Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240410211457.GA20881@openwall.com>
Date: Wed, 10 Apr 2024 23:14:57 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: New Linux LPE via GSMIOC_SETCONF_DLCI?

On Wed, Apr 10, 2024 at 09:56:33PM +0200, Dr. Christopher Kunz wrote:
> 1. YuriiCrimson's version (April 6-ish)
> 
> It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu 
> and Debians, but is stopped by LKRG.
> 
> PoC and writeup are here: 
> https://github.com/YuriiCrimson/ExploitGSM/tree/main

According to YuriiCrimson:

https://twitter.com/YuriiCrimson/status/1778163455075217443

"Exploit 6.4 - 6.5 using race condition in gsm_dlci_config.
Exploit for 5.15 - 6.5. using race condition in
gsm_dlci_open->gsm_modem_update->gsm_modem_upd_via_msc->gsm_control_wait.
We just waiting on gsm_cobtrol_wait and restart config for make free
dlci)). So it two zero days."

> 3. ZDI-24-020 / CVE-2023-6546 (January)
> 
> This also exploits a race condition resulting UAF in the gsm_dlci struct. 
> It's a little older.
> 
> Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
> 
> What do you make of this?

So it sounds like there are 3 different bugs recently found in this same
subsystem.  Perhaps someone can follow up with links to relevant commits.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.