PassMark BurnInTest
cpe:2.3:a:passmark:burnintest:*:*:*:*:*:*:*
- 11.0 Build 1011
A vulnerability in the DirectIo64.sys kernel driver, present in PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004, allows low-privileged attackers to access arbitrary physical memory. This is achieved through a crafted IOCTL 0x8011E044 call, which exploits inadequate validation of user-controlled input to the ZwMapViewOfSection API, enabling unauthorized read access to sensitive kernel data and potential privilege escalation.
Exploitation of this vulnerability could lead to unauthorized access to kernel memory, allowing attackers to read sensitive kernel structures and bypass kernel address space layout randomization (KASLR). This memory access could facilitate further exploitation, such as executing code with ring-0 privileges.
The vulnerability can be reproduced by sending an IOCTL 0x8011E044 request to the DirectIo64.sys driver. This can be done using a user-mode application with low privileges, including those running at a Low Integrity Level. The request must include a SectionOffset parameter that specifies arbitrary physical memory offsets, taking advantage of the driver's lack of proper input validation.
Users are advised to update to the latest version of the affected PassMark products, as this vulnerability has been patched.
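The missing check described above, as an added example (not PassMark's code and not part of the original advisory): a default-deny validator a driver could run on the user-supplied SectionOffset and view size before calling ZwMapViewOfSection. The request layout, the function name and the allowlisted physical ranges are assumptions constructed for illustration; the real IOCTL buffer format is not given on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE_BYTES 0x1000u

/* Hypothetical allowlist: physical ranges the driver itself discovered
 * (for example device BARs). Values are constructed for this example. */
typedef struct { uint64_t base; uint64_t length; } phys_range_t;

static const phys_range_t k_allowed[] = {
    { 0xFED00000ull, 0x1000ull   },  /* constructed sample range */
    { 0xE0000000ull, 0x100000ull },  /* constructed sample range */
};

/* Hypothetical request layout (assumption, not the driver's real format). */
typedef struct { uint64_t section_offset; uint64_t view_size; } map_request_t;

/* Returns true only when the whole [offset, offset + size) window is
 * non-empty, page aligned, free of integer wraparound, and contained in
 * a single allowlisted range. Everything else is rejected. */
bool map_request_is_allowed(const map_request_t *req, size_t input_len)
{
    if (req == NULL || input_len < sizeof(*req))
        return false;                  /* short or missing input buffer */
    if (req->view_size == 0)
        return false;
    if ((req->section_offset % PAGE_SIZE_BYTES) != 0 ||
        (req->view_size % PAGE_SIZE_BYTES) != 0)
        return false;                  /* reject unaligned windows */
    if (req->view_size > UINT64_MAX - req->section_offset)
        return false;                  /* offset + size would wrap */

    uint64_t end = req->section_offset + req->view_size;
    for (size_t i = 0; i < sizeof(k_allowed) / sizeof(k_allowed[0]); i++) {
        uint64_t lo = k_allowed[i].base;
        uint64_t hi = lo + k_allowed[i].length;
        if (req->section_offset >= lo && end <= hi)
            return true;               /* fully inside one allowed range */
    }
    return false;                      /* default deny */
}
```

In a driver this check would run on a captured copy of the input buffer, so the values cannot change between validation and the mapping call.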