In context: Modern Windows versions support device drivers written through the Windows Driver Model (WDM) and the Windows Driver Frameworks (WDF). Both models can be exploited to compromise a fully updated Windows installation, essentially obtaining unrestricted control over a vulnerable system.
Bug hunters at the VMware Threat Analysis Unit (TAU) discovered 34 unique vulnerable Windows drivers, with 237 different file hashes belonging to legacy devices. Even though many of these drivers have revoked or expired security certificates, companies and other organizations are still using them to support old hardware across various industries.
VMware’s TAU discovered this “unique” attack vector by implementing a static analysis automation script, finding that 30 WDM and 4 WDF drivers with firmware access could give non-admin users full control of a device. Windows 11 now blocks known vulnerable drivers by default through the Hypervisor-Protected Code Integrity (HVCI) feature; however, TAU analysts were able to load all but five of the newly discovered drivers on HVCI-enabled Windows 11 systems.
By exploiting the vulnerable drivers, TAU said, malicious actors without system privileges could erase or alter a machine’s firmware, elevate access privileges, disable security features, install antivirus-resistant bootkits, and more. Previous research on vulnerable drivers focused exclusively on the older WDM model, but VMware analysts were able to detect issues within the newer WDF drivers as well.
After discovering the flawed drivers, the researchers developed potent proof-of-concept (PoC) exploits to practically demonstrate their findings. A PoC for an AMD driver (pdfwkrnl.sys) could run the command prompt (cmd.exe) at “system integrity level” on an HVCI-enabled Windows 11 OS, while another PoC could provide firmware-erasing capabilities (at least the first 4 KB of data in the firmware’s own SPI flash memory) on Intel Apollo SoC platforms.
While many vulnerable drivers have already been reported by researchers, TAU said that its new analysis methodology was able to find new ones that still carry valid signatures. Microsoft tries to fight the vulnerable driver problem with a “banned-list” method, but TAU is proposing a more comprehensive approach for the future.
VMware analysts are releasing their scripts and PoC as open-source code on GitHub. They also provide instructions “limited” to firmware access, but the code can easily be extended to cover other attack vectors. The IoC (Indicators of Compromise) list of vulnerable drivers has been made public and is accessible through the Living Off The Land Drivers watchlist.
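For defenders, the practical follow-up to a story like this is to check two things on each Windows host: whether HVCI is actually running, and whether any installed kernel driver's hash appears on a watchlist of known-vulnerable drivers. The PowerShell audit script below is an added example, not code from VMware, TAU or the LOLDrivers project; it assumes a local text file of lowercase SHA-256 hashes (one per line, exported from whatever watchlist the organization uses) at a placeholder path, and it uses only standard cmdlets and the `Win32_DeviceGuard` / `Win32_SystemDriver` CIM classes.

```powershell
# Added example (not from the VMware TAU research or the LOLDrivers project):
# report HVCI status and compare SHA-256 hashes of installed kernel drivers
# against a locally supplied blocklist of known-vulnerable driver hashes.
# Assumption: $BlocklistPath points at a text file with one SHA-256 per line;
# the path below is a placeholder, not a value from the article.
param(
    [string]$BlocklistPath = "C:\audit\vulnerable-driver-hashes.txt"
)

# 1. HVCI status. Win32_DeviceGuard.SecurityServicesRunning lists the running
#    security services; the value 2 denotes Hypervisor-enforced Code Integrity.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("HVCI running: {0}" -f $hvciRunning)

# 2. Load the blocklist into a case-insensitive hash set for fast lookups.
$blocklist = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
if (Test-Path -LiteralPath $BlocklistPath) {
    Get-Content -LiteralPath $BlocklistPath | ForEach-Object {
        $h = $_.Trim()
        if ($h) { [void]$blocklist.Add($h) }
    }
} else {
    Write-Warning "Blocklist not found at $BlocklistPath; only HVCI status is reported."
}

# 3. Enumerate installed kernel drivers (running or stopped) and hash their files.
$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = $drv.PathName
    if (-not $path) { continue }
    # PathName may be quoted or carry an NT-style prefix; normalise before hashing.
    $path = $path.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Name    = $drv.Name
        State   = $drv.State
        Path    = $path
        SHA256  = $sha
        Flagged = $blocklist.Contains($sha)
    }
}

# 4. Report blocklist matches first; an empty result means no listed hash was found.
$flagged = @($findings | Where-Object { $_.Flagged })
if ($flagged.Count -gt 0) {
    Write-Host "Drivers matching the blocklist:"
    $flagged | Format-Table Name, State, Path, SHA256 -AutoSize
} else {
    Write-Host ("No installed driver matched the blocklist ({0} drivers checked)." -f @($findings).Count)
}
```

Run it from an elevated PowerShell session so every driver file is readable. A match is a signal to investigate, not proof of compromise: a hash on the watchlist means the file is a known-vulnerable driver that an attacker could bring along, and the usual response is to remove it if the hardware no longer needs it, or to confirm that HVCI and Microsoft's driver block rules are preventing it from loading.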