The 2016 Pwnie Nominee For Best Privilege Escalation Bug

Linux iovec overrun memory corruption (CVE-2015-1805)

Credit: RedHat, Solar Designer, Keen Security Lab of Tencent, @dosomder

This isn’t something that you see often. Solar Designer wrote:

Red Hat’s description includes the usual wording:

“A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.” I’d like to know how. “Crash the system” will do. Thanks.

… and then @idl3r, @returnsme, and @nwmonster from the Keen Security Lab of Tencent showed him how. This spurred Google into releasing their first ever out-of-band patch to address the vulnerability. Then @dosomder finished the job with a complete rooting tool based on it. In what shouldn’t have been a surprise to anyone, Android malware started abusing this exploit in the wild. They just grow up so quickly these days…
