
Does this have a CVE yet ?

Open wmealing opened this issue 1 year ago • 5 comments

If you're interested in the process, it is documented in kernel and you can see it here:

https://lwn.net/ml/linux-kernel/2024021314-unwelcome-shrill-690e@gregkh/

wmealing avatar Apr 10 '24 11:04 wmealing

This is CVE-2023-6546 and this repo is sus.

fdellwing avatar Apr 10 '24 12:04 fdellwing

This is CVE-2023-6546 and this repo is sus.

This is not CVE-2023-6546.

YuriiCrimson avatar Apr 10 '24 13:04 YuriiCrimson

This is CVE-2023-6546 and this repo is sus.

This is not CVE-2023-6546.

Trigger looks the same calling GSMIOC_SETCONF with a dangling tty reference.

Also interesting that you happened to find/use the same KASLR leak as the author of CVE-2023-6546, which was not publicly known prior to his exploit? (XEN_NOTE)

https://github.com/Nassim-Asrir/ZDI-24-020/tree/main

lcfr-eth avatar Apr 10 '24 14:04 lcfr-eth

This is CVE-2023-6546 and this repo is sus.

This is not CVE-2023-6546.

Trigger looks the same calling GSMIOC_SETCONF with a dangling tty reference.

Also interesting that you happened to find/use the same KASLR leak as the author of CVE-2023-6546, which was not publicly known prior to his exploit? (XEN_NOTE)

https://github.com/Nassim-Asrir/ZDI-24-020/tree/main

Yes, but race condition in gsm dlci config.

YuriiCrimson avatar Apr 10 '24 14:04 YuriiCrimson

And now I leaked another exploit.

YuriiCrimson avatar Apr 10 '24 14:04 YuriiCrimson

Is that line discipline a module, and can it be blacklisted?

ecki avatar Apr 15 '24 06:04 ecki

Is that line discipline a module, and can it be blacklisted?

Yes, you can alias tty-ldisc-21 off

What I also found is that sysctl dev.tty.ldisc_autoload=0 looks like a good general hardening method in this case.

ecki avatar Apr 15 '24 09:04 ecki
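The two hardening knobs ecki mentions can be audited with a small script. This is an added example, not code from the thread or the repo; the /etc/modprobe.d, /etc/sysctl.d and /proc/sys paths are the usual Linux defaults and are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two n_gsm hardening knobs
# discussed above (alias tty-ldisc-21 off, dev.tty.ldisc_autoload=0).
# Assumes a Linux host; the file paths below are common defaults (assumption).

# Returns 0 if the given modprobe.d text maps line discipline 21 (n_gsm) to "off".
ldisc21_aliased_off() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*alias[[:space:]]+tty-ldisc-21[[:space:]]+off[[:space:]]*$'
}

# Returns 0 if the runtime sysctl value disables line-discipline autoloading.
autoload_disabled() {
    [ "$1" = "0" ]
}

# Returns 0 if the sysctl config text makes ldisc_autoload=0 persistent across reboots.
autoload_persisted() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*dev\.tty\.ldisc_autoload[[:space:]]*=[[:space:]]*0[[:space:]]*$'
}

# Prints one line per check; returns 0 only when every mitigation is in place.
ngsm_hardening_status() {
    modprobe_conf=$1 autoload_now=$2 sysctl_conf=$3 rc=0
    if ldisc21_aliased_off "$modprobe_conf"; then
        echo "ok      alias tty-ldisc-21 off present"
    else
        echo "MISSING alias tty-ldisc-21 off (n_gsm can still be loaded on demand)"; rc=1
    fi
    if autoload_disabled "$autoload_now"; then
        echo "ok      dev.tty.ldisc_autoload=0 (runtime)"
    else
        echo "MISSING dev.tty.ldisc_autoload is '$autoload_now', expected 0"; rc=1
    fi
    if autoload_persisted "$sysctl_conf"; then
        echo "ok      dev.tty.ldisc_autoload=0 persisted in sysctl config"
    else
        echo "WARN    ldisc_autoload=0 not persisted in sysctl config"; rc=1
    fi
    return $rc
}

# Live audit of this host; missing files simply read as empty/unknown.
live_modprobe=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
live_autoload=$(cat /proc/sys/dev/tty/ldisc_autoload 2>/dev/null || echo unknown)
live_sysctl=$(cat /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null || true)
ngsm_hardening_status "$live_modprobe" "$live_autoload" "$live_sysctl" || true
```

A non-zero exit from `ngsm_hardening_status` means at least one of the two mitigations is missing on the host.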

I think it is done.

YuriiCrimson avatar Apr 18 '24 08:04 YuriiCrimson