
Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.

Edit: RwDrv.sys is not signed by Microsoft:

 
Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system are next to no code inspection and a total lack of use of cert revocation.

I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
 
No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.

Yeah, you can PAY all you want. You cannot however be approved.

Google what I told you, or let me just tag our founder who knows @W1zzard. GPU-Z uses a signed kernel mode driver.

I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.

Seconds? Seriously, nondevs need to get out of this discussion. No, that is not how it works and some of us actually do this for a living.

You may be able to get such a cert for apps, but not for drivers. Not at all. The issues are not in the ID-validation, but the code verification and the fact someone can use existing bad drivers to bypass it.

Example of how once admin is had (via another driver issue, like here), anything can be run/loaded unsigned:

 
Yeah, you can PAY all you want. You cannot however be approved.

Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.
 
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.

Did you read the article?

Did you google what I said?

Digicert is the approval agency for the cert (they issue it after you pass ID validation), you know the one you linked. You need to pass their validation. Looks like rwdrv is cross-signed by globalsign, and also subject to the older sha1 algorithm that is no longer allowed for new signatures.

Of course it is not signed by Microsoft, it's signed by the applicant. It must be cross-signed by Microsoft's root cert agencies to be used in modern Windows though. The agencies that review these are supposedly monitored and subject to review from Microsoft, but that's really kinda where things break down.

This used to be more lax but Microsoft tightened it a lot recently. And you can no longer apply under the old system. Or renew. The issue is the old drivers running around are exploitable in many ways... and signing review itself still is a joke after ID validation.
 
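An added example, not written by any poster in this thread, of how a defender can audit the signing chain the post above describes: it lists every running kernel driver, shows who signed it, and flags drivers that are unsigned, vendor-signed rather than WHQL/inbox-signed, or whose signer certificate still uses SHA-1. It assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from this thread): report the Authenticode signer of every
# running kernel driver so third-party and SHA-1-era signatures stand out.
function Get-DriverSignatureReport {
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be given as \??\C:\... or \SystemRoot\...; normalise it.
        $path = $d.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '(unsigned)' }
        # Algorithm the CA used to sign the signer certificate (e.g. sha1RSA).
        $algo = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { '' }

        [pscustomobject]@{
            Name     = $d.Name
            Path     = $path
            Status   = $sig.Status
            Signer   = $subject
            Issuer   = if ($cert) { $cert.Issuer } else { '' }
            CertAlgo = $algo
            # WHQL-signed drivers carry the Hardware Compatibility Publisher subject;
            # inbox drivers are signed as "Microsoft Windows". Anything else was
            # signed by the vendor's own (EV) certificate and cross-signed.
            WHQL     = ($subject -like '*Windows Hardware Compatibility Publisher*')
            Inbox    = ($subject -like 'CN=Microsoft Windows,*')
            # Worth a second look: invalid/unsigned, SHA-1 signer cert, or third party.
            Review   = ($sig.Status -ne 'Valid') -or ($algo -like 'sha1*') -or
                       -not ($subject -like 'CN=Microsoft *')
        }
    }
}

# Show only the drivers that merit review, grouped by signer.
Get-DriverSignatureReport | Where-Object Review | Sort-Object Signer |
    Format-Table Name, Status, CertAlgo, Signer -AutoSize
```

CertAlgo is the algorithm on the signer certificate, not the digest used over the driver file itself; for the full chain including any Microsoft cross-certificate, run `signtool verify /v /kp <driver.sys>` from the Windows SDK.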
Just went through the PDF, this is ultra cool.
 
To all who want a picture into signing a modern open source driver:

Look here, it seems my suggested google search is turning up the wrong thread. You should start reading at my first post to save time.

 

ATI logo... nice...
 
"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
 
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.

It's not impossible that something is affecting Linux users.
 
The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.

Intel had(ve) NSA backdoors in their firmware. Biggest GPU manufacturers have drivers like Swiss cheese. UEFI and TPM being manufactured in the deepest jungles of the far East.

Please tell me how to build trust?

Key here is risk! Not IF your systems are breached; knowing how to act and work under presumption they already are, is the tricky part here.

"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
Of course! My BIOS write protect switch is right next to the Turbo button. Man, 40MHz Turbo is the shizzle!
 
Intel had(ve) NSA backdoors in their firmware.

Please see here and don't bother parroting that conspiracy hogwash:

Under "political notes:"


I know a thing or two about this.

UEFI is much easier to mess with.

Yes and no. It's easier to machine read, but has some more protections to circumvent.

Please tell me how to build trust?

In short, you can't. But you can at least use Secure Boot as a start... but it's still, as I said, a broken mess. Part of my point.
 
Will this accelerate the move to Universal Windows Drivers?
 
Will this accelerate the move to Universal Windows Drivers?

1903 has already made pushes in that direction, so yes, it's already begun.
 
MSI is all "We're too busy having our one guy making updated BIOSes for the AMD boards, we don't have time for this right now. We'll get back to you next year if you remind us"
Judging by the quality and the frequency of UEFI releases of other vendors, I think it is a common thing nowadays.

Heck, it wouldn't surprise me if mobo vendors have just a couple of guys for UEFI development. Lord help us when one of them is on leave.
 
This is a Microsoft problem more than the other 40 companies.
How else can they run their spy programs ?
There has to be a high number of exploitables...and they are.
Driver-level access is like a root access so that's why many 'goodies' will try to exploit that.
 