CVE-2023-6546 PoC Exploit: A Gateway to Linux System Takeover
Cybersecurity researcher Nassim Asrir has released details and a proof-of-concept (PoC) exploit for a high-severity vulnerability, CVE-2023-6546, that affects Linux kernel versions before 6.5-rc7. The vulnerability has been rated 8.8 on the Common Vulnerability Scoring System (CVSS), reflecting its severity.
At the core of this vulnerability is a race condition in the GSM 0710 TTY multiplexor of the Linux kernel. The flaw is triggered when two threads concurrently execute the GSMIOC_SETCONF ioctl on the same TTY file descriptor, producing a use-after-free (UAF) on a struct gsm_dlci during the restart of the GSM mux and paving the way for privilege escalation and kernel-level code execution.
This kernel flaw is not just a theoretical concern. It poses a tangible threat, enabling a local unprivileged user to escalate privileges and execute code in the kernel’s context. The exploitation of this vulnerability can lead to a complete system takeover, giving attackers the power to perform any action on the vulnerable system.
The bug is rooted in the n_gsm TTY line discipline, a component designed for GSM modems. A significant change in Linux kernel version 4.13, involving the timer interfaces and the introduction of the gsm_disconnect function, inadvertently set the stage for this vulnerability: the restructured mux restart code is where the flaw originates.
Nassim Asrir has not only discovered CVE-2023-6546 but also released a proof-of-concept (PoC) exploit. The exploit is a binary executable that triggers the race condition and spawns a root shell, demonstrating the practical risk posed by the vulnerability. It specifically targets multi-core systems with Symmetric Multiprocessing (SMP) enabled, so systems running Ubuntu 18.04 and 20.04 LTS, CentOS 8, and RHEL 8 should be particularly vigilant.
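As an added defender-side triage example (not the researcher's PoC and not code from the original article), the POSIX shell helper below decides whether a kernel version string falls in the affected range the article gives (before 6.5-rc7) and whether the n_gsm line discipline is loaded or loadable on the host; the function names and the use of modinfo are assumptions of this example.

```sh
#!/bin/sh
# Triage helper for CVE-2023-6546, constructed for this article; it is not
# the researcher's PoC. Version strings are compared against the range the
# article reports (before 6.5-rc7). Distribution kernels backport fixes, so
# treat a version match as a prompt to check the vendor advisory, not proof.

# Returns 0 when the kernel version string is before 6.5-rc7, 1 otherwise.
# Accepts uname -r style input such as "5.15.0-91-generic" or "6.5.0-rc6".
kernel_before_6_5_rc7() {
    v="$1"
    rel=$(printf '%s' "$v" | sed 's/[^0-9.].*//')          # e.g. "6.5.0"
    major=$(printf '%s' "$rel" | cut -d. -f1)
    minor=$(printf '%s' "$rel" | cut -s -d. -f2)
    : "${minor:=0}"
    # release-candidate number if present ("-rc6" -> 6); 0 for a final release
    rc=$(printf '%s' "$v" | sed -n 's/.*-rc\([0-9][0-9]*\).*/\1/p')
    rc=${rc:-0}
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -gt 6 ]; then return 1; fi
    if [ "$minor" -lt 5 ]; then return 0; fi
    if [ "$minor" -gt 5 ]; then return 1; fi
    # 6.5 series: rc1..rc6 are in range; rc7 and the 6.5 release are not
    if [ "$rc" -ge 1 ] && [ "$rc" -lt 7 ]; then return 0; fi
    return 1
}

# Returns 0 if the n_gsm line discipline is loaded or available as a module.
# A kernel with n_gsm built in (CONFIG_N_GSM=y) is not detected this way and
# needs a look at the kernel config instead (assumption of this example).
n_gsm_present() {
    grep -q '^n_gsm ' /proc/modules 2>/dev/null && return 0
    modinfo n_gsm >/dev/null 2>&1
}

# Report on the running host; run as: sh triage.sh --check
report() {
    kv=$(uname -r)
    if kernel_before_6_5_rc7 "$kv"; then
        printf 'kernel %s: in the reported affected range (before 6.5-rc7)\n' "$kv"
    else
        printf 'kernel %s: at or after 6.5-rc7\n' "$kv"
    fi
    if n_gsm_present; then
        printf 'n_gsm is loaded or loadable; review whether GSM mux support is needed\n'
    fi
}
if [ "${1:-}" = "--check" ]; then report; fi
```

The version check is a heuristic only: Ubuntu, CentOS and RHEL kernels keep old base versions while carrying backported fixes, so the authoritative answer comes from the distribution's advisory for this CVE.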