Bzip2 (bzexe): race condition (CVE-2011-4089)

Sun, 06 Nov 2011 17:14:53 +0100
Tags: security

bzexe (a shell script provided by the bzip2 package) in used to compress executables (ELF file), and have them automatically uncompressed and executed when you run them. Here is an example with the "dd" command:

# file /bin/dd
/bin/dd:  ELF 64-bit LSB executable, x86-64, ...
# bzexe /bin/dd
  /bin/dd:  2.035:1,  3.931 bits/byte, 50.87% saved, 53240 in, 26158 out.
# dd --version
dd (coreutils) 8.5             << now "dd" uncompress itself and get executed

A while ago, I reported a bug to Debian, because I found that the decompression phase was prone to a race condition vulnerability. The problem has been (over)described in the original Debian's bug report (BUG#632862) and on the full-disclosure list (link1, link2).

Because bzexe is rarely used, I didn't wrote a PoC. But when I saw a bunch of people that wrote their own exploits (link3, link4 and link5), I finally decided to wrote one! It uses the Inotify API to give it the best chances to win the race and on my Dual-core, it actually always succeed!

The 22 first lines of a bzexe's compressed program are always the same and match a MD5 fingerprint equal to "614839de3a0d08efc32e16041a22c7da". Therefore, in order to find all the vulnerable programs on a system, execute the following:

for f in $(find /{,usr/}{bin,sbin} -type f); do 
  CS="$(head -22 ${f}|md5sum)"
  [ "${CS%% *}" = "614839de3a0d08efc32e16041a22c7da" ] &&
    echo ${f}

Other references: