As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.
The research expands on previous studies, such as ScrewedDrivers and POPKORN, that used symbolic execution to automate the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.
The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel's stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.
VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.
The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.
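For defenders, the practical follow-up to the driver names listed above and to the BYOVD warning is an inventory check: which of these drivers are present or loaded on a host. The script below is an added example, not code from the article or from VMware Carbon Black. It parses the CSV output of Windows' built-in `driverquery /v /fo csv` command and matches each driver's file name against the names the article reports, separating the drivers it calls vulnerable from the two WDF drivers it flags only as BYOVD candidates. The `Module Name` and `Path` column headers are assumed to match driverquery's verbose CSV format, and the embedded sample output is constructed (display names and paths are invented, and the columns are trimmed to the ones the check reads).

```python
import csv
import io
import ntpath
import subprocess

# Driver file names the article reports as vulnerable (names copied from the article).
VULNERABLE_DRIVERS = {
    "AODDriver.sys", "ComputerZ.sys", "dellbios.sys", "GEDevDrv.sys",
    "GtcKmdfBs.sys", "IoAccess.sys", "kerneld.amd64", "ngiodriver.sys",
    "nvoclock.sys", "PDFWKRNL.sys", "RadHwMgr.sys", "rtif.sys",
    "rtport.sys", "stdcdrv64.sys", "TdkLib64.sys",
}
# WDF drivers the article says have no access-control flaw but can be
# weaponised in a Bring Your Own Vulnerable Driver (BYOVD) attack.
BYOVD_CANDIDATES = {"WDTKernel.sys", "H2OFFT64.sys"}

# Case-insensitive lookup: file name -> category.
WATCHLIST = {name.lower(): "vulnerable" for name in VULNERABLE_DRIVERS}
WATCHLIST.update({name.lower(): "byovd-candidate" for name in BYOVD_CANDIDATES})


def driver_file_name(row):
    """Lowercase file name for one driverquery row.

    Uses the basename of the Path column when present; falls back to
    Module Name + '.sys' because driverquery leaves Path blank for some drivers.
    (Column names are assumed from driverquery's /v /fo csv output.)
    """
    path = (row.get("Path") or "").strip()
    if path:
        return ntpath.basename(path).lower()
    module = (row.get("Module Name") or "").strip()
    return (module + ".sys").lower() if module else ""


def find_flagged_drivers(csv_text):
    """Parse driverquery CSV text and return the rows whose file name is on the watchlist.

    Each hit is a dict with the module name, matched file name, path, state and category.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = driver_file_name(row)
        category = WATCHLIST.get(name)
        if category:
            hits.append({
                "module": row.get("Module Name", ""),
                "file": name,
                "path": row.get("Path", ""),
                "state": row.get("State", ""),
                "category": category,
            })
    return hits


def scan_live_system():
    """Run driverquery on the local Windows host and return the flagged drivers."""
    proc = subprocess.run(["driverquery", "/v", "/fo", "csv"],
                          capture_output=True, text=True, check=True)
    return find_flagged_drivers(proc.stdout)


# Constructed sample (not real driverquery output); columns trimmed to those used above.
SAMPLE_CSV = r'''"Module Name","Display Name","Driver Type","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Running","C:\Windows\system32\drivers\ACPI.sys"
"stdcdrv64","Example Flash Driver","Kernel","Running","C:\Program Files\Example\stdcdrv64.sys"
"WDTKernel","Example Watchdog Driver","Kernel","Stopped","C:\Windows\System32\drivers\WDTKernel.sys"
"nvoclock","Example Clock Driver","Kernel","Running",""
'''

if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_CSV with scan_live_system() to check the real driver list.
    for hit in find_flagged_drivers(SAMPLE_CSV):
        print(f"[{hit['category']}] {hit['file']} ({hit['state']}) {hit['path'] or hit['module']}")
```

A match on a stopped or merely present driver still matters: the BYOVD technique described above relies on the file being on disk or loadable, so the path column is worth reporting even when the state is not `Running`. Matching on file name alone also produces false positives for same-named but patched builds, so confirm hits against the vendor's fixed version (Intel's fix for stdcdrv64.sys, for example) before acting on them.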
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.
“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”