Date: Thu, 11 Apr 2024 16:06:54 +0200
From: Solar Designer
To: oss-security@lists.openwall.com
Message-ID: <20240411140654.GA24980@openwall.com>
References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de>
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?

On Thu, Apr 11, 2024 at 10:32:59AM +0200, Dr. Christopher Kunz wrote:
> on a freshly installed and fully updated default Debian 12 VM (from the
> current netinst iso), the first two exploits yield different results.
> 
> >PoC and writeup are here:
> >https://github.com/YuriiCrimson/ExploitGSM/tree/main
> 
> This, let's call it "Yurii's version", works as advertised:
> 
> $ ./ExploitGSM debian
> kallsyms restricted, begin retvial kallsyms table
> detected kernel path-> /boot/vmlinuz-6.1.0-18-amd64
> detected compressed format -> xz
> Uncompressed kernel size -> 65902908
> successfully taken kernel!
> begin try leak startup_xen!
> startup_xen leaked address  -> ffffffff8c86f1c0
> text leaked address         -> ffffffff8a800000
> lockdep_map_size            -> 32
> spinlock_t_size             -> 4
> mutex_size                  -> 32
> gsm_mux_event_offset -> 56
> Let go thread
> We get root, spawn shell
> root@debianexploitgsm:/root# id
> uid=0(root) gid=0(root) groups=0(root)

There are two exploits in Yurii's repo above, according to Yurii for two
different bugs.  The above is one of them.  Perhaps also try the other?

> With regards to Yurii's PoC, I'd say that this can indeed be classified
> as a working 0day LPE in the default configuration.
> 
> We don't have a CVE for this yet, do we?

I don't know, and apparently it'd need to be two CVEs for two bugs that
Yurii exploits.  Besides the already mentioned CVE-2023-6546, there is:

CVE-2023-52564: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
https://lists.openwall.net/linux-cve-announce/2024/03/02/54

The fixes for both CVE-2023-6546 and CVE-2023-52564 are in
gsm_cleanup_mux(), but they seem to be different changes in there.
Maybe CVE-2023-52564 is one of the bugs Yurii exploits, or maybe not.
I didn't look into this closely enough to tell.

Alexander