<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
New Linux LPE via GSMIOC_SETCONF_DLCI?
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: "Dr. Christopher Kunz" <info () christopher-kunz de>
Date: Wed, 10 Apr 2024 21:56:33 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello all,
it seems that a new LPE (or two) in the Linux kernel has been dropped. The situation is a bit confusing and after
discussing with Alexander off-list, I decided to post the various versions of the bug and the corresponding PoCs.
Maybe we can clear this up together.
1. YuriiCrimson's version (April 6-ish)
It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu and Debians, but is stopped by LKRG.
PoC and writeup are here: https://github.com/YuriiCrimson/ExploitGSM/tree/main
2. jmpeaux' version (March 21)
This seems similar, also using GSMIOC_SETCONF_DLCI. In the screen shots, even the working dir for the PoC is identical
to 1). Yurii claims jmpeaux stole his work.
Writeup: https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
PoC: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main
And then there's
3. ZDI-24-020 / CVE-2023-6546 (January)
This also exploits a race condition resulting UAF in the gsm_dlci struct. It's a little older.
Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
What do you make of this?
Best regards,
--cku
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 10)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->