Recently, researchers discovered that some Windows drivers contain vulnerabilities that are vulnerable to attack. Up to 34 Windows Driver Models ( WDM ) and Windows Driver Frameworks ( WDF ) contain vulnerabilities that can be exploited to gain full control of devices and execute arbitrary code on systems.
“By exploiting the driver, an unauthorized attacker can delete/change basic and/or advanced system programming,” said Takahiro Haruyama, threat researcher at VMware Carbon Black. executive ” .
This research builds on previous studies, such as ScrewedDrivers and POPKORN that used symbolic execution to automatically detect vulnerable drivers. It focuses on drivers that contain firmware access through I/O ports and memory-mapped I/O.
Names of some vulnerable Windows drivers include: AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL .sys (CVE) -2023-20598 , RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys and TdkLib64.sys ( CVE-2023-35841 ),
Of the 34 drivers, 6 allow access to kernel memory that can be abused to defeat security solutions. The 12 drivers can be exploited to circumvent security mechanisms such as kernel address space layout randomization ( KASLR ).
7 drivers, including Intel’s stdcdrv64.sys, can be used to erase artifacts in SPI flash memory , rendering the system unbootable. Currently, Intel has released a fix for this issue.
VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable to permissions exploits, but can be exploited in the usual way to perform BYOVD – Bring Your Own attacks Vulnerable Driver. ( The attacker will send the victim a valid driver but containing security holes, usually via malicious email or phishing scams, for them to install themselves. From there, it will disable the programs security is installed on the victim’s device and runs with system privileges ).
This technique has been used by various adversaries, including the North Korea-linked Lazarus Group , as a way to gain elevated privileges and disable security software running on devices compromised terminal to avoid detection.
“The current scope of APIs/instructions targeted by the IDAPython script for automating static code analysis of x64 vulnerable drivers is very narrow and limited to access permissions,” said Haruyama. base program”.
“However, this scope is open to extending code execution through other attack vectors (e.g., terminating arbitrary processes).”
VMware Carbon Black’s research shows that there are a significant number of Windows Drivers that are vulnerable to exploitation and can be abused to gain full control of the device.
Researchers recommend users update their drivers to the latest version to minimize the risk of attacks.
