Sunday, August 11th 2019

Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to escalate privilege from Ring 3 (user mode) to Ring 0 (kernel mode, with unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter names are motherboard manufacturers whose hardware-monitoring and overclocking applications install kernel-mode drivers into Windows for Ring-0 hardware access.

As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks that exploit device drivers: RWEverything, LoJax (the first UEFI malware), and Slingshot. At the heart of these is the way Windows continues to load drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts and bolts of each issue, but briefly defined the three in a DEF CON presentation. The firm is working with several of the listed manufacturers on mitigations and patches, and is under embargo pending a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It runs in user space, but through its one-time-installed, signed RWDrv.sys kernel-mode driver it acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to reach the SPI flash controller in your motherboard chipset and modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers exposing MSR read/write to bypass driver signing enforcement and install a rootkit.
Source: Eclypsium

43 Comments on Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

#26
TheGuruStud
R-T-B (post 4096450, member 41983) wrote:
Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system are next to no code inspection and a total lack of use of cert revocation.
I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
#27
R-T-B
BoMbY (post 4096451, member 163247) wrote:
No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.
Yeah, you can PAY all you want. You cannot however be approved.

Google what I told you, or let me just tag our founder who knows @W1zzard. GPU-Z uses a signed kernel mode driver.

TheGuruStud (post 4096456, member 42692) wrote:
I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
Seconds? Seriously, nondevs need to get out of this discussion. No, that is not how it works and some of us actually do this for a living.

You may be able to get such a cert for apps, but not for drivers. Not at all. The issues are not in the ID-validation, but the code verification and the fact someone can use existing bad drivers to bypass it.

Example of how once admin is had (via another driver issue, like here), anything can be run/loaded unsigned:

https://github.com/hfiref0x/TDL/blob/master/README.md
#28
BoMbY
R-T-B (post 4096457, member 41983) wrote:
Yeah, you can PAY all you want. You cannot however be approved.
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.
#30
R-T-B
BoMbY (post 4096461, member 163247) wrote:
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.
Did you read the article?

Did you google what I said?

Digicert is the approval agency for the cert (they issue it after you pass ID validation), you know the one you linked. You need to pass their validation. Looks like rwdrv is cross-signed by globalsign, and also subject to the older sha1 algorithm that is no longer allowed for new signatures.

Of course it is not signed by Microsoft, it's signed by the applicant. It must be cross-signed by Microsoft's root cert agencies to be used in modern Windows though. The agencies that review these are supposedly monitored and subject to review from Microsoft, but that's really kinda where things break down.

This used to be more lax but Microsoft tightened it a lot recently. And you can no longer apply under the old system. Or renew. The issue is the old drivers running around are exploitable in many ways... and signing review itself still is a joke after ID validation.
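Checking a Windows machine for the driver-signing conditions the article and R-T-B's post #30 describe (registered drivers that still load on invalid, expired or SHA-1 certificate chains), as an added PowerShell example that is not from Eclypsium's report or from anyone in the thread; it assumes Windows PowerShell 5.1 or later (for the IsOSBinary property) in an elevated prompt and uses only built-in cmdlets.

```powershell
# Added example (not code from Eclypsium's report or from anyone in the thread).
# Inventories registered kernel drivers, checks each file's Authenticode signature
# and flags the conditions discussed above: invalid/missing signature, expired
# signer certificate, SHA-1 certificate chain. Built-in cmdlets only; run elevated.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a file path.
    $p = $PathName -replace '^\\\?\?\\', ''              # strip a leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # bare system32\...
    return $p
}

function Get-DriverSignatureReport {
    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }                      # no file recorded
        $file = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $file)) { return }   # skip stale registrations
        $sig  = Get-AuthenticodeSignature -LiteralPath $file
        $cert = $sig.SignerCertificate
        $issues = @()
        if ($sig.Status -ne 'Valid') { $issues += "signature:$($sig.Status)" }
        if ($cert) {
            # An expired signer cert with a valid countersignature timestamp still loads;
            # flag it anyway, since stale certificates staying trusted is the point above.
            if ($cert.NotAfter -lt $now) { $issues += 'signer-cert-expired' }
            if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') { $issues += 'sha1-cert' }
        }
        [pscustomobject]@{
            Driver     = $_.Name
            State      = $_.State            # Running / Stopped
            Path       = $file
            OSBinary   = $sig.IsOSBinary     # $true for Microsoft-shipped binaries
            Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
            CertExpiry = if ($cert) { $cert.NotAfter } else { $null }
            Issues     = ($issues -join ', ')
        }
    }
}

# Third-party drivers with at least one finding; running ones are the ones to look at first.
Get-DriverSignatureReport |
    Where-Object { -not $_.OSBinary -and $_.Issues } |
    Sort-Object State, Driver |
    Format-Table Driver, State, Signer, CertExpiry, Issues -AutoSize
```

A hit in this list is a prompt to check the vendor for a newer build or to block the driver with a WDAC/driver block policy, not proof of compromise; the SHA-1 check looks at the signer certificate's own algorithm, which is a reasonable proxy for the file digest the Signature object does not expose.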
#31
Solaris17
Dainty Moderator
Just went through the PDF, this is ultra cool.
#32
R-T-B
To all who want a picture into signing a modern open source driver:

Look here, it seems my suggested google search is turning up the wrong thread. You should start reading at my first post to save time.

https://github.com/shauleiz/vJoy/issues/23
#33
Ferrum Master
biffzinker (post 4096433, member 163731) wrote:

ATI logo... nice...
#34
OC-Ghost
"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
#35
FinneousPJ
birdie (post 4096349, member 131299) wrote:
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
It's not impossible that something is affecting Linux users.
#36
zlobby
R-T-B (post 4096437, member 41983) wrote:
The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.
Intel had(ve) NSA backdoors in their firmware. Biggest GPU manufacturers have drivers like Swiss cheese. UEFI and TPM being manufactured in the deepest jungles of the far East.

Please tell me how to build a trust?

Key here is risk! Not IF your systems are breached; knowing how to act and work under presumption they already are, is the tricky part here.

OC-Ghost (post 4096505, member 182325) wrote:
"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
Of course! My BIOS write protect switch is right next to the Turbo button. Man, 40MHz Turbo is the shizzle!
#37
bug
micropage7 (post 4096353, member 82848) wrote:
LoJax (first UEFI malware) can rewrite UEFI? never thought that malware can rewrite in BIOS level
Oh there have been a handful of viruses that could mess up the BIOS back in the 90s. UEFI is much easier to mess with. Because of the way it works, a simple delete of a partition can render a system unable to boot (https://superuser.com/questions/1240093/what-if-i-delete-efi-partition-from-my-drive).
#38
R-T-B
zlobby (post 4096517, member 172939) wrote:
Intel had(ve) NSA backdoors in their firmware.
Please see here and don't bother parroting that conspiracy hogwash:

Under "political notes:"

https://www.techpowerup.com/forums/threads/asrock-z370-z390-taichi-and-some-others-actively-modding-firmware-with-intel-management-engine-disabled.243939/

I know a thing or two about this.

bug (post 4096553, member 157434) wrote:
UEFI is much easier to mess with.
Yes and no. It's easier to machine read, but has some more protections to circumvent.

zlobby (post 4096517, member 172939) wrote:
Please tell me how to build a trust?
In short, you can't. But you can at least use secureboot as a start... but it's still, as I said, a broken mess. Part of my point.
#39
biffzinker
Will this accelerate the move to Universal Windows Drivers?
#40
R-T-B
biffzinker (post 4096575, member 163731) wrote:
Will this accelerate the move to Universal Windows Drivers?
1903 has already made pushes in that direction, so yes, it's already begun.
#41
Bitgod
MSI is all "We're too busy having our one guy making updated BIOSes for the AMD boards, we don't have time for this right now. We'll get back to you next year if you remind us"
#42
zlobby
Bitgod (post 4096638, member 55756) wrote:
MSI is all "We're too busy having our one guy making updated BIOSes for the AMD boards, we don't have time for this right now. We'll get back to you next year if you remind us"
Judging by the quality and the frequency of UEFI releases of other vendors, I think it is a common thing nowadays.

Heck, it wouldn't surprise me if mobo vendors have just a couple of guys for UEFI development. Lord help us when one of them is on leave.
#43
BorgOvermind
moproblems99 (post 4096436, member 155919) wrote:
This is a Microsoft problem more than the other 40 companies.
How else can they run their spy programs?
There has to be a high number of exploitables...and they are.
Driver-level access is like a root access so that's why many 'goodies' will try to exploit that.