CVE-2020-15481: 
PassMark PerformanceTest vulnerability analysis and mitigation

An issue was discovered in PassMark BurnInTest v9.1 Build 1008, OSForensics v7.1 Build 1012, and PerformanceTest v10.0 Build 1008. The kernel driver (DirectIo32.sys and DirectIo64.sys) exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This vulnerability was discovered in June 2020 and fixed in September 2020 (ESET Disclosure).

The vulnerability exists in the physical memory mapping functionality exposed via IOCTLMAPPHYSICAL_MEMORY (0x80112044). The implementation allows unprivileged usermode programs to read and write arbitrary physical memory without any additional checks. The driver implements this functionality through two methods: primarily using ZwMapViewOfSection API, and as a backup approach, through MmMapIoSpace and MmMapLockedPages kernel APIs (ESET Disclosure).

The impact of this vulnerability is rated as High, as it allows attackers to scan memory for critical structures and code in the kernel and patch them, enabling direct manipulation of kernel objects or achieving kernel code execution. This could lead to arbitrary Ring-0 code execution and escalation of privileges (ESET Disclosure).

The vulnerability was fixed in the September 2020 updates of the vendor's products. Users should update to BurnInTest v9.2, PerformanceTest v10.0 Build 1009, or OSForensics v8.0 to receive the patched version of the driver (PassMark History, ESET Disclosure).