- Joined
- Oct 9, 2007
- Messages
- 47,235 (7.55/day)
- Location
- Hyderabad, India
System Name | RBMK-1000 |
---|---|
Processor | AMD Ryzen 7 5700G |
Motherboard | ASUS ROG Strix B450-E Gaming |
Cooling | DeepCool Gammax L240 V2 |
Memory | 2x 8GB G.Skill Sniper X |
Video Card(s) | Palit GeForce RTX 2080 SUPER GameRock |
Storage | Western Digital Black NVMe 512GB |
Display(s) | BenQ 1440p 60 Hz 27-inch |
Case | Corsair Carbide 100R |
Audio Device(s) | ASUS SupremeFX S1220A |
Power Supply | Cooler Master MWE Gold 650W |
Mouse | ASUS ROG Strix Impact |
Keyboard | Gamdias Hermes E2 |
Software | Windows 11 Pro |
Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to gain privilege from Ring 3 to Ring 0 (unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program, includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter few names are motherboard manufacturers who design hardware monitoring and overclocking applications that install kernel-mode drivers into Windows for Ring-0 hardware-access.
As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.
View at TechPowerUp Main Site
As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.
View at TechPowerUp Main Site