Published: 16/04/2014 Updated: 17/04/2014

CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9

VMScore: 465

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

The bzexe command in bzip2 1.0.5 and previous versions generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

Vulnerable Product	Search on Vulmon	Subscribe to Product
bzip bzip2 1.0
bzip bzip2 1.0.3
bzip bzip2
bzip bzip2 1.0.2
bzip bzip2 1.0.1

Debian Bug report logs - #632862 insecure temporary file creation (bzexe) Package: bzip2; Maintainer for bzip2 is Anibal Monsalve Salazar <anibal@debianorg>; Source for bzip2 is src:bzip2 (PTS, buildd, popcon) Reported by: vladz <vladz@devzerofr> Date: Wed, 6 Jul 2011 15:21:02 UTC Severity: normal Tags: security ...

Executables compressed by bzexe could be made to run programs as your login ...

/* bzexec_PoCc -- bzip2 (bzexe) race condition PoC Author: vladz (vladzdevzerofr) Tested on: Debian 603 up to date (bzip2 version 105-6) This PoC exploits a race condition in the bzexe script This tool is rarely used so I wasn't supposed to write an exploit But some people on the full-disclosure list had doubts ...

CWE-264 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862 http://www.exploit-db.com/exploits/18147 http://seclists.org/fulldisclosure/2011/Oct/804 http://www.openwall.com/lists/oss-security/2011/10/28/16 http://www.ubuntu.com/usn/USN-1308-1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862 https://usn.ubuntu.com/1308-1/https://nvd.nist.gov https://www.exploit-db.com/exploits/18147/

CVE-2011-4089

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

References

Vulmon Search

About

Products

Connect