
Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover


As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF)
drivers could be exploited by non-privileged threat actors to gain full
control of the devices and execute arbitrary code on the underlying
systems.

“By exploiting the drivers, an attacker without privilege may
erase/alter firmware, and/or elevate [operating system] privileges,”
Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.

The research expands on previous studies, such as ScrewedDrivers and POPKORN, that used symbolic execution
to automate the discovery of vulnerable drivers. This work specifically
focuses on drivers that expose firmware access through port I/O and
memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys,
ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys,
kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).


Of the 34 drivers, six allow kernel memory access that can be abused
to elevate privilege and defeat security solutions. Twelve of the
drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel’s stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and
H2OFFT64.sys that are not vulnerable in terms of access control, but can
be trivially weaponized by privileged threat actors to pull off what’s
called a Bring Your Own Vulnerable Driver (BYOVD) attack.

The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.
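A host-side check a defender might run against the findings above, added here as an example (it is not code from the article or from VMware Carbon Black): it takes the driver file names the article reports, looks for them among the installed kernel-driver services, hashes any match for follow-up, and reports whether the Microsoft vulnerable driver blocklist, the main BYOVD mitigation, is enforced. The driver names come from the article; the `Win32_SystemDriver` and `Win32_DeviceGuard` CIM classes and the `VulnerableDriverBlocklistEnable` registry value are standard Windows interfaces, while the `Resolve-DriverPath` helper and the `$ReportedDrivers` list are my own.

```powershell
# Added example, not from the article: audit a Windows host for the driver files
# named in the research and for the BYOVD mitigation that blocks known-bad drivers.
# Run from an elevated PowerShell session.

# Driver file names as reported in the article (including the two WDF drivers
# described as usable for BYOVD). A file name is only a lead: confirm the
# publisher, version and hash before acting on a match.
$ReportedDrivers = @(
    'AODDriver.sys', 'ComputerZ.sys', 'dellbios.sys', 'GEDevDrv.sys', 'GtcKmdfBs.sys',
    'IoAccess.sys', 'kerneld.amd64', 'ngiodriver.sys', 'nvoclock.sys', 'PDFWKRNL.sys',
    'RadHwMgr.sys', 'rtif.sys', 'rtport.sys', 'stdcdrv64.sys', 'TdkLib64.sys',
    'WDTKernel.sys', 'H2OFFT64.sys'
)

# Helper (my own): turn the native-style image path stored for a driver service
# (\??\C:\..., \SystemRoot\..., or a System32-relative path) into a Win32 path.
function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Every kernel-driver service, loaded or not, with its image path and state.
$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $file = Resolve-DriverPath $drv.PathName
    $leaf = Split-Path -Leaf $file
    if ($ReportedDrivers -notcontains $leaf) { continue }   # -contains/-notcontains are case-insensitive
    $hash = if (Test-Path $file) { (Get-FileHash -Algorithm SHA256 $file).Hash } else { 'file not found' }
    [pscustomobject]@{
        Service = $drv.Name
        File    = $leaf
        Path    = $file
        State   = $drv.State
        SHA256  = $hash
    }
}

# 2. Mitigation status. The vulnerable driver blocklist is enforced whenever HVCI
#    (memory integrity) is running (SecurityServicesRunning contains 2), and can be
#    switched on without HVCI through the VulnerableDriverBlocklistEnable value.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2
$blocklistReg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$blocklistEnabled = $hvciRunning -or ($blocklistReg.VulnerableDriverBlocklistEnable -eq 1)

# 3. Report.
if ($findings) {
    Write-Host "Driver services matching the reported names:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No driver service matches the reported file names."
}
Write-Host ("HVCI running: {0}; vulnerable driver blocklist enforced: {1}" -f $hvciRunning, $blocklistEnabled)
if (-not $blocklistEnabled) {
    Write-Host "Memory integrity or the vulnerable driver blocklist is not enforced; BYOVD loads of known-bad drivers will not be blocked." -ForegroundColor Yellow
}
```

The name match is deliberately a first pass only: the SHA256 column is there so a hit can be compared against vendor advisories or a blocklist entry before anyone decides a driver is the vulnerable build, and the blocklist status matters more than any single hit, since it is what stops an attacker who brings their own copy of such a driver.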

“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.

“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”

A.K