The 2021 Pwnie Nominee For Best Privilege Escalation Bug

New old bugs in Linux kernel

Researcher Name: Jeffball

Link: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html

CVE: CVE-2021-27363 CVE-2021-27364 CVE-2021-27365

An RDMA kernel module used by iSCSI can be loaded by an unprivileged user. The module returns a kernel pointer as a handle, which leaks a kernel address and allows KASLR to be bypassed. A sprintf call results in a heap buffer overflow, allowing us to overwrite an ib_iser transport struct. Heap grooming is done with POSIX message queues.

The exploit bypasses KASLR and is not affected by SMEP, SMAP, or KPTI. The bugs were introduced into the mainline kernel in 2006 and are present and exploitable out of the box on many Red Hat-based installations (all workstations, some servers).