VMware exploited 34 vulnerable device drivers to gain full control of Windows 11


Last updated 15 months ago

Security
Microsoft
windows
drivers




Modern Windows versions support device drivers written using the Windows Driver Model (WDM) and the Windows Driver Frameworks (WDF). Both models can be exploited to compromise a fully up-to-date Windows installation, essentially obtaining unrestricted control over a vulnerable system.

Bug hunters at the VMware Threat Analysis Unit (TAU) discovered 34 unique vulnerable Windows drivers, with 237 distinct file hashes belonging to legacy devices. Even though many of these drivers have revoked or expired security certificates, enterprises and other organizations are still using them to support old hardware across various industries.

VMware's TAU found this "unique" attack vector by implementing a static analysis automation script, finding that 30 WDM and four WDF drivers with firmware access could provide full control of devices to non-admin users. Windows 11 now blocks vulnerable drivers by default via the Hypervisor-Protected Code Integrity (HVCI) feature; however, TAU analysts were able to load the newly discovered drivers on HVCI-enabled Windows 11 systems, except for five.

By exploiting the vulnerable drivers, TAU said, malicious actors without system privileges could erase or modify a machine's firmware, escalate access privileges, disable security features, install antivirus-resistant bootkits, and more. Previous research on vulnerable drivers focused solely on the older WDM model, but VMware analysts were able to find issues in the newer WDF drivers as well.

After discovering the flawed drivers, the researchers developed working proof-of-concept (PoC) exploits to practically demonstrate their findings. A PoC for an AMD driver (pdfwkrnl.sys) could run the command prompt (cmd.exe) at "system integrity level" on an HVCI-enabled Windows 11 OS, while another PoC could provide firmware-erasing capabilities (at least the first 4KB of data in the firmware's own SPI flash memory) on Intel Apollo SoC systems.

While a number of vulnerable drivers have already been reported by researchers, TAU said that their new analysis methodology was good enough to find new ones that still carry valid signatures. Microsoft tries to combat the vulnerable driver problem with a "banned-list" approach, but TAU is proposing a more comprehensive approach for the future.

VMware analysts are releasing their scripts and PoC as open-source code on GitHub. They also provide commands "limited" to firmware access, but the code can easily be extended to cover other attack vectors. The IoC (Indicators of Compromise) list of vulnerable drivers has been made public and is available through the Living Off The Land Drivers watchlist.
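Since the findings are published as a hash list through the Living Off The Land Drivers watchlist, and the article notes that HVCI is the control meant to block such drivers, a defender's first check is whether HVCI is actually running and whether any installed driver matches the list or is running on an unsigned or expired certificate. The following PowerShell triage script is an added example, not code from VMware TAU or the LOLDrivers project; it assumes it is run as Administrator and that `$BlockedHashes` is filled from an exported SHA256 list (the value shown is a constructed placeholder).

```powershell
# Added example (not VMware TAU's tooling): triage installed kernel drivers
# against a hash list such as LOLDrivers and report HVCI status.
# Assumptions: run elevated; replace the placeholder below with real SHA256
# values exported from the LOLDrivers watchlist.
$BlockedHashes = @{}
@(
    'PLACEHOLDER_SHA256_FROM_LOLDRIVERS_LIST_0000000000000000000000000000'
) | ForEach-Object { $BlockedHashes[$_.ToUpperInvariant()] = $true }

# 1. Is HVCI really running? Win32_DeviceGuard.SecurityServicesRunning
#    contains 2 when HVCI is active (1 would be Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Write-Host ("HVCI running: {0}" -f $hvciRunning)

# 2. Enumerate drivers registered with the Service Control Manager, normalise
#    the image path, then hash the file and inspect its Authenticode signature.
$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName }) {
    $path = $drv.PathName -replace '^\\\?\?\\', ''          # strip a leading \??\ prefix
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot\...
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Name        = $drv.Name
        State       = $drv.State
        Path        = $path
        SHA256      = $hash
        InLOLList   = $BlockedHashes.ContainsKey($hash)
        SigStatus   = $sig.Status
        Signer      = if ($cert) { $cert.Subject } else { '' }
        CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

# 3. Surface only what deserves a look: a known-bad hash, a missing or invalid
#    signature, or a currently running driver whose signing cert has expired.
$findings |
    Where-Object { $_.InLOLList -or $_.SigStatus -ne 'Valid' -or ($_.CertExpired -and $_.State -eq 'Running') } |
    Sort-Object InLOLList -Descending |
    Format-Table Name, State, InLOLList, SigStatus, CertExpired, Path -AutoSize
```

An expired certificate on a timestamped signature is still accepted by Windows, so the `CertExpired` column is a triage signal rather than proof of a problem; the hash match against the watchlist is the authoritative indicator.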


safirsoft.com© 2023 All rights reserved
