Windows11 - 34 Drivers Vulnerable To Complete Device Takeover.
Security researchers at VMware Carbon Black found 34 Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers that can be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama said.
Their research expands on earlier studies, such as ScrewedDrivers and POPKORN, that used symbolic execution to automate the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.
The names of some of the vulnerable drivers are AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Six of the drivers allow kernel memory access, which can be abused to elevate privileges and defeat security solutions. Twelve of the other drivers could be exploited to subvert security mechanisms such as kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel's stdcdrv64.sys, can be used to erase firmware in the SPI flash memory, rendering the system unbootable.
Although Intel has published a patch, many admins are by nature lazy and have still not updated their systems.
VMware also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be weaponized by privileged threat actors to pull off what is called a "Bring Your Own Vulnerable Driver" (BYOVD) attack.
This technique has been used by various adversaries, including the North Korean APT group Lazarus, to gain elevated privileges and disable security software running on compromised endpoints, thereby evading detection.
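As an added defender-side example (not code from the article or from VMware Carbon Black), the script below enumerates the kernel drivers a Windows host knows about, flags any whose file name matches a driver named in the article, reports the Authenticode signature status of each match, and reads whether Microsoft's vulnerable driver blocklist is enabled. The driver list is the one quoted in the article; the registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config is the switch Windows uses for that blocklist. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the article: inventory drivers by name against the
# article's list and report the vulnerable driver blocklist state.

# Driver file names exactly as listed in the article (CVE ids omitted here).
$ArticleDrivers = @(
    'AODDriver.sys', 'ComputerZ.sys', 'dellbios.sys', 'GEDevDrv.sys', 'GtcKmdfBs.sys',
    'IoAccess.sys', 'kerneld.amd64', 'ngiodriver.sys', 'nvoclock.sys', 'PDFWKRNL.sys',
    'RadHwMgr.sys', 'rtif.sys', 'rtport.sys', 'stdcdrv64.sys', 'TdkLib64.sys',
    'WDTKernel.sys', 'H2OFFT64.sys'
)

function Get-FlaggedDrivers {
    # Win32_SystemDriver lists every kernel driver registered on the host,
    # whether or not it is currently loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        # PathName may carry a \??\ prefix; strip it before touching the file.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $file = [System.IO.Path]::GetFileName($path)
        # -contains compares strings case-insensitively, matching how Windows names files.
        if ($ArticleDrivers -contains $file) {
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                Name      = $d.Name
                File      = $file
                State     = $d.State
                Started   = $d.Started
                Signature = $sig
                Path      = $path
            }
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    # VulnerableDriverBlocklistEnable is a DWORD; 1 means the Microsoft
    # vulnerable driver blocklist is enforced. A missing value is reported as NotSet.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'NotSet' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$flagged = Get-FlaggedDrivers
if ($flagged) {
    Write-Host 'Drivers matching names from the article:' -ForegroundColor Yellow
    $flagged | Format-Table -AutoSize
} else {
    Write-Host 'No drivers matching the article''s list were found.'
}
Write-Host ('Microsoft vulnerable driver blocklist: {0}' -f (Get-VulnerableDriverBlocklistState))
```

A name match is a prompt to investigate, not proof of exposure: the same file name may ship in a patched build (Intel's stdcdrv64.sys is one case the article mentions), and the blocklist itself works on file hashes and signers rather than names, so a driver can be blocked even when it appears here, or loaded even when it does not. Treat a match with a non-Valid signature status, or a Disabled/NotSet blocklist on a host that should enforce it, as the findings worth acting on.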
"The current scope of the APIs/instructions targeted by the IDAPython script for automating static code analysis of x64 vulnerable drivers is narrow and limited to firmware access."