
Researchers Discover 34 Windows Drivers Vulnerable to Full Device Takeover

Nov 02, 2023 | Newsroom | Endpoint Security / Malware

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.

“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.


The research expands on previous studies, such as ScrewedDrivers and POPKORN, that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel's stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that aren't vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what's known as a Bring Your Own Vulnerable Driver (BYOVD) attack.


The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to obtain elevated privileges and disable security software running on compromised endpoints so as to evade detection.
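For defenders, the practical follow-up to a list like this is to check whether any of the named drivers are registered or loaded on managed hosts, and whether Microsoft's vulnerable driver blocklist is turned on so that known BYOVD drivers are refused at load time. The PowerShell below is an added example written for this article; it is not code from VMware Carbon Black, the researcher, or the original post. It assumes the driver file names exactly as listed in the article, that it runs in an elevated prompt, and that the host is Windows 11 22H2 or later, where the blocklist toggle lives under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`.

```powershell
# Added example (not from the article or VMware Carbon Black): inventory kernel drivers
# registered with the Service Control Manager, flag any whose file name matches a driver
# named in the article, and report whether the Microsoft vulnerable driver blocklist is on.
# Run from an elevated PowerShell prompt.

# Driver file names as listed in the article; kerneld.amd64 has no .sys extension.
$NamedDrivers = @(
    'AODDriver.sys', 'ComputerZ.sys', 'dellbios.sys', 'GEDevDrv.sys', 'GtcKmdfBs.sys',
    'IoAccess.sys', 'kerneld.amd64', 'ngiodriver.sys', 'nvoclock.sys', 'PDFWKRNL.sys',
    'RadHwMgr.sys', 'rtif.sys', 'rtport.sys', 'stdcdrv64.sys', 'TdkLib64.sys',
    # Not vulnerable on their own per the article, but usable in a BYOVD attack:
    'WDTKernel.sys', 'H2OFFT64.sys'
)

function Get-SuspectDrivers {
    param([string[]]$Names = $NamedDrivers)

    # Win32_SystemDriver covers both loaded ("Running") and merely registered drivers,
    # so a stopped-but-installed copy still shows up for review.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ prefix or surrounding quotes; reduce it to a leaf name.
            $path = ($_.PathName -replace '^\\\?\?\\', '').Trim('"')
            $leaf = Split-Path -Path $path -Leaf
            if ($Names -contains $leaf) {   # -contains is case-insensitive in PowerShell
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Name      = $_.Name
                    File      = $leaf
                    Path      = $path
                    State     = $_.State
                    StartMode = $_.StartMode
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unknown' }
                    SigStatus = if ($sig) { $sig.Status } else { 'unknown' }
                }
            }
        }
}

function Get-DriverBlocklistState {
    # Windows 11 22H2 and later expose the Microsoft Vulnerable Driver Blocklist toggle here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'not present (older Windows or policy not set)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'disabled' }
}

$hits = @(Get-SuspectDrivers)
if ($hits.Count -eq 0) {
    Write-Host 'No drivers named in the article are registered on this host.'
} else {
    $hits | Format-Table -AutoSize
}
Write-Host "Microsoft vulnerable driver blocklist: $(Get-DriverBlocklistState)"
```

A match on file name alone is a prompt for review, not proof of compromise: a vendor utility may legitimately ship one of these drivers, and a fixed version (such as Intel's updated stdcdrv64.sys) will share the name with the vulnerable one, so compare the file hash and signature against the vendor's advisory before acting. Because a BYOVD attack loads a signed, otherwise legitimate driver, the blocklist state reported at the end is the more important control: with it disabled, nothing stops a privileged attacker from loading one of these drivers by design.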

“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.

“However, it’s easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”
