As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the affected devices and execute arbitrary code on the underlying systems.
“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.
The research expands on prior studies, such as ScrewedDrivers and POPKORN, that used symbolic execution to automate the discovery of vulnerable drivers. It specifically focuses on drivers that expose firmware access via port I/O and memory-mapped I/O.
The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Of the 34 drivers, six allow kernel memory access that can be abused to elevate privileges and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms such as kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel's stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the issue.
VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control (an unprivileged user cannot open them), but can be trivially weaponized by threat actors who already hold administrative privileges to carry out what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack: a legitimately signed but flawed driver is loaded so its kernel-mode primitives can be abused.
The technique has been used by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.
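Because a BYOVD attack relies on a signed driver that is already present or freshly dropped on the host, a defender's first question is which kernel drivers are currently running, whether they are validly signed, and whether Microsoft's vulnerable driver blocklist is enforced. The following PowerShell audit is an added example written for this page; it is not code from the article or from VMware Carbon Black. It flags running drivers whose file names match those named above, verifies each driver's Authenticode signature, and reads the blocklist setting. The registry value name `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is assumed to be the one your Windows build uses; check it against Microsoft's current documentation.

```powershell
# Added example (not from the article or VMware Carbon Black): inventory running
# kernel drivers, flag the file names the article lists, show signer status, and
# report whether the Microsoft Vulnerable Driver Blocklist is enforced.
# Assumption: the CI\Config value name below matches your Windows build.

$FlaggedNames = @(
    'AODDriver.sys','ComputerZ.sys','dellbios.sys','GEDevDrv.sys','GtcKmdfBs.sys',
    'IoAccess.sys','kerneld.amd64','ngiodriver.sys','nvoclock.sys','PDFWKRNL.sys',
    'RadHwMgr.sys','rtif.sys','rtport.sys','stdcdrv64.sys','TdkLib64.sys',
    'WDTKernel.sys','H2OFFT64.sys'
)

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName is often in kernel notation; convert it to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'") {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    $leaf = Split-Path -Leaf $path
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Name      = $drv.Name
        File      = $leaf
        Path      = $path
        Flagged   = ($FlaggedNames -contains $leaf)     # -contains is case-insensitive
        SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { '' }
    }
}

# Drivers named in the research that are loaded right now.
$report | Where-Object Flagged | Format-Table Name, File, SigStatus, Signer, SHA256 -AutoSize

# Any running driver whose signature does not verify deserves a look regardless of name.
$report | Where-Object { $_.SigStatus -ne 'Valid' } | Format-Table Name, Path, SigStatus -AutoSize

# Blocklist enforcement: a value of 1 means the Microsoft Vulnerable Driver Blocklist is on.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
"VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
```

Run it from an elevated PowerShell session, since reading some driver files and the CI configuration key requires administrator rights. A driver that appears in the first table with a valid signature is exactly the BYOVD case the article describes: the signature is genuine, so signature enforcement alone will not stop it; only the blocklist, hash-based allow-listing, or removing the driver does.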
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.
“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”
Some parts of this article are sourced from:
thehackernews.com