Bring Your Own Vulnerable Kernel Driver/BYOVKD
BYOVKD is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads to bootstrap into the Kernel.
Note that this technique requires an attacker to have already gained High-IL code execution in Ring 3 or in simpler words, it needs administrative privileges since it involves loading a driver and such. Also, note that Microsoft does not consider Ring 3(High-IL) -> Ring 0 a serviceable security boundary but even then there are some quirks when we look at productizing our exploits.
Think of it as a proxy driver that we drop'n'load onto a target system to help us step into the Ring-0 realm.
But why is such a proxy even required? Why can't we directly load our rootkits or Kernel-Mode keyloggers or what have you?
The answer is quite simple. With modern OS mitigations like Driver Signature Enforcement(DSE), we need to properly sign Kernel drivers for them to load. This implies that we can either steal such valid code-signing certificates or somehow acquire them anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the Tertia Optio(third option) which is a very viable alternative where we abuse a legitimately signed driver to execute our code in Kernel-Mode.
There are many attractive pros of adopting BYOVKD. Some of them are:
1. There are so many signed proxy drivers available to us that blacklisting all of them is virtually impossible and we all know how hard maintaining whitelisting can be2. A signed driver is forever. Signature revocation if not impossible is almost certainly improbable
BYOVKD represents Third Generation Kernel Threats where we introduce a vulnerable third-party driver into the environment to exploit it as compared to Second Generation Kernel Threats where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and advanced than the former while subsequently being rarer, expensive and more difficult to exploit.
There are basically two types of attacks we can perform using BYOVKD:
1. Data-only attacks2. Ring-0 code execution
Note that we will not be looking at EoP scenarios using BYOVKDfor that is more relevant for LOCAL 2nd Gen kernel threats. The reason being that we are already in High-IL and there are better ways of elevating privileges to local SYSTEM account from User-Mode.
Although, BYOVKD is not commonly seen in intrusions, over the years there are some highly publicised cases of this technique being used by Nation-states for CNE operations. Some of them are:
Actor/Implant | Driver Name/Product | CVE ID |
NSA-TAO/GrayFish/SolarTime | ElbyCDIO.sys(SlySoft AnyDVD) | CVE-2009-0824 |
FSB/Uroburos | VBoxDrv.sys(Oracle VirtualBox) | CVE-2008-3431 |
MSS/Derusbi | Nicm.sys(Novell XTier) | CVE-2013-3956 |
NSA-TAO/Project Sauron | SandBox.sys(Agnitum Outpost Firewall PRO), AswSnx.sys(Avast Internet Security) | CVE-2006-5721, CVE-2015-8620 |
CIA/White Lambert | Sandra.sys(SiSoftware Sandra) | CVE-2010-1592 |
USSOCOM-JSOC-CNOS/Slingshot | Sandra.sys(SiSoftware Sandra), ElbyCDIO.sys(SlySoft AnyDVD), Speedfan.sys(Almico SpeedFan) | CVE-2010-1592, CVE-2009-0824, CVE-2007-5633 |
GRU 85th GTsSS/LoJax | RwDrv.sys(RWEverything) | N.A. |
FSB/InvisiMole | Speedfan.sys(Almico SpeedFan) | CVE-2007-5633 |
Unk16/AcidBox/MagicScroll | VBoxDrv.sys(Oracle VirtualBox) | N.A. |
PLA Unit 61398/Moriya | VBoxDrv.sys(Oracle VirtualBox) | CVE-2008-3431 |
Candiru/DevilsTongue | physmem.sys(Hilscher Physical Memory Viewer) | N.A. |
There are also recorded cases of ransomware and other commodity malware such as TrickBot using this technique to bypass defences etc. Also, note the considerable overlap in the choice of proxy drivers.
This is by no means an exhaustive list and if you are able to find any more examples, I shall be glad to add them to the table with appropriate credits.
Naturally, we are interested in this tactic as it virtually grants us God Mode on the target machine and leads to total system compromise. In this series, we shall look at some of the exploitation scenarios and productizing them.
​Device Driver Debauchery and MSR Madness by Ryan Warns and Timothy Harrison
Special thanks to Chris Neill for taking the time out to answer some of my queries
