Hacking & Security 

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

Posted By: Albin 0 Comment





Your ADS Here!

Nov 02, 2023NewsroomEndpoint Security / Malware

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.

“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.

The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel’s stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack.

The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.

“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.

“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

You May Also Like

Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions

Albin 0

The Pentagon’s Hand-Me-Downs Helped Militarize Police. Here’s How

Albin 4

Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Albin 0

Leave a Reply

Your email address will not be published. Required fields are marked *


Unique Visitors
» 2,858 Today
» 30,519 Yesterday
» 91,722 This Week
» 33,377 This Month
» 3,673,522 This Year
» 19,908,617 Total (since 2019-12-11)
» Record: 205,757 (2023-08-13)
Counter by DarkWeb.Solutions