
Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

Joined
Feb 29, 2016
Messages
12 (0.00/day)
No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.

Edit: RwDrv.sys is not signed by Microsoft:
Joined
Sep 15, 2007
Messages
3,944 (0.65/day)
Location
Police/Nanny State of America
Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system are next to no code inspection and a total lack of use of cert revocation.

I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.

Yeah, you can PAY all you want. You cannot however be approved.

Google what I told you, or let me just tag our founder who knows @W1zzard. GPU-Z uses a signed kernel mode driver.

I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.

Seconds? Seriously, nondevs need to get out of this discussion. No, that is not how it works and some of us actually do this for a living.

You may be able to get such a cert for apps, but not for drivers. Not at all. The issues are not in the ID-validation, but the code verification and the fact someone can use existing bad drivers to bypass it.

Example of how once admin is had (via another driver issue, like here), anything can be run/loaded unsigned:
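The check the signing argument above keeps circling back to (is a given driver Microsoft/WHQL-signed or cross-signed through a third-party CA, is the certificate SHA-1, is it timestamped, does revocation still pass, and is the box in a state where an admin can load unsigned code at all) can be scripted. The following is an added example, not code from this thread or from any vendor; it assumes an elevated PowerShell 5.1 or later prompt on Windows 10/11 and uses only built-in cmdlets and .NET classes:

```powershell
# Added example: audit every registered kernel driver's Authenticode signature
# plus the code-integrity posture that decides whether unsigned code can load.

function Get-CodeIntegrityPosture {
    # Secure Boot off or test-signing on means the signature checks below are
    # advisory only for anyone who already holds admin rights.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on legacy BIOS boot
    $testSigning = [bool](bcdedit /enum '{current}' | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
    [pscustomobject]@{ SecureBoot = $secureBoot; TestSigning = $testSigning }
}

function Get-KernelDriverSignatureReport {
    # Win32_SystemDriver lists every registered kernel driver service, running or not.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }

        # PathName may be \??\C:\..., \SystemRoot\..., or system32\drivers\...; make it absolute.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Only the primary signature is returned here; a dual-signed (SHA-1 plus
        # SHA-256) driver needs `signtool verify /v /all /kp <file>` to show both.
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        $signer = '<unsigned>'
        $alg    = $null
        $root   = $null
        if ($cert) {
            $signer = $cert.Subject
            $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA vs sha256RSA on the signing cert
            # Walk up to the root: a WHQL/attestation-signed driver chains to a
            # Microsoft root, a cross-signed third-party driver to the CA that
            # issued the vendor's EV certificate (GlobalSign, DigiCert, ...).
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'   # also tests revocation; use 'NoCheck' offline
            [void]$chain.Build($cert)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Name            = $d.Name
            State           = $d.State
            Path            = $path
            Status          = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer          = $signer
            Root            = $root
            CertSigAlg      = $alg
            MicrosoftSigned = [bool]($cert -and $cert.Subject -match 'CN=Microsoft Windows')
            Timestamped     = [bool]$sig.TimeStamperCertificate
        }
    }
}

Get-CodeIntegrityPosture | Format-List

# Third-party-signed, SHA-1 and invalid entries sort to the top: those are the
# ones to compare against the vendor advisories before deciding what to block.
Get-KernelDriverSignatureReport |
    Sort-Object MicrosoftSigned, Status, CertSigAlg |
    Format-Table Name, State, Status, MicrosoftSigned, CertSigAlg, Signer, Root -AutoSize
```

Two caveats: `Status` reports whether the signature verifies, not whether the code behind it is safe, which is exactly the gap the thread is about, so a `Valid` row from a vendor on the advisory list is still a problem; and `RevocationMode = 'Online'` needs network access, otherwise chain building silently degrades to the offline result.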
Joined
Feb 29, 2016
Messages
12 (0.00/day)
Yeah, you can PAY all you want. You cannot however be approved.

Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
Location
Republic of Texas (True Patriot)
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.

Did you read the article?

Did you google what I said?

Digicert is the approval agency for the cert (they issue it after you pass ID validation), you know the one you linked. You need to pass their validation. Looks like rwdrv is cross-signed by globalsign, and also subject to the older sha1 algorithm that is no longer allowed for new signatures.

Of course it is not signed by Microsoft, it's signed by the applicant. It must be cross-signed by Microsoft's root cert agencies to be used in modern Windows though. The agencies that review these are supposedly monitored and subject to review from Microsoft, but that's really kinda where things break down.

This used to be more lax but Microsoft tightened it a lot recently. And you can no longer apply under the old system. Or renew. The issue is the old drivers running around are exploitable in many ways... and signing review itself still is a joke after ID validation.

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,774 (3.79/day)
Location
Alabama
Just went through the PDF, this is ultra cool.
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
To all who want a picture into signing a modern open source driver:

Look here, it seems my suggested google search is turning up the wrong thread. You should start reading at my first post to save time.
Joined
Nov 18, 2010
Messages
7,106 (1.46/day)
Location
Rīga, Latvia

ATI logo... nice...
Joined
Oct 15, 2018
Messages
43 (0.02/day)
Location
EU
"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
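What "BIOS write protection" means at the chipset level for the LoJax/RwDrv.sys case quoted above is a handful of register bits. The following is an added example, not code from this thread, from LoJax or from any tool: it decodes the Intel PCH BIOS_CNTL register and the SPI controller's PR0..PR4 protected-range registers using the Series 6 and later bit layouts that CHIPSEC's common.bios_wp module reads, and reports whether the flash region holding the UEFI image is writable. The register values fed in at the bottom are constructed for illustration, not read from hardware:

```powershell
# Added example: decode Intel PCH flash write-protection state from register values.
# Bit layouts (assumed from Intel Series 6+ PCH datasheets as used by CHIPSEC):
#   BIOS_CNTL  bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP
#   PRx        bit 31 WPE, bits 28:16 PRL, bit 15 RPE, bits 12:0 PRB (4 KiB units)

function Get-ProtectedRange {
    param([uint32]$Value)   # one SPI PR0..PR4 register
    $v = [uint64]$Value
    [pscustomobject]@{
        WriteProtect = (($v -shr 31) -band 1) -eq 1                                  # WPE
        ReadProtect  = (($v -shr 15) -band 1) -eq 1                                  # RPE
        Base         = [uint64](($v -band 0x1FFF) -shl 12)                           # PRB
        Limit        = [uint64]((($v -shr 16) -band 0x1FFF) -shl 12) -bor 0xFFF      # PRL, inclusive
    }
}

function Test-BiosWriteProtection {
    param(
        [uint32]$BiosCntl,            # BIOS_CNTL, LPC/eSPI config space offset 0xDC
        [uint32[]]$ProtectedRanges,   # PR0..PR4 from SPI controller MMIO
        [uint64]$BiosRegionBase,      # BIOS region from the flash descriptor
        [uint64]$BiosRegionLimit
    )
    $biosWe = ($BiosCntl -band 0x01) -ne 0   # BIOSWE: writes to the BIOS region enabled
    $ble    = ($BiosCntl -band 0x02) -ne 0   # BLE: setting BIOSWE raises an SMI so firmware can clear it
    $smmBwp = ($BiosCntl -band 0x20) -ne 0   # SMM_BWP: writes only honoured while the CPU is in SMM

    # PRx coverage: do the write-protected ranges, merged, cover the whole BIOS region?
    $covered = $false
    $ranges = $ProtectedRanges | ForEach-Object { Get-ProtectedRange $_ } |
        Where-Object { $_.WriteProtect } | Sort-Object Base
    $cursor = $BiosRegionBase
    foreach ($r in $ranges) {
        if ($r.Base -gt $cursor) { break }                  # uncovered gap before this range
        if ($r.Limit -ge $cursor) { $cursor = $r.Limit + 1 }
        if ($cursor -gt $BiosRegionLimit) { $covered = $true; break }
    }

    # BLE on its own can be raced: set BIOSWE and issue the write before the SMI
    # handler clears the bit again. SMM_BWP closes that window; PRx ranges are an
    # independent second lock. Either full mechanism is enough to block a LoJax-style write.
    $lockedByCntl = (-not $biosWe) -and $ble -and $smmBwp
    [pscustomobject]@{
        BIOSWE           = $biosWe
        BLE              = $ble
        SMM_BWP          = $smmBwp
        LockedByBiosCntl = $lockedByCntl
        BleWithoutSmmBwp = (-not $biosWe) -and $ble -and (-not $smmBwp)
        CoveredByPRx     = $covered
        FlashWritable    = -not ($lockedByCntl -or $covered)
    }
}

# Constructed sample 1: 16 MiB flash, BIOS region in the top 8 MiB, BLE and SMM_BWP
# set, PR0 write-protecting exactly that region. Expect FlashWritable = False.
Test-BiosWriteProtection -BiosCntl 0x22 -ProtectedRanges @(0x8FFF0800, 0, 0, 0, 0) -BiosRegionBase 0x800000 -BiosRegionLimit 0xFFFFFF | Format-List

# Constructed sample 2: BLE set, SMM_BWP clear, no PRx. Looks locked in a BIOS
# setup screen, is not. Expect BleWithoutSmmBwp = True, FlashWritable = True.
Test-BiosWriteProtection -BiosCntl 0x02 -ProtectedRanges @(0, 0, 0, 0, 0) -BiosRegionBase 0x800000 -BiosRegionLimit 0xFFFFFF | Format-List
```

On real hardware these values are read through PCI config space and SPI MMIO, which needs a kernel driver with physical memory and port access, the same capability the vulnerable drivers in the article expose to unprivileged callers; CHIPSEC does it with its own driver (`chipsec_main -m common.bios_wp` and `common.spi_lock`). Two things this decode does not cover: the PRx settings only stick if FLOCKDN in the SPI HSFS register was set before the OS booted, and a board whose firmware never sets any of these bits is writable regardless of what a "BIOS write protect" setup option claims.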
Joined
Jul 26, 2019
Messages
418 (0.24/day)
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.

It's not impossible that something is affecting Linux users.
Joined
Jul 10, 2017
Messages
2,671 (1.09/day)
The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.

Intel had(ve) NSA backdoors in their firmware. Biggest GPU manufacturers have drivers like Swiss cheese. UEFI and TPM being manufactured in the deepest jungles of the far East.

Please tell me how to build a trust?

Key here is risk! Not IF your systems are breached; knowing how to act and work under presumption they already are, is the tricky part here.

"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
Of course! My BIOS write protect switch is right next to the Turbo button. Man, 40MHz Turbo is the shizzle!

bug

Joined
May 22, 2015
Messages
13,163 (4.07/day)
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Intel had(ve) NSA backdoors in their firmware.

Please see here and don't bother parroting that conspiracy hogwash:

Under "political notes:"


I know a thing or two about this.

UEFI is much easier to mess with.

Yes and no. It's easier to machine read, but has some more protections to circumvent.

Please tell me how to build a trust?

In short, you can't. But you can at least use secureboot as a start... but it's still, as I said, a broken mess. Part of my point.
Joined
Mar 23, 2016
Messages
4,839 (1.65/day)
Will this accelerate the move to Universal Windows Drivers?
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Will this accelerate the move to Universal Windows Drivers?

1903 has already made pushes in that direction, so yes, it's already begun.
Joined
Jul 10, 2017
Messages
2,671 (1.09/day)
MSI is all "We're too busy having our one guy making updated BIOSes for the AMD boards, we don't have time for this right now. We'll get back to you next year if you remind us"
Judging by the quality and the frequency of UEFI releases of other vendors, I think it is a common thing nowadays.

Heck, it wouldn't surprise me if mobo vendors have just a couple of guys for UEFI development. Lord help us when one of them is on leave.
Joined
Oct 28, 2010
Messages
251 (0.05/day)
This is a Microsoft problem more than the other 40 companies.
How else can they run their spy programs ?
There has to be a high number of exploitables...and they are.
Driver-level access is like a root access so that's why many 'goodies' will try to exploit that.