Security Researcher Finds 34 Windows Driver Flaws That Allow Full Takeover

hacker encryption
In case you weren't aware, VMware operates a security arm called Carbon Black. On Halloween, Carbon Black's Threat Analysis Unit (TAU) announced that it had found 34 different vulnerable Windows drivers that had firmware access. To be clear, that's 34 unique filenames; the actual number of different driver files is 237.

takahiro haruyama tweet carbon black tau

What do we mean when we say "vulnerable"? Well, these are third-party driver files that can be used by a non-admin user to modify or erase the system firmware. To put it as clearly as possible: these drivers could allow an attacker that gains basic user access to your system to nuke or alter your system's UEFI firmware.

erased firmware
TAU managed to blank the system firmware on the test rig.

Those aren't the only functions that some of these drivers allow. Six of the drivers grant kernel-level memory access, allowing an attacker to elevate themselves or really do whatever they want. An additional twelve of the drivers could allow a bad actor to modify the system's model-specific registers (MSRs.) This could allow them to bypass and disable security features and exploit mitigations, or simply crash the system.

TAU's blog about its findings notes the flaws in earlier research done on this topic, and then presents a different automated method of looking for these flaws using Python in combination with IDA Pro, a popular disassembler used by reverse engineers. For this effort, TAU focused on drivers that include the ability to access firmware through port I/O and memory-mapped I/O.

Affected drivers: stdcdrv64.sys, IoAccess.sys, GEDevDrv.SYS, GtcKmdfBs.sys, PDFWKRNL.sys, TdkLib64.sys, phymem_ext64.sys, rtif.sys, cg6kwin2k.sys, RadHwMgr.sys, FPCIE2COM.sys, ecsiodriverx64.sys, sysconp.sys, ngiodriver.sys, avalueio.sys, tdeio64.sys, WiRwaDrv.sys, CP2X72C.SYS, SMARTEIO64.SYS, AODDriver.sys, dellbios.sys, stdcdrvws64.sys, sepdrv3_1.sys, kerneld.amd64, hwdetectng.sys, VdBSv64.sys, nvoclock.sys, rtport.sys, ComputerZ.sys, SBIOSIO64.sys, SysInfoDetectorX64.sys, nvaudio.sys, FH-EtherCAT_DIO.sys, atlAccess.sys
Many of the exploitable drivers that TAU found are from major vendors, like Intel, AMD, and Dell, just to name a few. These aren't shady third-party programs downloaded from some sketchy malware site, but official drivers installed by these corporations for their own purposes—typically firmware updates.

windows11 updated exploit
The vendors demonstrated their exploit on a fully-patched Windows 11 system.

Concerningly, while TAU reported these flaws to the vendors, only two of them actually fixed the problems. Phoenix Technologies patched its TdkLib64.sys driver, and AMD updated PDFWKRNL.SYS, too. That leaves numerous exploitable drivers out there in the wild, although up-to-date version of Windows 11 will block a few of them through its Hypervisor-Protected Code Integrity feature. HVCI is supposed to work on Windows 10, too, but security researcher Will Dormann remarks that it seems to be ignoring the driver blocklist at this time.