VDR

VDR copied to clipboard

#+OPTIONS: ^:{}

#+TITLE: Vulnerable Driver Research

** Writeup

[[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html][Static Analysis Automation for Hunting Vulnerable Kernel Drivers]]

** Discovered Vulnerable Drivers

All give full control of the devices to non-admin users. The list in each file contains driver names, hashes, signer information, other arbitrary read/write vulnerabilities and so on.

• result_firmware.org :: Drivers with firmware access allowing arbitrary port I/O & memory mapped I/O

** Tool

• ida_ioctl_propagate.py :: IDAPython script for automating static code analysis of x64 vulnerable drivers
• ioctl_batch.py :: Python wrapper script to run in IDA batch mode for triage

Note: The script will not work for x86 drivers.

You need the 3rd-party WDF type information ([[https://github.com/IOActive/kmdf_re][kmdf_re]]). Please clone with the submodule.

#+BEGIN_SRC git clone --recurse-submodules https://github.com/TakahiroHaruyama/VDR.git #+END_SRC

** Exploit PoCs

The exploit PoCs are located in the PoCs directory.

** Reference

• [[https://github.com/eclypsium/Screwed-Drivers][ScrewedDrivers]]
• [[https://dl.acm.org/doi/pdf/10.1145/3564625.3564631][POPKORN: Popping Windows Kernel Drivers At Scale]]
• [[https://www.loldrivers.io/][Living Off The Land Drivers]]