On 4/10/24 21:56, Dr. Christopher Kunz wrote: > Hello all, > > it seems that a new LPE (or two) in the Linux kernel has been dropped. The > situation is a bit confusing and after discussing with Alexander off-list, I > decided to post the various versions of the bug and the corresponding PoCs. > > Maybe we can clear this up together. > > 1. YuriiCrimson's version (April 6-ish) > > It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu > and Debians, but is stopped by LKRG.
Thanks! For other distros or self-rolled kernels: Depends on CONFIG_N_GSM. D. > PoC and writeup are here: https://github.com/YuriiCrimson/ExploitGSM/tree/main > > 2. jmpeaux' version (March 21) > > This seems similar, also using GSMIOC_SETCONF_DLCI. In the screen shots, even > the working dir for the PoC is identical to 1). Yurii claims jmpeaux stole > his work. > > Writeup: https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html > > PoC: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main > > And then there's > > 3. ZDI-24-020 / CVE-2023-6546 (January) > > This also exploits a race condition resulting UAF in the gsm_dlci struct. > It's a little older. > > Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/ > > What do you make of this? > > Best regards, > > --cku > -- Donald Buczek [email protected] Tel: +49 30 8413 1433
