BITM, November 20 2023

Bringing your own vulnerable drivers to bypass defenses.

In the world of operating systems, a driver is a specialized type of software that allows the operating system to communicate and interact with a hardware device. Basically, it serves as a translator between the hardware and the software layers of the computer system. Each piece of hardware connected to your computer, from the simplest peripherals like a mouse or keyboard to more complex components like a graphics card or a network adapter, requires a driver to function properly.

Image: https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-

Keeping drivers up-to-date is not only important for performance reasons, but also for security. Software updates will often include patches for security vulnerabilities that were recently disclosed to the vendor.

Software vulnerabilities are flaws or weaknesses in a software program or system that can be exploited by attackers to gain unauthorized access or cause harm to a system. They can exist in operating systems, applications, embedded systems, and even in hardware components.

After understanding the mechanics of the vulnerability, an attacker will develop an exploit. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of the vulnerability to cause unintended behavior in the software system. This process is what is called "weaponizing a vulnerability", and the resulting impact can range from gaining control over the system to accessing restricted data or disrupting normal operations.

The lifecycle of a vulnerability often ends with the software vendors issuing a patch or update to fix the flaw. However, until these patches are applied, systems remain at risk. This situation is often exploited in what is known as a “zero-day” attack, where attackers use the vulnerability before the developers have a chance to address it. Therefore, timely patch management and staying informed about emerging vulnerabilities are crucial aspects of cyber security.

The Bring Your Own Vulnerable Driver (BYOVD) attack is a post-compromise technique where attackers exploit vulnerabilities in legitimate, often outdated or unpatched, drivers to gain elevated privileges or execute malicious actions on a target system. These are some of the reasons why this technique has gained popularity among attackers in the last year or so:

The following demonstration will show how to disable Windows Defender using a BYOVD attack (https://github.com/ZeroMemoryEx/Blackout). After that, Mimikatz will be used to dump the credentials of the users that have logged into the machine. Because the vulnerable driver runs with the same privileges as Windows Defender, the exploit can be used to disable the antivirus and give a potential attacker unrestricted access to the machine.

Before running the exploit, the PID of the Windows Defender engine process is gathered: the process "MsMpEng.exe" is running as process number "2712". An administrator shell is also opened in the directory containing both the vulnerable driver and the weaponized exploit. Windows Defender is currently running and active.

After running the exploit, the privileged process containing Windows Defender is killed and the security service is disabled. This leaves the device vulnerable to further attacks.

An attacker can now easily install and run their offensive tooling and perform further post-exploitation attacks on the device, such as gathering hashes with Mimikatz.
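From the defender's side, the sequence shown above (a kernel driver load followed within seconds by the termination of MsMpEng.exe) is exactly the kind of pattern endpoint telemetry can catch. The following is an added detection example, not code from the original post or from the Blackout project: it parses constructed Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records and flags both blocklisted driver hashes and a driver load that is shortly followed by a Defender engine kill. The flattened log format, the sample paths and the hash values are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample events in a flattened "time|event_id|key=value|..." form
# modelled on Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate).
# Paths and hashes are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "2023-11-20T10:00:01|6|ImageLoaded=C:\\Tools\\vuln.sys|Hashes=SHA256=PLACEHOLDER_VULN_DRIVER_HASH|Signed=true|Signature=Example Vendor",
    "2023-11-20T10:00:04|5|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x\\MsMpEng.exe|ProcessId=2712",
    "2023-11-20T10:30:00|6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=PLACEHOLDER_OS_DRIVER_HASH|Signed=true|Signature=Microsoft Windows",
]
# Constructed placeholder blocklist; a real deployment would load Microsoft's
# vulnerable driver blocklist or a vendor feed here instead.
BLOCKED_SHA256 = {"PLACEHOLDER_VULN_DRIVER_HASH"}


def parse_event(line):
    """Turn one flattened line into a dict with a parsed timestamp and event id."""
    ts, event_id, *fields = line.split("|")
    rec = {"time": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def sha256_of(rec):
    """Extract the SHA256 digest from a Sysmon-style 'Hashes' field."""
    for part in rec.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo == "SHA256":
            return digest
    return None


def find_byovd_findings(lines, blocklist=BLOCKED_SHA256, window=timedelta(seconds=120)):
    """Return (finding_kind, driver_path) tuples for blocklisted driver loads and
    for any driver load followed within `window` by a Defender engine termination."""
    findings, recent_loads = [], []
    for rec in sorted(map(parse_event, lines), key=lambda r: r["time"]):
        if rec["event_id"] == 6:
            recent_loads.append(rec)
            if sha256_of(rec) in blocklist:
                findings.append(("blocklisted_driver", rec["ImageLoaded"]))
        elif rec["event_id"] == 5 and rec.get("Image", "").lower().endswith("\\msmpeng.exe"):
            for load in recent_loads:
                if timedelta(0) <= rec["time"] - load["time"] <= window:
                    findings.append(("driver_then_defender_kill", load["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for kind, driver in find_byovd_findings(SAMPLE_EVENTS):
        print(f"{kind}: {driver}")
```

The correlation window and the MsMpEng.exe image check are the two knobs to tune for a real environment; the same logic applies unchanged to records exported from a SIEM in any flat key/value form.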

Author: G. Botha

Written by BITM
