PhysMem(e): When Kernel Drivers Peek into Memory CVE-2024-41498
A vulnerability identified as CVE-2024-41498 in the Windows driver IOMap64.sys, discovered by RevEng.AI researchers, allows an attacker to read and write the entire physical memory (RAM) of a system. The vulnerability matters because kernel drivers operate at the lowest level of the operating system, and a flawed but validly signed driver can be abused to gain kernel privileges through Bring Your Own Vulnerable Driver (BYOVD) exploit chains. The IOMap64.sys driver, signed by ASUS, was analyzed and found to contain software faults that could be exploited maliciously. The analysis includes a deep dive into the driver's code, showing how it handles I/O request packets (IRPs) and device control operations, and how those handlers could be manipulated to map and access arbitrary physical memory addresses. A proof of concept (PoC) was developed to demonstrate exploitability, although initial attempts led to a Blue Screen of Death (BSOD) due to debugging issues that were eventually bypassed. The post concludes with indicators of compromise (IoCs) and a YARA rule to help detect use of the vulnerable driver. The research underscores the importance of careful driver development and the security risk that even minor errors in low-level code can carry.

CVEs: CVE-2024-41498

[View Article](https://blog.reveng.ai/physmem-e-when-kernel-drivers-peek-into-memory/)
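The summary notes that the article ships IoCs and a YARA rule for the vulnerable driver, and that the driver carries a valid ASUS signature, so a signature check alone will not flag it. The following is an added example of the defender-side check a practitioner would build around such IoCs: it parses constructed Sysmon-style DriverLoad (Event ID 6) records and flags a load of IOMap64.sys either by file hash or, when the hash is unknown, by file name regardless of the path it was loaded from. This is not code from the RevEng.AI post; the event lines, signer strings and hash values are constructed placeholders, not the article's real IoCs, and the Sysmon field layout is assumed.

```python
"""Flag loads of the vulnerable IOMap64.sys driver (CVE-2024-41498) in
Sysmon-style DriverLoad (Event ID 6) records.

Added example for this summary, not code from the RevEng.AI article.
All event lines below are constructed, and every hash is a placeholder
to be replaced with the IoCs published in the article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File name of the vulnerable driver named in the summary. Matching is
# case-insensitive and ignores the directory, because BYOVD tooling
# often drops a driver under an unusual path while keeping its name.
VULNERABLE_DRIVER_NAMES = {"iomap64.sys"}

# Placeholder SHA-256 values (NOT real hashes): substitute the hashes
# from the article's IoC list. A hash match also catches renamed copies.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_IOMAP64_SYS"}


@dataclass
class DriverLoad:
    image: str               # ImageLoaded: full path of the driver file
    sha256: Optional[str]    # SHA256 from the Hashes field, if present
    signed: bool             # Signed=true/false
    signature: str           # Signer name as reported by Sysmon


# Flattened 'Key=Value Key=Value' records; values may contain spaces,
# so a value runs until the next ' Key=' token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one flattened Sysmon Event ID 6 record into a DriverLoad."""
    fields = dict(FIELD_RE.findall(line.strip()))
    # Hashes looks like 'SHA256=...,MD5=...'; split it into its own map.
    hashes = dict(
        part.split("=", 1)
        for part in fields.get("Hashes", "").split(",")
        if "=" in part
    )
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256"),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def classify(event: DriverLoad) -> Optional[str]:
    """Return a reason string if the load should be flagged, else None.

    The signature is deliberately not used to clear a load: the whole
    point of BYOVD is that the abused driver is validly signed.
    """
    name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if event.sha256 and event.sha256.upper() in {
        h.upper() for h in VULNERABLE_DRIVER_SHA256
    }:
        return f"hash match ({name}, signer={event.signature!r})"
    if name in VULNERABLE_DRIVER_NAMES:
        return f"file name match ({name}, signer={event.signature!r})"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of records; returns (image, reason)."""
    findings = []
    for line in lines:
        event = parse_driver_load(line)
        reason = classify(event)
        if reason:
            findings.append((event.image, reason))
    return findings


# Constructed sample records: a benign Microsoft driver, the vulnerable
# driver loaded from a user-writable path with a hash not yet in the
# IoC list, and a renamed copy caught by its (placeholder) hash.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_OF_NTFS_SYS "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\tmp\\IOMap64.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_OF_UNLISTED_BUILD "
    "Signed=true Signature=ASUS SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\renamed.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_OF_IOMAP64_SYS "
    "Signed=true Signature=ASUS SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"FLAGGED {image}: {reason}")
```

The name-based rule is intentionally kept alongside the hash rule: a hash list only knows the builds already published as IoCs, while a file-name rule catches an unlisted build of the same driver, at the cost of needing a triage step for legitimate ASUS installs. Feeding the records from a SIEM export instead of the constructed list is the only change needed to run it on real data.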