
Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system are next to no code inspection and a total lack of use of cert revocation.
I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
No, you can sign drivers all you want: https://www.digicert.com/code-signing/driver-signing-certificates.htm

WHQL always was, and always will be, a meaningless automated test with no added benefits.
Yeah, you can PAY all you want. You cannot however be approved.

Google what I told you, or let me just tag our founder who knows @W1zzard. GPU-Z uses a signed kernel mode driver.

I mean... I can "sign" a driver and windows/applications believe it's legitimate. It runs in normal mode and security applications designed to run only with signed drivers are happy.

Indeed, anyone can sign a driver in seconds for free.
Seconds? Seriously, nondevs need to get out of this discussion. No, that is not how it works and some of us actually do this for a living.

You may be able to get such a cert for apps, but not for drivers. Not at all. The issues are not in the ID-validation, but the code verification and the fact someone can use existing bad drivers to bypass it.

Example of how once admin is had (via another driver issue, like here), anything can be run/loaded unsigned:

Yeah, you can PAY all you want. You cannot however be approved.
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.
Approved for what? You don't need anything from Microsoft. RwDrv.sys is not signed by Microsoft. Whoever made you believe this was 100% wrong.
Did you read the article?

Did you google what I said?

Digicert is the approval agency for the cert (they issue it after you pass ID validation), you know the one you linked. You need to pass their validation. Looks like rwdrv is cross-signed by GlobalSign, and also subject to the older sha1 algorithm that is no longer allowed for new signatures.

Of course it is not signed by Microsoft, it's signed by the applicant. It must be cross-signed by Microsoft's root cert agencies to be used in modern Windows though. The agencies that review these are supposedly monitored and subject to review from Microsoft, but that's really kinda where things break down.

This used to be more lax but Microsoft tightened it a lot recently. And you can no longer apply under the old system. Or renew. The issue is the old drivers running around are exploitable in many ways... and signing review itself still is a joke after ID validation.
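An added defender's check, not code from the thread or from any of the posters: it lists the kernel drivers loaded right now, who signed each, whether the Authenticode chain validates, and whether the signing certificate itself is SHA-1, which the post above notes is no longer accepted for new signatures. It uses only standard cmdlets; the path normalisation is an assumption about how Win32_SystemDriver reports driver paths.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on
# Windows 10 or later. Reports every running kernel driver with its signer,
# Authenticode status and whether the signing certificate uses SHA-1.

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Assumption: PathName may be an NT-style path such as \??\C:\... or
    # \SystemRoot\System32\drivers\x.sys; normalise it to a Win32 path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path   # handles catalog-signed files too
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
        CertSigAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { '' }
        IsOSBinary = $sig.IsOSBinary      # $true when signed by Microsoft itself
        Sha1Cert   = [bool]$cert -and ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*')
    }
}

# Third-party (non-Microsoft) drivers are the ones under discussion; show them first.
$report | Where-Object { -not $_.IsOSBinary } |
    Sort-Object Status, Sha1Cert -Descending |
    Format-Table Driver, Status, Sha1Cert, Signer -AutoSize

# Anything whose signature is not Valid, or whose signing cert is SHA-1
# (i.e. issued before the tightened rules), deserves a closer look.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' -or $_.Sha1Cert }
$suspect | Format-List Driver, Path, Status, CertSigAlg, Signer
```

A valid signature only proves who signed the file, not that the driver is free of the kind of flaw the article describes; treat this as an inventory to cross-check against the vendor advisories, not as a verdict.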

Solaris17
Just went through the PDF, this is ultra cool.
To all who want a picture into signing a modern open source driver:

Look here, it seems my suggested google search is turning up the wrong thread. You should start reading at my first post to save time.

ATI logo... nice...
"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
It's not impossible that something is affecting Linux users.
The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.
Intel had(ve) NSA backdoors in their firmware. Biggest GPU manufacturers have drivers like Swiss cheese. UEFI and TPM being manufactured in the deepest jungles of the far East.

Please tell me how to build a trust?

Key here is risk! Not IF your systems are breached; knowing how to act and work under presumption they already are, is the tricky part here.

"LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash "

Anyone else remember having to enable/disable BIOS write protection setting? :)
Of course! My BIOS write protect switch is right next to the Turbo button. Man, 40MHz Turbo is the shizzle!
 
Intel had(ve) NSA backdoors in their firmware.
Please see here and don't bother parroting that conspiracy hogwash:

Under "political notes:"


I know a thing or two about this.

UEFI is much easier to mess with.
Yes and no. It's easier to machine read, but has some more protections to circumvent.

Please tell me how to build a trust?
In short, you can't. But you can at least use secureboot as a start... but it's still, as I said, a broken mess. Part of my point.
Will this accelerate the move to Universal Windows Drivers?
Will this accelerate the move to Universal Windows Drivers?
1903 has already made pushes in that direction, so yes, it's already begun.
MSI is all "We're too busy having our one guy making updated BIOSes for the AMD boards, we don't have time for this right now. We'll get back to you next year if you remind us"
Judging by the quality and the frequency of UEFI releases of other vendors, I think it is a common thing nowadays.

Heck, it wouldn't surprise me if mobo vendors have just a couple of guys for UEFI development. Lord help us when one of them is on leave.
This is a Microsoft problem more than the other 40 companies.
How else can they run their spy programs?
There has to be a high number of exploitables...and they are.
Driver-level access is like a root access so that's why many 'goodies' will try to exploit that.