BYOVD Unveiled: Hunting and Exploring Vulnerabilities in Device Drivers
Malicious program authors often exploit vulnerabilities in popular software and employ various methods to circumvent security measures such as antivirus software, sandboxing, and intrusion detection systems. More specifically, threat actors have begun using vulnerable but legitimate drivers as a means of infiltrating systems; this attack is known as BYOVD, short for Bring Your Own Vulnerable Driver. Drivers facilitate communication between physical devices and the operating system and run at a higher privilege level, in kernel mode; user mode, by contrast, is the less privileged mode in which ordinary applications run. By abusing a vulnerable driver, an attacker can have it perform privileged actions on their behalf, because the driver does not verify the identity or privileges of the calling process. Numerous vulnerable drivers from different software and hardware vendors have already been identified and catalogued, for example by the LOLDrivers project [2].
Threat actors generally use malicious payloads, which are often detected by antivirus and anti-malware tools. Leveraging known, signed drivers from hardware and software vendors, however, raises less suspicion. Historical instances show ransomware groups [3] exploiting driver vulnerabilities to disable antivirus and EDR security tools, and APT groups such as Lazarus [4] leveraging the same weaknesses.
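Because a signed driver passes signature-based checks, defenders typically look for BYOVD drivers by comparing file hashes against a catalogue of known vulnerable drivers such as LOLDrivers. The following Python script is an added defensive example (not code from the original article or from the LOLDrivers project): it walks a directory, hashes each `.sys` file, and reports matches against a blocklist. The blocklist entries, driver contents and file names are all constructed for illustration; a real deployment would load the hashes from the catalogue and point the scanner at the system driver directory.

```python
"""Scan a directory of driver binaries against a SHA-256 blocklist of known
vulnerable drivers. Added defensive example, not the authors' code; every
blocklist entry and driver file below is constructed for illustration."""
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large drivers are not read into memory at once


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_driver_files(root: str, exts: Tuple[str, ...] = (".sys",)) -> Iterator[str]:
    """Yield paths under root whose extension marks them as driver binaries."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                yield os.path.join(dirpath, name)


def build_blocklist(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Constructed stand-in for a LOLDrivers-style catalogue keyed by SHA-256.
    In practice the mapping would be loaded from the published catalogue."""
    return {hashlib.sha256(content).hexdigest(): label for label, content in samples.items()}


def scan(root: str, blocklist: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, label) for every driver whose hash is blocklisted."""
    hits = []
    for path in iter_driver_files(root):
        digest = sha256_file(path)
        if digest in blocklist:
            hits.append((path, digest, blocklist[digest]))
    return hits


# Constructed sample "driver" contents standing in for catalogued vulnerable binaries.
VULN_SAMPLES = {
    "vendorA_old_driver": b"MZ...constructed-vulnerable-driver-A",
    "vendorB_old_driver": b"MZ...constructed-vulnerable-driver-B",
}


def demo() -> List[str]:
    """Write constructed files to a temp dir, scan it, and return matched labels.
    notes.txt carries vulnerable-driver bytes but is skipped by the .sys filter,
    which shows why the filter is a coverage trade-off, not a security boundary."""
    blocklist = build_blocklist(VULN_SAMPLES)
    with tempfile.TemporaryDirectory() as d:
        files = {
            "a.sys": VULN_SAMPLES["vendorA_old_driver"],
            "b.sys": b"MZ...constructed-benign-driver",
            "notes.txt": VULN_SAMPLES["vendorB_old_driver"],
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        hits = scan(d, blocklist)
    return sorted(label for _, _, label in hits)


if __name__ == "__main__":
    for label in demo():
        print("blocklisted driver found:", label)
```

On a live Windows host the scanner would be pointed at `C:\Windows\System32\drivers` (and at any directory the loaded-driver list reports), with the blocklist populated from the catalogue. A plain file hash only catches the exact binary that was catalogued; a re-signed or rebuilt variant of the same vulnerable code will not match, so hash checks complement, rather than replace, vendor-supplied driver block rules and monitoring of driver load events.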
Our objective is to uncover and examine vulnerable drivers built for different Windows versions (x86-64 architecture) that may be susceptible to exploitation by malicious actors. During our investigation, we uncovered several digitally signed vulnerable drivers from reputable vendors, some of which lacked adequate measures to authenticate the calling process. Our research covers a range of techniques for manipulating and exploiting driver functionality through calls made from user mode.