{"uuid": "e42c834b-9a9c-45c8-a091-8a06f745a4d7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-6546", "type": "published-proof-of-concept", "source": "https://t.me/linkersec/239", "content": "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)\n\nAn article by Nassim Asrir about exploiting a race condition that leads to a kmalloc-1k use-after-free in the n_gsm TTY line discipline module.\n\nIn the exploit, the researcher overwrote the freed object, gained an arbitrary function call with a controlled argument primitive, and escalated privileges by spawning a userspace process via run_cmd.\n\nThe exploit bypasses KASLR by leaking the kernel address from world-readable /sys/kernel/notes. This is a separate vulnerability that still affects up-to-date kernels that enable CONFIG_XEN_PV.\n\nTo bypass SMAP, the author used a novel technique of filling the kernfs_pr_cont_buf global variable with controlled data from userspace. The data is supplied as the path to a cgroup filter created via iptables, whose use requires unprivileged user namespaces.\n\nThe repository with the exploit also contains a set of scripts for automatically extracting symbol offsets for Ubuntu, CentOS, and RHEL kernels.", "creation_timestamp": "2024-01-22T19:10:41.000000Z"}