CVE-2024-36056
📋 TL;DR
This vulnerability in Marvin Test HW.exe allows unprivileged user-mode processes to map physical memory through a specific IOCTL in the Hw64.sys driver, enabling privilege escalation to SYSTEM level. It affects users of Marvin Test HW.exe versions before 5.0.5.0 on Windows systems where the driver is loaded.
💻 Affected Systems
- Marvin Test HW.exe
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM privileges on the target system, enabling complete compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local privilege escalation from a limited user account to SYSTEM, allowing installation of malware, credential dumping, and bypassing security controls.
If Mitigated
Limited impact if proper access controls prevent unprivileged users from executing code or if the driver isn't loaded.
🎯 Exploit Status
Exploitation requires local access and the ability to send an IOCTL to the driver, but the technique is well-documented for similar driver vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5.0
Vendor Advisory: https://www.marvintest.com/KnowledgeBase/KBArticle.aspx?ID=362
Restart Required: Yes
Instructions:
1. Download Marvin Test HW.exe version 5.0.5.0 or later from vendor website.
2. Install the update following vendor instructions.
3. Restart the system to ensure the updated driver loads.
🔧 Temporary Workarounds
Disable or remove Hw64.sys driver
Windows: Prevent the vulnerable driver from loading by disabling or removing it
sc stop Hw64
sc delete Hw64
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Hw64" /f
Restrict driver access permissions
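Windows: Modify permissions on the driver file to prevent unprivileged access. This changes the ACL of the file on disk, not the security descriptor of the device object that a loaded driver exposes.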
icacls "C:\Windows\System32\drivers\Hw64.sys" /deny *S-1-1-0:(RX)
🧯 If You Can't Patch
- Implement strict access controls to prevent unprivileged users from executing code on affected systems
- Monitor for suspicious driver interactions and IOCTL calls to Hw64.sys
🔍 How to Verify
Check if Vulnerable:
Check the Marvin Test HW.exe version (vulnerable if below 5.0.5.0) and verify whether the Hw64.sys driver is present in system32\drivers
Check Version:
wmic datafile where name="C:\\Program Files\\Marvin Test\\HW.exe" get version
Verify Fix Applied:
Verify Marvin Test HW.exe version is 5.0.5.0 or higher and check driver timestamp
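The version and driver checks above can be combined into one read-only script. This is an added example, not part of the original advisory or any vendor tooling; the default paths and service name are the ones shown on this page (assumptions about the local install), and the Exposure labels are invented for this example.

```powershell
# Added example: read-only local exposure check for CVE-2024-36056.
# Default paths and the service name are the ones used on this page (assumed).
param(
    [string]$HwExePath   = 'C:\Program Files\Marvin Test\HW.exe',
    [string]$DriverPath  = "$env:SystemRoot\System32\drivers\Hw64.sys",
    [string]$ServiceName = 'Hw64'
)

$FixedVersion = [version]'5.0.5.0'   # patch version stated on this page

function Get-NumericFileVersion([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric parts: the FileVersion string can be "5, 0, 4, 0" or carry
    # extra text, and a string comparison would sort "10.x" below "5.x".
    # A file with no version resource yields 0.0.0.0, which is reported as affected.
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
}

$exeVersion = Get-NumericFileVersion $HwExePath
$driverFile = Test-Path -LiteralPath $DriverPath
# Win32_SystemDriver shows whether the kernel driver is registered and running.
$driver = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

$exposure = if ($null -eq $exeVersion -and -not $driverFile -and $null -eq $driver) {
    'NotInstalled'
} elseif ($null -ne $exeVersion -and $exeVersion -ge $FixedVersion) {
    'FixedVersionInstalled'
} elseif ($null -ne $driver -and $driver.State -eq 'Running') {
    'AffectedDriverLoaded'
} elseif ($null -ne $exeVersion) {
    'AffectedVersionPresent'
} else {
    'DriverPresentVersionUnknown'
}

# One object per host, suitable for Export-Csv or remote collection.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    HwExeVersion    = $exeVersion
    DriverFileFound = $driverFile
    DriverState     = if ($driver) { $driver.State } else { 'NotRegistered' }
    DriverStartMode = if ($driver) { $driver.StartMode } else { $null }
    Exposure        = $exposure
}
```

A result of FixedVersionInstalled with DriverState still Running before the required restart means the previously loaded driver image may still be in memory.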
📡 Detection & Monitoring
Log Indicators:
- Event ID 4697: Service installation for Hw64
- Driver load events for Hw64.sys
- Process creation events for Marvin Test HW.exe
Network Indicators:
- N/A - Local exploitation only
SIEM Query:
DeviceProcessEvents | where FileName contains "HW.exe" | where FolderPath contains "Marvin Test" | where parse_version(ProcessVersionInfoProductVersion) < parse_version("5.0.5.0")