As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
“By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges,” Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.
The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.
The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel’s stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.
VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack.
The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” Haruyama said.
“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”