On 4/10/24 21:56, Dr. Christopher Kunz wrote:
> Hello all,
>
> it seems that a new LPE (or two) in the Linux kernel has been dropped. The situation is a bit confusing and after discussing with Alexander off-list, I decided to post the various versions of the bug and the corresponding PoCs.
>
> Maybe we can clear this up together.
>
> 1. YuriiCrimson's version (April 6-ish)
>
> It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu and Debians, but is stopped by LKRG.
Thanks!
For other distros or self-rolled kernels: Depends on CONFIG_N_GSM.
D.
> PoC and writeup are here: https://github.com/YuriiCrimson/ExploitGSM/tree/main
>
> 2. jmpeaux' version (March 21)
>
> This seems similar, also using GSMIOC_SETCONF_DLCI. In the screen shots, even the working dir for the PoC is identical to 1). Yurii claims jmpeaux stole his work.
>
> Writeup: https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
>
> PoC: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main
>
> And then there's
>
> 3. ZDI-24-020 / CVE-2023-6546 (January)
>
> This also exploits a race condition resulting UAF in the gsm_dlci struct. It's a little older.
>
> Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
>
> What do you make of this?
>
> Best regards,
>
> --cku
>
--
Donald Buczek
[email protected]
Tel: +49 30 8413 1433