Device Drivers at Risk
New Windows vulnerability reveals what could be the next big target for attackers
July 12, 2006
Now there's another weak link to worry about: the device driver. The vulnerability in Microsoft's Windows Server Service revealed in yesterday's Patch Tuesday fixes was a chilling preview of the risks associated with today's device drivers. (See The Patch Race Is On.)
The hole in Windows Server Service is one of the first and most high-profile device-driver vulnerabilities to emerge, and it's a topic that's been near and dear for some time to David Maynor, senior security researcher for SecureWorks. Maynor, along with researcher and graduate student Jon Ellch, will give a presentation on device-driver vulnerabilities on August 2 at the Black Hat Conference in Las Vegas.
"In the last year, I've theorized that we will see a lot more of these types of device-driver attacks and this is one example" of the threat, Maynor says. Device-driver code is often written in a patchwork manner, typically by both hardware and software engineers and with no regard to security, he says. Plus there's no certification process for this code, so it can easily be manipulated.
That's what makes device drivers for network cards, printers, wireless access points, video cards, and servers such tempting targets for attackers. "As the operating system hardens, attackers will take the path of least resistance," he says.
Maynor says the goal of his and Ellch's Black Hat presentation will be to dispel the theory that exploiting a device driver is just too complicated for most attackers. Critics say such an attack isn't likely because an attacker would need to know details on the hardware, such as its chipset. But Ellch will demonstrate at Black Hat how attackers can gather that information, using a research tool he developed. "It will show that this [attack] is possible."
Meanwhile, Microsoft's server device driver, a .sys file, is a slightly different animal from the typical hardware device driver for, say, a printer or wireless access point, but it's susceptible to the same kinds of attacks, Maynor says.
Device drivers run with the highest operating system privileges, so if an attacker compromises Microsoft's .sys Server Service file or a printer device driver, he or she can modify anything on the system. And the Microsoft hole would be the ideal place to insert a rootkit and hide out, Maynor says. All an attacker would have to do to initially infect a device driver is craft a packet and send it off to the machine, which becomes compromised once it receives the packet.
So far, there have been no exploits targeting Microsoft's server hole, but Maynor says it's a matter of time, especially now that the Microsoft vulnerability has been publicized. "And it's possible there's something out there already that we just haven't seen yet."
But device-driver vulnerability isn't just a Windows problem. It goes hand in hand with every OS, from Linux to Mac OS X. And third-party hardware vendors such as Intel and ATI write their own drivers, so Microsoft has little, if any, control over their security, even with its recent security initiatives. "They aren't subject to the same stringent security Microsoft implements now," Maynor says.
So how can you protect your organization from a device driver attack? Maynor says it's more of a policy issue. "Don't add extraneous equipment you don't need to the network. Every piece of equipment makes it easier for this type of attack."
At the Black Hat session, the researchers will also demonstrate one laptop attacking another over WiFi through an 802.11 device driver, as well as a couple of other demos they won't reveal at this time.
— Kelly Jackson Higgins, Senior Editor, Dark Reading