide last time, Bash now has a serious vulnerability of its own, called Shell Shock. A few hours ago the US government's National Vulnerability Database (NVD) published the advisory for it. It affects the vast majority of Unix-like operating systems, such as Linux, BSD and Mac OS X.

The earlier Heartbleed vulnerability only affected OpenSSL, a program used to encrypt data in transit, and attackers could use it to break into systems. This Shell Shock vulnerability is in Bash, which Linux users and system administrators use all the time, and many versions carry this remote code execution flaw.

If your web server program calls the Bash shell, an attacker can exploit the vulnerability to manipulate its environment variables, run malicious code remotely and obtain data from the system.

How to test your system:
As the system administrator, type this command at a shell prompt:
[quote]
env x='() { :;}; echo XD' bash -c "echo This is a test code"
[/quote]
If it prints "XD", you have the hole and should patch it right away.
If it prints "bash: warning: x: ignoring function definition attempt", you are fine and can log out.

Here is how to update on Mac OS X through brew:
[quote]
$ which bash
/bin/bash
$ /bin/bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
[/quote]
The most current bash is 4.3.25

If you don't have Xcode installed, you'll need the Xcode command line tools, which can be installed by
[quote]
$ xcode-select --install
[/quote]

To update Brew:
[quote]
$ brew update
[/quote]

To get the latest bash 4.3.25:
[quote]
$ brew install bash
[/quote]
This installs bash into /usr/local/Cellar/bash/4.3.25/bin/bash

The old bash and sh still exist in /bin, so after installing you rename the old executables to new file names.
[quote]
$ sudo mv /bin/bash /bin/bash_old
$ sudo mv /bin/sh /bin/sh_old
[/quote]

If you are very paranoid, you can remove execute permissions on bash_old and sh_old:
[quote]
$ sudo chmod a-x /bin/bash_old /bin/sh_old
[/quote]

Then create symbolic links to the new bash 4.3.25 that brew installed:
[quote]
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh
[/quote]

That completes the update... now check again:
[quote]
$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[/quote]

Run the test once more:
[quote]
$ env x='() { :;}; echo XD' bash -c "echo This is a test code"
bash: warning: x: ignoring function definition attempt
bash: 錯誤,輸入的函數定義為 `x'
This is a test code
[/quote]

Finally done... that's a wrap!

How to detect and fix on Linux:
http://dz.adj.idv.tw/thread-148373-1-1.html
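As an added example (not code from the original post), here is a POSIX sh audit helper built around the same probe the post runs by hand. It runs the probe against each bash binary you name, reports a verdict and version per binary, and exits non-zero if any of them executed the injected command, so the same check can be run before and after the brew update or from a scheduled job. The marker string, the function names and the audited paths are this example's own constructed choices. A "patched" verdict means only that this one probe did not fire; it judges by whether the marker was echoed rather than by the warning text the post quotes, because fully patched bash releases no longer treat a variable starting with "() {" as a function and print no warning at all.

```shell
#!/bin/sh
# Added example, not from the original post: audit helper around the post's
# Shellshock probe. SHOCK_MARKER, the function names and the default path
# list are constructed for this example.

SHOCK_MARKER="SHELLSHOCK_PROBE_MARKER"

# classify_output TEXT
# Pure function over captured output, so it can be checked without running bash:
# "vulnerable" if the command injected after the function body ran (the marker
# is present), otherwise "patched".
classify_output() {
    case $1 in
        *"$SHOCK_MARKER"*) echo vulnerable ;;
        *)                 echo patched ;;
    esac
}

# shellshock_probe PATH
# Prints "missing" if PATH is not executable, else the classify_output verdict.
shellshock_probe() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # Same probe as the post: an environment variable whose value looks like an
    # exported function definition with a trailing command. A vulnerable bash
    # executes the trailing command while importing its environment; a patched
    # one only runs the -c script.
    out=$(env x="() { :;}; echo $SHOCK_MARKER" "$bin" -c 'echo probe-done' 2>&1)
    classify_output "$out"
}

# bash_version PATH
# First line of `PATH --version` (e.g. "GNU bash, version 4.3.25(1)-release ..."),
# "unknown" if the binary prints no version, "missing" if it is not executable.
bash_version() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    v=$("$1" --version 2>/dev/null | head -n 1)
    echo "${v:-unknown}"
}

# audit_bash_binaries PATH...
# One line per binary: "<path> <verdict> <version>". Returns 1 if any binary
# is vulnerable, so the function can gate a cron job or CI step.
audit_bash_binaries() {
    rc=0
    for bin in "$@"; do
        verdict=$(shellshock_probe "$bin")
        [ "$verdict" = vulnerable ] && rc=1
        echo "$bin $verdict $(bash_version "$bin")"
    done
    return $rc
}

# Audit the paths the post works with: the system bash and sh in /bin and the
# bash that brew links into /usr/local/bin (constructed default list).
if audit_bash_binaries /bin/bash /bin/sh /usr/local/bin/bash; then
    echo "audit result: no vulnerable bash found"
else
    echo "audit result: at least one vulnerable bash found"
fi
```

Run it once before `brew install bash` and once after the symlinks are in place; on a freshly patched machine every line should read "patched", and /bin/sh should now report the 4.3.25 version string rather than the old 3.2.51 one.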