[ad_1]
As many as 34 distinctive weak Home windows Driver Mannequin (WDM) and Home windows Driver Frameworks (WDF) drivers may very well be exploited by non-privileged menace actors to realize full management of the gadgets and execute arbitrary code on the underlying programs.
“By exploiting the drivers, an attacker with out privilege might erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior menace researcher at VMware Carbon Black, mentioned.
The analysis expands on earlier research, akin to ScrewedDrivers and POPKORN that utilized symbolic execution for automating the invention of weak drivers. It particularly focuses on drivers that comprise firmware entry by port I/O and memory-mapped I/O.
The names of a number of the weak drivers embrace AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Of the 34 drivers, six enable kernel reminiscence entry that may be abused to raise privilege and defeat safety options. Twelve of the drivers may very well be exploited to subvert safety mechanisms like kernel handle area format randomization (KASLR).
Seven of the drivers, together with Intel’s stdcdrv64.sys, may be utilized to erase firmware within the SPI flash reminiscence, rendering the system unbootable. Intel has since issued a repair for the issue.
VMware mentioned it additionally recognized WDF drivers akin to WDTKernel.sys and H2OFFT64.sys that aren’t weak by way of entry management, however may be trivially weaponized by privileged menace actors to tug off what’s known as a Deliver Your Personal Susceptible Driver (BYOVD) assault.
The approach has been employed by varied adversaries, together with the North Korea-linked Lazarus Group, as a strategy to acquire elevated privileges and disable safety software program working on compromised endpoints in order to evade detection.
“The present scope of the APIs/directions focused by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is slim and solely restricted to firmware entry,” Haruyama mentioned.
“Nevertheless, it’s straightforward to increase the code to cowl different assault vectors (e.g. terminating arbitrary processes).”
[ad_2]