
CVE-2015-2291

Intel iqvw64e, arbitrary read/write via IOCTL in Intel Ethernet diagnostics driver

Summary

| Field | Value |
|---|---|
| Driver | iqvw64e.sys |
| Vendor | Intel |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 1.03.0.7 and earlier |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |

The Story

Disclosed in 2015 via exploit-db entry #36392, iqvw64e.sys is one of the earliest documented BYOVD cases and one of the most enduring. The driver is Intel's kernel component for the iQVW64 Ethernet diagnostics utility, used for low-level NIC testing and configuration. It provides IOCTLs for arbitrary physical and virtual memory access, MSR read/write, and control register reads, all without any access control checks on the caller. The device object is accessible to any authenticated user.

Despite being well-known for over a decade and included in the Vulnerable Driver Blocklist, iqvw64e.sys continues to appear in the wild. The sheer number of existing signed copies means that attackers can still find and deploy it. It was integrated into KDU as an exploitation provider, making it available through the KDU framework for automated exploitation.

BYOVD Context

  • Driver signing: Authenticode-signed by Intel Corporation with valid certificate
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
  • HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
  • KDU integration: Integrated as a KDU provider
  • LOLDrivers: Listed at loldrivers.io

Affected IOCTLs

  • Arbitrary physical memory read/write
  • Arbitrary virtual memory read/write
  • MSR read/write
  • CR (Control Register) read

How It Gets Exploited

The driver provides direct R/W primitives with no exploitation complexity at all. An attacker loads the signed driver, opens a handle to the device object, and uses the arbitrary read/write IOCTLs to directly access kernel structures. A token swap for SYSTEM escalation requires no heap spray, no race condition, no information leak. The exploit-db entry #36392 provides a complete working exploit that has served as a template for over a decade.

Multiple threat actors across different campaigns have used this driver. Its longevity is a reminder that BYOVD drivers never truly go away; once a signed binary exists, it can be deployed indefinitely on systems that do not enforce the blocklist.

Detection

YARA Rule

rule CVE_2015_2291_iqvw64e {
    meta:
        description = "Detects Intel iqvw64e.sys vulnerable driver"
        cve = "CVE-2015-2291"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "iqvw64e" wide ascii nocase
        $intel = "Intel" wide ascii
        $iqvw = "iQVW" ascii
    condition:
        $mz at 0 and ($driver_name or $iqvw) and $intel
}

ETW Indicators

| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of iqvw64e.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for iqvw64e.sys |
| Sysmon | Event ID 6 — Driver loaded | Captures driver hash and signature |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |

Behavioral Indicators

  • Loading of iqvw64e.sys from a path unrelated to Intel network diagnostics tools
  • Service creation for Intel diagnostics driver by a non-Intel process
  • Kernel memory read/write IOCTL patterns from non-diagnostic processes
  • Privilege escalation following iqvw64e.sys interaction
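The ETW and behavioral indicators above can be turned into a small correlation rule: flag iqvw64e.sys loads (Sysmon Event ID 6) from paths unrelated to the Intel diagnostics package, flag service installs (Security 4697) for the driver by a non-Intel process, and escalate when an install is followed by a load on the same host within a short window. The script below is an added example, not part of the original write-up or of any KernelSight tooling. The telemetry it parses is constructed sample JSON lines with a simplified, assumed field layout (`ts`, `host`, `event_id`, `image`, `signer`, `process`, `service`, `user`), not the exact Sysmon or Security event schema, and the "expected" install directories are an assumption about where the legitimate Intel package places the driver.

```python
import json
from datetime import datetime, timedelta

TARGET_DRIVER = "iqvw64e.sys"
TARGET_SERVICE = "iqvw64e"
# Assumption: directories where the legitimate Intel diagnostics driver is expected.
EXPECTED_DIR_HINTS = ("\\program files\\intel\\", "\\windows\\system32\\drivers\\")
SYSMON_DRIVER_LOADED = 6          # Sysmon Event ID 6: driver loaded
SECURITY_SERVICE_INSTALLED = 4697  # Security event 4697: service installed

# Constructed sample telemetry (JSON lines); field names are a simplified,
# assumed normalization of the Sysmon/Security events named on the page.
SAMPLE_LOG = r"""
{"ts":"2024-05-01T09:00:00","host":"ws01","provider":"Sysmon","event_id":6,"image":"C:\\Windows\\System32\\drivers\\tcpip.sys","signer":"Microsoft Windows","user":"SYSTEM"}
{"ts":"2024-05-01T09:05:00","host":"ws01","provider":"Sysmon","event_id":6,"image":"C:\\Program Files\\Intel\\iQVW\\iqvw64e.sys","signer":"Intel Corporation","user":"SYSTEM"}
{"ts":"2024-05-01T13:10:00","host":"ws02","provider":"Microsoft-Windows-Security-Auditing","event_id":4697,"service":"iqvw64e","image":"C:\\Users\\Public\\iqvw64e.sys","process":"C:\\Users\\bob\\Downloads\\loader.exe","user":"bob"}
{"ts":"2024-05-01T13:10:02","host":"ws02","provider":"Sysmon","event_id":6,"image":"C:\\Users\\Public\\iqvw64e.sys","signer":"Intel Corporation","user":"SYSTEM"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def path_is_expected(image):
    """True if the driver image sits in one of the assumed legitimate directories."""
    low = image.lower().replace("/", "\\")
    return any(hint in low for hint in EXPECTED_DIR_HINTS)


def evaluate_event(ev):
    """Return (severity, reason) for one event that concerns iqvw64e, else None."""
    image = ev.get("image", "")
    if not image.lower().endswith(TARGET_DRIVER) and ev.get("service", "").lower() != TARGET_SERVICE:
        return None
    if ev["event_id"] == SECURITY_SERVICE_INSTALLED:
        proc = ev.get("process", "")
        if "\\intel\\" not in proc.lower():
            return ("high", f"service {ev.get('service')} installed for {image} by non-Intel process {proc}")
        return ("medium", f"service {ev.get('service')} installed for {image} by {proc}")
    if ev["event_id"] == SYSMON_DRIVER_LOADED:
        if not path_is_expected(image):
            return ("high", f"blocklisted driver loaded from unexpected path {image}")
        # A valid Intel signature does not make the load benign: the driver is blocklisted.
        return ("low", f"blocklisted driver loaded from expected path {image} (signer {ev.get('signer')})")
    return None


def analyze(text, window=timedelta(minutes=5)):
    """Score each iqvw64e-related event and escalate install-then-load chains per host."""
    findings = []
    installs = {}  # host -> timestamps of service installs seen so far
    for ev in parse_events(text):
        verdict = evaluate_event(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == SECURITY_SERVICE_INSTALLED:
            installs.setdefault(ev["host"], []).append(ts)
        elif ev["event_id"] == SYSMON_DRIVER_LOADED:
            recent = [t for t in installs.get(ev["host"], []) if timedelta(0) <= ts - t <= window]
            if recent:
                severity = "critical"
                reason = "service install followed by driver load within window: " + reason
        findings.append({"host": ev["host"], "ts": ev["ts"], "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['host']} {f['ts']} {f['reason']}")
```

On the constructed sample this yields three findings: a low-severity load from the expected Intel directory on ws01, a high-severity non-Intel service install on ws02, and a critical install-then-load chain on ws02 two seconds later. The signer check is deliberately not used to suppress anything, since a valid Intel Corporation signature is exactly what makes the driver usable for BYOVD.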

Broader Significance

CVE-2015-2291 is the BYOVD archetype. It established the pattern that all subsequent vendor utility driver exploits follow: find a legitimately signed driver with unrestricted kernel access IOCTLs, bring it to the target, load it, and use its own functionality for privilege escalation. The driver's persistence in the wild, over a decade after disclosure, demonstrates that the BYOVD problem is fundamentally about the Windows driver signing model: once a driver is signed, it remains exploitable forever on systems without active blocklist enforcement.

References