CVE-2024-36054

CVE-2024-36054 is a high-severity vulnerability in the Marvin Test HW driver (Hw64.sys) that allows unprivileged user-mode processes to arbitrarily read kernel memory. The issue affects all versions up to 5.0.4.0 and stems from improper handling of IOCTL requests 0x9c4064b8 (via MmMapIoSpace) and 0x9c406490 (via ZwMapViewOfSection), which map physical memory to user space without proper access control [1].

To exploit the vulnerability, an attacker requires only local access and the ability to execute arbitrary user-mode code. No elevated privileges are needed, as the driver exposes these IOCTLs to any unprivileged process. By sending crafted IOCTL requests, the attacker can map arbitrary kernel memory into their process address space, enabling them to read sensitive data such as system tokens or process structures.

Successful exploitation grants the attacker the ability to read all kernel memory, which can subsequently be used to elevate privileges to SYSTEM. This could allow complete control over the affected system, including installation of persistent malware, data theft, or further lateral movement within a network.

The vendor, Marvin Test Solutions, has addressed the vulnerability in version 5.0.5.0 of the HW driver [1]. Users are strongly advised to update to the latest driver package available from the official downloads page [2]. As of the publication date, no active exploitation has been reported.