Re: New Linux LPE via GSMIOC_SETCONF_DLCI?

Related Vulnerabilities: CVE-2023-6546  
oss-sec
mailing list archives
From: Greg KH <greg () kroah com>

Date: Wed, 17 Apr 2024 08:19:15 +0200
On Tue, Apr 16, 2024 at 10:16:02PM +0200, Solar Designer wrote:
> On Wed, Apr 10, 2024 at 11:14:57PM +0200, Solar Designer wrote:
> > On Wed, Apr 10, 2024 at 09:56:33PM +0200, Dr. Christopher Kunz wrote:
> > > 1. YuriiCrimson's version (April 6-ish)
> > > 
> > > It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu
> > > and Debians, but is stopped by LKRG.
> > > 
> > > PoC and writeup are here:
> > > https://github.com/YuriiCrimson/ExploitGSM/tree/main
> > > 
> > > According to YuriiCrimson:
> > > 
> > > https://twitter.com/YuriiCrimson/status/1778163455075217443
> > > 
> > > "Exploit 6.4 - 6.5 using race condition in gsm_dlci_config.
> > > Exploit for 5.15 - 6.5. using race condition in
> > > gsm_dlci_open->gsm_modem_update->gsm_modem_upd_via_msc->gsm_control_wait.
> > > We just waiting on gsm_control_wait and restart config for make free
> > > dlci)). So it's two zero days."
> > > 
> > > 3. ZDI-24-020 / CVE-2023-6546 (January)
> > > 
> > > This also exploits a race condition resulting in a UAF in the gsm_dlci struct.
> > > It's a little older.
> > > 
> > > Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
> > > 
> > > What do you make of this?
> > 
> > So it sounds like there are 3 different bugs recently found in this same
> > subsystem.  Perhaps someone can follow up with links to relevant commits.
> 
> I'm puzzled by the lack of follow-ups on this, but anyway @FFFVR_
> tweeted they also found (more) vulnerabilities in the n_gsm driver:
> 
> https://twitter.com/FFFVR_/status/1778244738833080571

There have been lots of bugs in this driver once people started running
fuzzing on the code, which is why we applied the following patch last
year as you mention:

> Also relevant is this mainline commit from August 2023:
> 
> tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67c37756898a
> 
> which is now being backported to stable/longterm kernels:

It's now in the following released kernels:
        4.19.312 5.4.274 5.10.215 5.15.155 6.1.86 6.6

If people are curious about helping out, here's a good summary of the
issues involved from the current maintainer of the driver:
        https://lore.kernel.org/r/DB9PR10MB5881D2170678C169FB42A423E0082 () DB9PR10MB5881 EURPRD10 PROD OUTLOOK COM

> Subject: Backport of 67c37756898a ("tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc") to older stable
> series? (at least 6.1.y)
> https://lore.kernel.org/stable/ZhbiWp9DexB_gJh_ () eldamar lan/
> 
> Since there are multiple known unfixed bugs in this driver and since it
> poses unjustified risk on most systems anyway, here are some mitigations
> we can apply:
> 
> 1. At kernel build time, don't enable CONFIG_N_GSM.

I recommend this one, almost no one has this hardware, it is very
specialized, so unless you have hardware that requires it, don't use it.

thanks,

greg k-h
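The practical question raised in this message is whether a given kernel still lets an unprivileged user reach the n_gsm driver at all, i.e. whether the CAP_NET_ADMIN check from 67c37756898a (or a CONFIG_N_GSM=n build) is in place. The following probe is an added example written for this archive page; it is not code from Greg KH, from the thread, or from any of the linked PoCs, and it exercises no bug: it only opens a fresh pseudo-terminal and asks the kernel, via TIOCSETD, to attach line discipline N_GSM0710 as the calling user, then classifies the result. Assumptions, marked in the comments: the fallback value N_GSM0710 = 21 matches the kernel's uapi <linux/tty.h>; EPERM is read as "denied", which also covers the case where dev.tty.ldisc_autoload=0 and the module is not yet loaded, so a DENIED result on a kernel that still has the driver built as a module is not by itself proof that the CAP_NET_ADMIN backport is present; EINVAL is read as "line discipline unavailable".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* Line discipline numbers from the kernel's uapi <linux/tty.h>, defined
 * here as a fallback so this builds without kernel headers (assumption:
 * N_GSM0710 is 21, N_TTY is 0). */
#ifndef N_TTY
#define N_TTY 0
#endif
#ifndef N_GSM0710
#define N_GSM0710 21
#endif

enum gsm_probe {
    GSM_ATTACHED,   /* attach succeeded for an unprivileged caller: driver reachable */
    GSM_DENIED,     /* EPERM: CAP_NET_ADMIN check, or ldisc autoload disabled
                       (dev.tty.ldisc_autoload=0) with the module not loaded */
    GSM_NOT_BUILT,  /* EINVAL: no n_gsm line discipline registered or loadable */
    GSM_OTHER       /* no pty available, not Linux, or an unexpected errno */
};

/* Pure classification of a TIOCSETD result, kept apart from the syscalls so
 * it can be checked without a tty. rc is the ioctl return value, err the errno. */
enum gsm_probe classify_setd_result(int rc, int err)
{
    if (rc == 0)
        return GSM_ATTACHED;
    switch (err) {
    case EPERM:
        return GSM_DENIED;
    case EINVAL:
        return GSM_NOT_BUILT;
    default:
        return GSM_OTHER;
    }
}

const char *gsm_probe_name(enum gsm_probe p)
{
    static const char *const names[] = {
        "ATTACHED: unprivileged user can attach N_GSM0710 (driver reachable)",
        "DENIED: EPERM, CAP_NET_ADMIN required or ldisc autoload disabled",
        "NOT_BUILT: EINVAL, n_gsm line discipline unavailable",
        "OTHER: could not run the probe",
    };
    return names[p];
}

/* Open a fresh pseudo-terminal pair and try to set N_GSM0710 on the slave
 * side as the calling user. Returns the outcome; *err_out receives the errno
 * of the failing call, or 0. If the attach succeeds the N_TTY discipline is
 * restored before the descriptors are closed. */
enum gsm_probe probe_n_gsm(int *err_out)
{
    int err = 0;
    enum gsm_probe result = GSM_OTHER;
#ifdef TIOCSETD
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) {
        err = errno;
    } else if (grantpt(master) < 0 || unlockpt(master) < 0) {
        err = errno;
    } else {
        const char *name = ptsname(master);
        int slave = name ? open(name, O_RDWR | O_NOCTTY) : -1;
        if (slave < 0) {
            err = errno;
        } else {
            int ldisc = N_GSM0710;
            int rc = ioctl(slave, TIOCSETD, &ldisc);
            err = rc ? errno : 0;
            result = classify_setd_result(rc, err);
            if (rc == 0) {
                ldisc = N_TTY;                 /* detach again, leave the pty sane */
                ioctl(slave, TIOCSETD, &ldisc);
            }
            close(slave);
        }
    }
    if (master >= 0)
        close(master);
#else
    err = ENOSYS;                              /* TIOCSETD is Linux-specific */
#endif
    if (err_out)
        *err_out = err;
    return result;
}

int main(void)
{
    int err = 0;
    enum gsm_probe p = probe_n_gsm(&err);
    printf("%s", gsm_probe_name(p));
    if (err)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return p == GSM_ATTACHED ? 1 : 0;   /* non-zero exit = driver exposed */
}
```

Run it as a normal user, not as root, since root holds CAP_NET_ADMIN and would attach regardless of the fix. An ATTACHED result means the mitigations discussed above (CONFIG_N_GSM=n, or a kernel carrying 67c37756898a) are not in effect on that machine.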

Current thread:

New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 10)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 10)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 16)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Greg KH (Apr 16)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Donald Buczek (Apr 11)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 11)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)

Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
