November 2, 2023 at 05:30AM
Researchers have discovered that up to 34 different Windows drivers could be exploited by threat actors without privileged access to gain control of devices and execute arbitrary code. Exploiting these drivers could allow attackers to erase or alter firmware and elevate privileges. The vulnerabilities have been identified in drivers including AODDriver.sys, ComputerZ.sys, dellbios.sys, and TdkLib64.sys. Some drivers enable kernel memory access, while others can subvert security mechanisms. The North Korea-linked Lazarus Group has previously utilized this technique to gain elevated privileges and disable security software.
Based on the meeting notes, there are several key takeaways:
1. There are as many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers that can be exploited by non-privileged threat actors.
2. Exploiting these drivers can allow attackers to gain full control of devices and execute arbitrary code on the underlying systems.
3. Some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
4. Among the vulnerable drivers, six allow kernel memory access that can be abused to elevate privileges and defeat security solutions.
5. Twelve of the drivers can be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).
6. Seven drivers, including Intel’s stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has issued a fix for this problem.
7. Certain WDF drivers, such as WDTKernel.sys and H2OFFT64.sys, are not vulnerable in terms of access control but can still be weaponized by privileged threat actors for a Bring Your Own Vulnerable Driver (BYOVD) attack.
8. The BYOVD attack technique has been employed by various adversaries, including the Lazarus Group, to gain elevated privileges and disable security software.
9. The IDAPython script used for automating static code analysis of x64 vulnerable drivers currently focuses on firmware access but can be extended to cover other attack vectors.
Please let me know if you need any further clarification or information.