Published: 16/04/2014 Updated: 17/04/2014
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
VMScore: 465
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The bzexe command in bzip2 1.0.5 and previous versions generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
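The temporary-directory handling described in the summary, contrasted with a hardened form. This is an added illustration, not bzexe's code or the vendor fix; the function names, the `unpack.` prefix and the `DECOMPRESS` variable are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and the unpack.* prefix are hypothetical.

# Weak pattern: a predictable path plus "mkdir -p", which also succeeds when
# the directory already exists, so a directory prepared by another local
# user is accepted without complaint.
weak_dir() {
    mkdir -p "$1" && printf '%s\n' "$1"
}

# Hardened pattern: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700; it never reuses an existing path.
private_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/unpack.XXXXXXXXXX") || return 1
    # Defence in depth: a real directory (not a symlink) that we own.
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        return 1
    fi
    printf '%s\n' "$d"
}

# Decompress $1 into a private directory, run it with the remaining
# arguments, clean up, and return the program's exit status.
# DECOMPRESS is an assumed knob so the sketch can be tried without bzip2.
unpack_and_run() (
    payload=$1; shift
    dir=$(private_dir) || exit 125
    trap 'rm -rf "$dir"' EXIT
    umask 077
    set -C                      # noclobber: ">" refuses an existing file
    ${DECOMPRESS:-bzip2 -cd} < "$payload" > "$dir/prog" || exit 125
    chmod 700 "$dir/prog"
    "$dir/prog" "$@"
)
```

The body of `unpack_and_run` is a subshell, so the `umask`, `set -C` and `trap` settings do not leak into the caller.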

Affected Products

Vendor | Product | Versions
Bzip | Bzip2 | 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4

Vendor Advisories

Debian Bug report logs - #632862
insecure temporary file creation (bzexe)
Package: bzip2; Maintainer for bzip2 is Anibal Monsalve Salazar <anibal@debian.org>; Source for bzip2 is src:bzip2
Reported by: vladz <vladz@devzero.fr>
Date: Wed, 6 Jul 2011 15:21:02 UTC
Severity: normal
Tags: security ...
Executables compressed by bzexe could be made to run programs as your login ...


/* bzexec_PoC.c -- bzip2 (bzexe) race condition PoC
Author: vladz (vladzdevzerofr)
Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)
This PoC exploits a race condition in the bzexe script. This tool is rarely used so I wasn't supposed to write an exploit. But some people on the full-disclosure list had doubts ...