Written by two experienced penetration testers the material presented discusses the basics of the OS X environment and its vulnerabilities. Including but limited to; application porting, virtualization utilization and offensive tactics at the kernel, OS and wireless level. This book provides a comprehensive in-depth guide to exploiting and compromising the OS X platform while offering the necessary defense and countermeasure techniques that can be used to stop hackers. As a resource to the reader, the companion website will provide links from the authors, commentary and updates.
The book is a like a slimmed-down version of Hacking Exposed for the Mac. Country of Publication: US Dimensions cm : Help Centre. Track My Order. My Wishlist Sign In Join. Do I need this patch if I'm running Hamachi?
Does that count as dangerous remote access? Thanks for the link. I'd patch if I were you. DHCP has been proven to be exploitable by this, and that's likely a part of Hamachi.
Hi there, I am on Mountain Lion, and Vulnerable. For me there is really the need to fix it due to my work ;. Niek, there's someone higher up the list with an older version like you and me. Thanks Justin and Bryan, top tips!
The file "BSD. I'm too having the same error. I'm running Mac OSX Even downloaded and manually installed command line tools for os x Running Every step works except the xcodebuild that results in:. Thanks, everything worked perfectly.
One question: I'm now left with a visible folder in my home directory called bash-fix. Is it safe to delete that, or if that where the now updated version of bash is living? When I ran through the Terminal steps described in your article and ran the line command to check if my system was still vulnerable, I got the following response:.
Even if you don't understand what that means, it's easy to fix. Just install them by doing the following:. Once installed, quit your terminal window, delete the bash-fix folder from your user home folder, and start again from the beginning. I've updated the article to reflect this. I downloaded Xcode, opened it no problem, did all the steps above and updated my bash, then reset the default But I still get 'vulnerable' this i a test. I also closed terminal rechecked the version, which is correct, and still the test says vulnerable. Any ideas? Wondering even though it shows the newest version and it stills says vulnerable if I can simply go back through the whole process exactly the same way or if I should do some stop gap measure.
Have yet to try on my snow leopard Imac. Chances are something didn't copy over correctly. Excellent detailed instructions and advice. Did everything as stated above, worked great, until the very end. This is what I get when I run the test the final time:. The error statement is what you want to see. It means that an attempt to exploit your system threw an error instead of executing the exploit. What directory should the commands in Step 1, Step 2, etc. Does it matter?
That error will not effect the fix included here, but I found I could remove it the error! In Terminal you will first need to create the Xcode folder:- ie. Then create BSD. There is a new patch out 3. An additional step has been added to the instructions in this article to fix it. If you already ran this patch, all you have to do is delete your bash-fix folder from your user directory and follow the instructions from step 1. Sounds like you may not have Xcode or the Command Line Tools installed. Check out the Prerequisites section in the article above.
Try typing this command, then try again:. Very unlikely, but if you'd like to be certain, this patch can be totally reversed by simply entering the following two commands in Terminal to restore the backup you made in step 3 above, before installing Apple's patch once it's finally made available :.
Should i just delete that with normal Finder Trash? So even though I haven't yet installed the second-level patch, my 3. I do not have the expertise to do this myself Eh, I think I can answer my own question here! This will produce files which will run in 32 and 64 bit modes as appropriate for the machine boot mode I'm working on Leopard I thought that maybe they were packed up inside of Xcode by default so I was like "hey lets try it anyway".
First off the bash build doesn't download, returns with an error for some reason. Something about SSL encryption not recognizing a certificate. Said "off with that" and just downloaded and put the bash folder into bash-fix. Is there a workaround?
I'm not a programmer and I can't type a line of code in a million years so if I'm doing something wrong I likely don't even know what, but the fact that it did not find the "seq" command leads me to believe that Xcode 3. Is there a way to get them externally?
I haven't been able to try this myself, but a little searching turned up this little terminal command to get it to download the xcode command line tools. Let me know if it doesn't work. Alex, see my response to Norman below. I'm on an older machine running OS The procedure fails for me at line 3 of step 1 with the following error:.
I don't know what any of this means. I can put that url in Safari which downloads 2 files: bash Now what do I do?
Update: Well I read further down in the instructions and manually ran tar. The file in my directory did not have the. So I guess I'm missing the command line tool, "seq" This appears to be the same problem Alex is having. You're missing the " -" space, minus sign that should be at the end of that command. I don't know when this command became available for OS X, but it certainly isn't on my fully patched Leopard system. Then repeat that command with instead of , and instead of You must do them in the proper order!
Ok so here I'm getting another error, actually the same SSL certificate error I was getting earlier :. Tried adding "-k" at the end of the pasted line of code, did not work, returned the same text as above.
So like this:. Personally, I did not have any SSL certificate issue getting the patches themselves — just when pulling the base bash kit from Apple's servers. Obviously you are getting an error, so something must be different on your system older certificate authority info in your keychain, older version of OS X, not the same OS X security patches, etc. Based on the output you showed in your second screenshot, it appears that the version of xcode-select you have on your system didn't understand what "—install" means as an option. Can you tell us which version of OS X you are trying this on, and what the version of Xcode is launch the Xcode application, then choose the "About Xcode" option from the Xcode menu?
Ok, just checked, so first off, my version of OSX is Leopard My version of Xcode is 3. The -k thing before curl did work, I was able to download all the files directly from the Terminal. The -seq workaround worked as well, and I was able to download the patches directly from the Terminal too.
Written by two experienced penetration testers the material presented discusses the basics of the OS X environment and its vulnerabilities. Including but limited. Editorial Reviews. Review. "Authors Robert Bathurst, Russ Rogers and Alijohn Ghassemlouei detail the fundamentals of the OS X environment and its many.