CVE-2021-41285
Description
Ballistix MOD Utility through 2.0.2.5 is vulnerable to privilege escalation in the MODAPI.sys driver component. The vulnerability is triggered by sending a specific IOCTL request that allows low-privileged users to directly interact with physical memory via the MmMapIoSpace function call (mapping physical memory into a virtual address space). Attackers could exploit this issue to achieve local privilege escalation to NT AUTHORITY\SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crucial Ballistix MOD Utility ≤2.0.2.5 includes a driver (MODAPI.sys) that lets low-privileged users map physical memory via an IOCTL, enabling local privilege escalation to SYSTEM.
Vulnerability
CVE-2021-41285 affects the Ballistix MOD Utility version 2.0.2.5 and earlier. The vulnerability resides in the MODAPI.sys driver component, which is a copy of the open-source WinRing0x64.sys driver. The driver exposes multiple IOCTL handlers that allow low-privileged users to call the MmMapIoSpace function, mapping physical memory into a virtual address space. It also permits reading and writing Model-Specific Registers (MSRs) via __readmsr/__writemsr, as well as I/O port access [1][2]. No specific configuration beyond having the driver installed is required for the code path to be reachable.
Exploitation
An attacker with low-privileged user access on the target system can send a crafted IOCTL request to the MODAPI.sys driver. The exploit leverages the MapPhysicalMemory primitive to achieve a write-what-where condition, and the Write MSRs primitive for pointer overwrite. Public proof-of-concept code is available that demonstrates memory dumping and privilege escalation [2]. No additional user interaction is needed; the attack is performed from user land against the kernel driver.
Impact
Successful exploitation allows an attacker to escalate privileges from a low-privileged user to NT AUTHORITY\SYSTEM. The attacker can gain arbitrary read/write access to physical memory, enabling full control over the operating system, including process manipulation, data theft, and persistence [1].
Mitigation
The Ballistix MOD Utility version 2.0.2.5 is the last affected version; the vendor has not released a patch (the driver is derived from an open-source project with known vulnerabilities). Users are advised to uninstall the software or restrict access to the driver via a blocklist. The CVE is not listed in the known exploited vulnerabilities (KEV) catalog as of the publication date [1].
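One way to check a host for the affected driver before applying the mitigation above, as an added PowerShell example (not from the CVE record or the vendor). It assumes the driver is registered as a kernel driver service under its shipped file name, and that the blocklist in use is the Microsoft vulnerable driver blocklist, whose coverage of this driver the page does not state.

```powershell
# Added example: audit one host for the driver named in CVE-2021-41285.
# Matching is by file name only (no hashes are given), so a renamed copy is missed.
$DriverNames = @('MODAPI.sys', 'WinRing0x64.sys')   # names from the advisory text

function Find-VulnerableDriver {
    param([string[]]$Names = $DriverNames)
    # Win32_SystemDriver lists kernel driver services, loaded or not.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        # PathName can carry quotes or an NT prefix (\??\C:\...); normalise it.
        $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
        if ($Names -notcontains (Split-Path -Path $path -Leaf)) { return }
        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $cert = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate
            if ($cert) { $signer = $cert.Subject }
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State       # 'Running' = driver is currently loaded
            StartMode = $_.StartMode   # 'Boot'/'System'/'Auto' = loads again after reboot
            Path      = $path
            Signer    = $signer
        }
    }
}

function Get-DriverBlocklistState {
    # Assumption: the Microsoft vulnerable driver blocklist is the mechanism in use.
    # This reports only whether it is switched on, not whether it covers this driver.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($null -eq $val) { 'NotSet' } elseif ($val -eq 1) { 'Enabled' } else { 'Disabled' }
}

$hits = @(Find-VulnerableDriver)
if ($hits.Count -eq 0) {
    'No driver service matching MODAPI.sys or WinRing0x64.sys was found.'
} else {
    $hits | Format-Table -AutoSize
}
"Vulnerable driver blocklist: $(Get-DriverBlocklistState)"
```

A hit with State `Running` means the driver is loaded on that host; a stopped service with the file still on disk remains installed until the software is removed.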
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ballistix/MOD Utility
- Range: <=2.0.2.5
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.