Full Report
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers.
Analysis Summary
# Vulnerability: Bring Your Own Vulnerable Driver (BYOVD) Technique Analysis
## CVE Details
- CVE ID: Not specified in the provided text. The article discusses a **technique** (BYOVD) leveraging *existing* vulnerable drivers, rather than detailing a single new vulnerability.
- CVSS Score: Not assessed.
- CWE: The underlying vulnerabilities exploited via BYOVD often involve flaws like arbitrary kernel memory read/write, which traditionally map to CWE categories such as **CWE-787 (Out-of-bounds Write)** or **CWE-125 (Out-of-bounds Read)**, depending on the specific driver flaw.
## Affected Systems
- Products: Various Windows Operating Systems (since the focus is on Windows kernel structures like `_EPROCESS`).
- Versions: Not specified. The technique applies to any system running an exploitable, vulnerable third-party Windows driver.
- Configurations: Requires an attacker to possess the ability to install or use a known, vulnerable kernel-mode driver on the target system.
## Vulnerability Description
The research focuses on the **Bring Your Own Vulnerable Driver (BYOVD)** technique, where an attacker leverages a *pre-existing* driver with known security flaws (often arbitrary kernel memory read/write) to achieve malicious goals from within kernel space.
The common malicious payloads observed exploiting these driver flaws include:
1. **Local Privilege Escalation (Admin to System/Kernel):** By reading the access token from a high-privileged process (like `System`, found via hardcoded offsets of the `_EPROCESS` structure) and overwriting the access token of a lower-privileged malicious process.
2. **Loading of Unsigned Kernel Code:** Using arbitrary kernel write capabilities to insert shellcode or a malicious unsigned driver into kernel memory space. Examples cite the use of utilities like `Lenovo Mapper`.
3. **Bypassing Security Software (EDR/Game Anti-Cheat):** Exploiting memory write flaws to terminate or subvert security mechanisms running in kernel space (e.g., the Gh0stRAT campaign using `dbutil_2_3.sys` to disable EDR via a RealBlindingEDR variant).
## Exploitation
- Status: **Exploited in the wild**. The article cites recent activity linked to ransomware groups and specific malware campaigns (Gh0stRAT).
- Complexity: Depends heavily on the specific vulnerable driver. Privilege escalation steps outlined suggest **Medium** to **High** complexity for the specific process token swapping technique.
- Attack Vector: Primarily **Local** (once kernel execution/driver installation is achieved), but the initial execution path might begin remotely or locally.
## Impact
- Confidentiality: **High**. Achieving System privileges allows for monitoring, dumping credentials, and accessing protected resources.
- Integrity: **High**. Ability to modify kernel structures, load arbitrary code, and disable critical security features (like EDR).
- Availability: **Medium to High**. Kernel crashes (BSOD) are possible, and disabling security software impacts system resilience.
## Remediation
### Patches
- **No specific CVE patches** are provided as the article summarizes a *technique* relying on myriad unknown underlying driver vulnerabilities.
- Remediation requires identifying the specific vulnerable driver being targeted and applying the patch or update released by that driver's vendor. **Exploitation often results from using outdated third-party drivers.**
### Workarounds
1. **Driver Signature Enforcement:** Ensure Windows Kernel Code Signing policies are strictly enforced (e.g., HVCI/VBS configuration) to prevent the loading of *unsigned* malicious drivers that might be dropped via the arbitrary write vulnerability.
2. **Driver Whitelisting:** Only maintain whitelisted, necessary, and up-to-date third-party drivers.
3. **Security Monitoring:** Enhance monitoring for abnormal kernel API calls related to process manipulation (`NtQuerySystemInformation`) or direct access to kernel structures (`_EPROCESS`).
## Detection
- **Indicators of Compromise (IOCs):** Indicators relate to the specific payloads used (e.g., `nthandlecallback.exe`, `dbutil_2_3.sys`, `EDR.exe`).
- **Detection Methods and Tools:**
* Monitor for unauthorized installation or execution of **third-party kernel drivers**.
* Look for security solutions (EDR) being unexpectedly terminated or modified.
* Monitor for kernel memory integrity violations.
* Use Endpoint Detection and Response (EDR) tools capable of tracking highly suspicious kernel function calls related to token manipulation or direct memory manipulation by third-party kernel modules.
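The driver-whitelisting workaround above and the first detection method (monitoring for unauthorized third-party kernel driver loads) can both be implemented against driver-load telemetry. The following is an added example, not code from the report or from any of the projects it references: it takes records shaped like the Sysmon Event ID 6 (DriverLoad) fields, checks each load against a known-vulnerable name list (only `dbutil_2_3.sys` comes from the report), a hash blocklist, the signing state, and an approved-directory allowlist. The blocklist hash, the approved directories, and the three sample events are constructed for the example.

```python
"""
Added example (not from the original report): flag driver-load events that match the
BYOVD patterns the report describes. Assumes events carry the Sysmon Event ID 6 fields
ImageLoaded, Hashes, Signed, Signature and SignatureStatus; all reference data below is
constructed or assumed, except the dbutil_2_3.sys name, which the report itself cites.
"""
from dataclasses import dataclass

# File names of drivers known to expose arbitrary kernel read/write. dbutil_2_3.sys is the
# one named in the report; a real deployment would load a full blocklist feed here (assumption).
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}
# SHA256 values of known-bad driver images. The value below is a CONSTRUCTED placeholder.
VULNERABLE_DRIVER_SHA256 = {"0" * 64}
# Directories from which driver loads are expected on this fleet (assumption).
APPROVED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoadEvent:
    """Subset of the Sysmon Event ID 6 (DriverLoad) fields used by the checks below."""
    image_loaded: str
    hashes: str            # Sysmon format, e.g. "SHA256=<hex>,MD5=<hex>"
    signed: bool
    signature: str
    signature_status: str  # e.g. "Valid", "Expired", "Unavailable"


def parse_hashes(hashes_field: str) -> dict:
    """Turn Sysmon's 'ALG=hex,ALG=hex' string into {ALG: hex} with normalised case."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def classify_driver_load(ev: DriverLoadEvent) -> list:
    """Return the findings for one driver-load event; an empty list means nothing matched."""
    findings = []
    path = ev.image_loaded.lower()
    name = path.rsplit("\\", 1)[-1]
    # 1. Known-vulnerable driver by file name (the BYOVD driver itself).
    if name in VULNERABLE_DRIVER_NAMES:
        findings.append("known-vulnerable-driver-name")
    # 2. Known-vulnerable driver by hash, which survives a renamed file.
    if parse_hashes(ev.hashes).get("SHA256") in VULNERABLE_DRIVER_SHA256:
        findings.append("known-vulnerable-driver-hash")
    # 3. Unsigned or badly signed image: what a mapped, unsigned driver would look like.
    if not ev.signed or ev.signature_status.lower() != "valid":
        findings.append("unsigned-or-invalid-signature")
    # 4. Loaded from outside the approved driver directories (whitelisting workaround).
    if not path.startswith(APPROVED_DRIVER_DIRS):
        findings.append("loaded-outside-approved-dirs")
    return findings


def scan(events) -> list:
    """Return (image_loaded, findings) for every event that produced at least one finding."""
    return [(ev.image_loaded, f) for ev in events if (f := classify_driver_load(ev))]


# Constructed sample telemetry: one benign OS driver, the report's dbutil_2_3.sys dropped
# into a user-writable directory, and an unsigned image loaded from a temp folder.
SAMPLE_EVENTS = [
    DriverLoadEvent(r"C:\Windows\System32\drivers\tcpip.sys",
                    "SHA256=" + "1" * 64, True, "Microsoft Windows", "Valid"),
    DriverLoadEvent(r"C:\Users\Public\dbutil_2_3.sys",
                    "SHA256=" + "2" * 64, True, "Example Vendor Inc. (constructed)", "Valid"),
    DriverLoadEvent(r"C:\Users\bob\AppData\Local\Temp\dropped.sys",
                    "SHA256=" + "0" * 64, False, "", "Unavailable"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The name check alone is weak, since the driver file can be renamed before loading; the hash and signature checks are what make the detection hold up, and the directory check is the monitoring side of the whitelisting workaround: a kernel driver loading from a user profile or a public folder is worth an alert on its own, whatever its signature says.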
## References
- Vendor advisories: Not applicable as this is a technique summary; relies on previous driver research advisories.
- Relevant links:
* Cisco Talos post - Exploring Malicious Windows Drivers Part 2 (link defanged)
* Lenovo Mapper (github dot com/estimated1337/lenovo_mapper)
* RealBlindingEDR (github dot com/myzxcg/RealBlindingEDR)
* Archived conference presentation on BYOVD concepts (avar dot org/cybersecurity-conference)