Sunday, August 11th 2019
Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks
Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to escalate privilege from Ring 3 to Ring 0 (unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter names are motherboard manufacturers whose hardware monitoring and overclocking applications install kernel-mode drivers into Windows for Ring-0 hardware access.
As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers: RWEverything, LoJax (the first UEFI malware), and Slingshot. At the heart of these is the way Windows continues to load drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts and bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working with several of the listed manufacturers on mitigations and patches, and is under embargo until it puts out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user space, but through its one-time installed, signed RWDrv.sys kernel-mode driver it acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset and modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers exposing MSR read/write to bypass driver signing enforcement and install a rootkit.
Source:
Eclypsium
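A defender's first step against this class of issue is knowing which kernel drivers are on a box, who signed them, and whether any match a known-bad name. The PowerShell inventory below is an added example, not code from Eclypsium or the article; the only watchlist entry taken from the page is RWDrv.sys, and the WHQL signer check is an assumed subject-name match that you should verify against your own environment.

```powershell
# Added example (not from the Eclypsium report or the article): inventory kernel
# drivers registered on this host, check their Authenticode status and signer
# certificate, and flag any file name on a watchlist. Only RwDrv.sys comes from
# the page; the watchlist is otherwise a constructed placeholder for your own intel.
$watchlist = @('RwDrv.sys')   # constructed watchlist; extend from your own sources

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise them.
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if (Test-Path -LiteralPath $p) { return $p }
    return $null
}

$report = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path   # embedded or catalog signature
    $cert = $sig.SignerCertificate
    $leaf = Split-Path $path -Leaf
    [pscustomobject]@{
        Name        = $d.Name
        State       = $d.State                           # Running / Stopped
        File        = $leaf
        SigStatus   = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject } else { '' }
        CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $false }
        # Assumed WHQL indicator: Microsoft's hardware-compatibility publisher subject.
        WHQL        = if ($cert) { $cert.Subject -like '*Windows Hardware Compatibility Publisher*' } else { $false }
        OnWatchlist = $watchlist -contains $leaf         # case-insensitive match
    }
}

# Watchlisted, unsigned, tampered, or expired-cert drivers deserve a closer look.
$report |
    Where-Object { $_.OnWatchlist -or $_.SigStatus -ne 'Valid' -or $_.CertExpired } |
    Sort-Object OnWatchlist -Descending |
    Format-Table Name, State, File, SigStatus, CertExpired, WHQL, OnWatchlist -AutoSize
```

A timestamped signature still reports Valid after its certificate expires, so CertExpired is informational rather than a verdict; the point the article makes is that Windows keeps loading such drivers either way.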
43 Comments on Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks
Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
Smartcom
In all seriousness, anything that runs with elevated privileges at any point could theoretically be a vector for attack, even in Linux. The difference is how drivers in Linux are delivered versus on Windows.
Problem is being solved... next! :)
For all we know, it could have been used repeatedly without anyone figuring out this was the cause. Now that it's known, developers involved can figure out ways to patch it, but before ... your guess is as good as mine.
When companies are victim of such breaches, they don't publish how they were attacked, do they?
eclypsium.com/wp-content/uploads/2019/08/EXTERNAL-Get-off-the-kernel-if-you-cant-drive-DEFCON27.pdf
Drivers with obvious privilege escalation issues should not be signed either.
More often than not they are though, but that is only half the issue. There are apparently privilege escalation means via signed drivers to bypass driver signing entirely.
tl;dr: The entire system is a lousy, broken mess, and it mostly originates in Microsoft policy. Depends on your definition of "Major."
I've seen it used.
The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.
General public may have been a target in the meanwhile in order for the hackers to "hone the hack" and, most likely, those affected individuals were never able to figure out how they got attacked.
I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.
google "R-T-B vjoy 1903" and you can see my proof.
The weak points in this otherwise strong system are next to no code inspection and a total lack of use of cert revocation. The thing is that unprivileged accesses can be escalated. Thus your system would do nothing for this issue.
WHQL always was, and always will be, a meaningless automated test with no added benefits.
Edit: RwDrv.sys is not signed by Microsoft: