oss-sec mailing list archives

Re: New Linux LPE via GSMIOC_SETCONF_DLCI?

From: Solar Designer <solar () openwall com>
Date: Wed, 10 Apr 2024 23:14:57 +0200

On Wed, Apr 10, 2024 at 09:56:33PM +0200, Dr. Christopher Kunz wrote:

1. YuriiCrimson's version (April 6-ish)

It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu 
and Debians, but is stopped by LKRG.

PoC and writeup are here: 
https://github.com/YuriiCrimson/ExploitGSM/tree/main


According to YuriiCrimson:

https://twitter.com/YuriiCrimson/status/1778163455075217443

"Exploit 6.4 - 6.5 using race condition in gsm_dlci_config.
Exploit for 5.15 - 6.5. using race condition in
gsm_dlci_open->gsm_modem_update->gsm_modem_upd_via_msc->gsm_control_wait.
We just waiting on gsm_cobtrol_wait and restart config for make free
dlci)). So it two zero days."

3. ZDI-24-020 / CVE-2023-6546 (January)

This also exploits a race condition resulting UAF in the gsm_dlci struct. 
It's a little older.

Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/

What do you make of this?


So it sounds like there are 3 different bugs recently found in this same
subsystem.  Perhaps someone can follow up with links to relevant commits.

Alexander

Current thread:

New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 10)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 10)
  - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 16)
    - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Greg KH (Apr 16)
    - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 17)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Donald Buczek (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
  - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 11)
    - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
    - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
    - Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)