As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.
The research expands on previous studies, such as ScrewedDrivers and POPKORN, that used symbolic execution to automate the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.
The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel’s stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.
VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that aren’t vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack.
The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to obtain elevated privileges and disable security software running on compromised endpoints in order to evade detection.
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.
“However, it’s easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”
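An added host check (example code, not VMware’s or the article’s own script): it looks for the driver file names the article lists on a Windows host, both as registered driver services and as loose files in the drivers directory, and reports each file’s Authenticode status and signer. It assumes an elevated PowerShell session and the usual `\SystemRoot` and `\??\` path prefixes in service records; a file-name match is only a weak indicator, since a dropped driver can be renamed and a legitimate install of the same driver may be present.

```powershell
# Driver file names quoted in the article; kerneld.amd64 is listed as given (no .sys suffix).
$VulnerableDrivers = @(
    'AODDriver.sys','ComputerZ.sys','dellbios.sys','GEDevDrv.sys','GtcKmdfBs.sys',
    'IoAccess.sys','kerneld.amd64','ngiodriver.sys','nvoclock.sys','PDFWKRNL.sys',
    'RadHwMgr.sys','rtif.sys','rtport.sys','stdcdrv64.sys','TdkLib64.sys'
)
# Named by the article as sound in their access control but usable for BYOVD by a privileged actor.
$ByovdCandidates = @('WDTKernel.sys','H2OFFT64.sys')

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver reports NT-style paths (\??\C:\..., \SystemRoot\..., relative); map to Win32 paths.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p.TrimStart('\') }
    return $p
}

function Find-ListedDrivers {
    param([string[]]$Names, [string]$Category)
    $lookup = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($n in $Names) { [void]$lookup.Add($n) }
    $services = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object PathName
    # 1) Registered driver services (running or not), with the file's Authenticode status and signer.
    foreach ($svc in $services) {
        $leaf = Split-Path -Path $svc.PathName -Leaf
        if (-not $lookup.Contains($leaf)) { continue }
        $path = Resolve-DriverPath $svc.PathName
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path }
        $signer = if ($sig) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { 'file not found' }
        [pscustomobject]@{ Category = $Category; Service = $svc.Name; File = $leaf; State = $svc.State
            StartMode = $svc.StartMode; Path = $path; Signer = $signer }
    }
    # 2) Matching files sitting in the drivers directory without a registered service
    #    (a driver dropped for BYOVD is typically loaded ad hoc rather than installed).
    $registered = $services | ForEach-Object { Split-Path -Path $_.PathName -Leaf }
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -File -ErrorAction SilentlyContinue |
        Where-Object { $lookup.Contains($_.Name) -and ($registered -notcontains $_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Category = $Category; Service = '(none)'; File = $_.Name; State = 'on disk'
                StartMode = 'n/a'; Path = $_.FullName; Signer = "$($sig.Status): $($sig.SignerCertificate.Subject)" }
        }
}

$findings = @(Find-ListedDrivers -Names $VulnerableDrivers -Category 'vulnerable') +
            @(Find-ListedDrivers -Names $ByovdCandidates -Category 'byovd-candidate')
if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed driver names found on this host.' }
```

Microsoft’s vulnerable driver blocklist, enforced through HVCI or WDAC policy, blocks by hash and signer rather than file name and is the durable control; this check is quick triage, not a substitute for it.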