Security researchers from Eclypsium have found common design flaws in more than 40 kernel drivers from 20 different hardware vendors, which they detailed in a talk at the DEF CON 27 security conference in Las Vegas. These flaws allow low-privileged applications to use legitimate driver functions to execute malicious actions in the most sensitive areas of the Windows operating system, including the Windows kernel itself.
“There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from user space applications,” Mickey Shkatov, Principal Researcher at Eclypsium told ZDNet. “The design flaw surfaces when signed drivers provide functionality which can be misused by user space applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft.”
Shkatov blames the issues Eclypsium discovered on bad coding practices that don’t take security into account. “This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it’s written in a flexible way to just perform arbitrary actions on behalf of userspace,” he told ZDNet.
He also said that structuring drivers and applications this way makes software easier to develop, but it opens the system up for exploitation. Shkatov confirmed that Eclypsium has notified each of the hardware vendors that were shipping drivers that allow user-space applications to run kernel code. Some of the affected vendors have already issued updates, including American Megatrends, ASRock, ASUSTeK Computer, ATI Technologies (AMD), Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel, Micro-Star International (MSI), NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro and Toshiba.
The researcher also confirmed that he did not name all the impacted vendors, since some of them “needed extra time due to special circumstances”; all the impacted vendors will release fixes and advisories in the future. Eclypsium plans to publish the list of affected drivers and their hashes on GitHub, so that users and administrators can block the affected drivers.
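The blocking step the article ends on is a hash comparison: take a published list of driver hashes and check which of them are present on a machine. The script below is an added example written for this article, not Eclypsium's tooling or any vendor's code. It assumes a blocklist format of one SHA-256 per line with `#` comments (the format of the list Eclypsium publishes is not given on the page), and the driver files and hashes it scans are constructed stand-ins, not real vendor drivers.

```python
import hashlib
import tempfile
from pathlib import Path


def load_blocklist(text: str) -> set[str]:
    """Parse a blocklist of SHA-256 hex digests.

    Assumed format (not from the page): one lowercase SHA-256 per line,
    blank lines and '#' comments ignored. Malformed entries raise so a
    truncated or corrupted list is not silently treated as 'nothing blocked'.
    """
    hashes: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"malformed SHA-256 entry: {raw!r}")
        hashes.add(line)
    return hashes


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large driver images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drivers(driver_dir: Path, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (filename, sha256) for every .sys file in driver_dir whose hash is blocklisted."""
    hits: list[tuple[str, str]] = []
    for path in sorted(driver_dir.glob("*.sys")):
        digest = sha256_of_file(path)
        if digest in blocklist:
            hits.append((path.name, digest))
    return hits


def demo() -> list[tuple[str, str]]:
    """Build a constructed driver directory and blocklist, then scan it.

    Both .sys files are synthetic byte strings, not real driver images; the
    blocklist entry is computed from one of them so the match is reproducible.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ddir = Path(tmp)
        flagged = ddir / "vendor_tool.sys"
        benign = ddir / "benign.sys"
        flagged.write_bytes(b"CONSTRUCTED driver image exposing arbitrary read/write to user space")
        benign.write_bytes(b"CONSTRUCTED driver image with a fixed, validated command set")
        blocklist_text = (
            "# constructed blocklist; a real one would come from the researchers' list\n"
            f"{sha256_of_file(flagged)}\n"
            "0000000000000000000000000000000000000000000000000000000000000000  # placeholder entry\n"
        )
        return scan_drivers(ddir, load_blocklist(blocklist_text))


if __name__ == "__main__":
    for name, digest in demo():
        print(f"BLOCKED: {name} sha256={digest}")
```

On a real system the directory argument would be the machine's driver store (for example the Windows `System32\drivers` directory) and the blocklist would be the published list; the parser's strictness is deliberate, since a silently ignored malformed line means a driver that should have been blocked is not.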