DAVID Baptiste
Dr. Baptiste David is an IT security specialist at ERNW, specializing in the Windows operating system. His research focuses mainly on reverse engineering, the security of the Windows platform, kernel drivers and vulnerability research. He has also worked for a couple of antivirus companies. He has given special courses and trainings at various universities in Europe and regularly speaks at conferences including Black Hat USA, Defcon, TROOPERS, Zero Night, C0c0n, NullCon, EICAR, ECCWS…
Session
Which forensic enthusiast has never used Volatility or Velociraptor? Typically, they are the first tools deployed on an infected machine to recover everything in memory for subsequent analysis. Under the hood, both rely on a driver called WinPmem to capture the relevant information.
The problem? This driver, used by many experts, is obsolete and has some serious vulnerabilities. For example, CVE-2024-10972 allows anyone to effortlessly trigger a BSOD on the target machine, effectively stopping any forensic procedure: a perfect illustration of the time-of-check to time-of-use (TOCTOU) technique. But there is more: CVE-2024-12668 allows a malware in memory to erase itself from that memory! A paradox, considering that a forensic tool offers sufficient capabilities to escape that same forensic tool. As an additional bonus specific to WinPmem, the driver allows malware to load any unsigned driver of its choice. Not only does this undermine any forensic analysis, it also provides an elegant means of privilege escalation, letting an administrator execute unsigned drivers. In fact, WinPmem can easily be added to the “bring your own vulnerable driver” (BYOVD) list.
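To make the TOCTOU pattern mentioned above concrete, here is an added, generic illustration of a double-fetch bug in an IOCTL-style handler and of the single-fetch fix. It is a constructed user-mode model written for this page, not WinPmem's code or the talk's material; the request layout, the buffer size and the `flip_length` race hook are assumptions that stand in for a second thread rewriting the caller-owned header between the driver's check and its use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed user-mode model of a double-fetch (TOCTOU) bug in a driver's IOCTL
 * handler. Illustrative code for this page, not WinPmem's code; the structure,
 * names and sizes are assumptions. The request header sits in memory the caller
 * still owns, so another thread can rewrite it while the driver works. The race
 * is made deterministic here with a hook that fires between check and use. */

#define KBUF_SIZE 64u

typedef struct {
    uint32_t length;          /* caller-supplied byte count, still writable by the caller */
    uint8_t  data[256];       /* caller-supplied bytes */
} user_request_t;

typedef void (*race_hook_t)(user_request_t *req);

/* Simulated concurrent writer: enlarges length after validation has passed. */
void flip_length(user_request_t *req) { req->length = 200; }

/* Vulnerable pattern: validate req->length, then read it AGAIN for the copy.
 * Returns the byte count handed to the copy, or -1 if the request was rejected. */
int handle_double_fetch(user_request_t *req, race_hook_t race, uint8_t *kbuf) {
    if (req->length > KBUF_SIZE)      /* time of check: first fetch */
        return -1;
    if (race) race(req);              /* window: caller rewrites the header */
    uint32_t n = req->length;         /* time of use: second fetch, may differ */
    /* A real driver would copy n bytes here and overflow kbuf. The copy is
     * clamped only so that this model cannot corrupt its own memory. */
    memcpy(kbuf, req->data, n > KBUF_SIZE ? KBUF_SIZE : n);
    return (int)n;
}

/* Hardened pattern: fetch the header ONCE into driver-owned storage, validate
 * that copy, and never read the user-controlled field again. */
int handle_single_fetch(user_request_t *req, race_hook_t race, uint8_t *kbuf) {
    uint32_t n = req->length;         /* single fetch into a local */
    if (n > KBUF_SIZE)
        return -1;
    if (race) race(req);              /* caller may still write; the driver no longer looks */
    memcpy(kbuf, req->data, n);
    return (int)n;
}

/* Runs one scenario: hardened selects the handler, initial_length is the value
 * that gets validated, with_race enables the concurrent rewrite. */
int run_scenario(int hardened, uint32_t initial_length, int with_race) {
    user_request_t req;
    uint8_t kbuf[KBUF_SIZE];
    memset(&req, 0, sizeof req);
    req.length = initial_length;
    race_hook_t hook = with_race ? flip_length : NULL;
    return hardened ? handle_single_fetch(&req, hook, kbuf)
                    : handle_double_fetch(&req, hook, kbuf);
}

int main(void) {
    printf("double fetch, raced : copies %d bytes into a %u-byte buffer\n",
           run_scenario(0, 16, 1), KBUF_SIZE);
    printf("single fetch, raced : copies %d bytes\n", run_scenario(1, 16, 1));
    printf("oversized request   : %d / %d (both reject)\n",
           run_scenario(0, 100, 0), run_scenario(1, 100, 0));
    return 0;
}
```

The point of the hardened variant is not an extra check but a single capture: once the header has been copied into storage the caller cannot touch, every later decision is made on that copy, so there is no window between check and use for a concurrent writer to exploit. In a real Windows driver the same discipline applies to every field read from a user buffer (probe, capture once, validate the capture).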
This talk explains in detail the two CVEs we found in this driver. More than that, we provide concise and illustrated explanations of how a driver works in Windows and of the main steps involved in finding vulnerabilities in it. Enough to enrich the “loldrivers” list for everyone in the room. More generally, the talk aims to present the difficulties of kernel development (as observed with CrowdStrike’s BSOD), to discuss the future of third-party access to the kernel (spoiler: yes, the access should be kept), the possibility of preventing BSODs or exploits, and the complexity of fixing vulnerable drivers. From code quality to specific driver designs, the subject of driver development will be covered with several examples, accessible to anyone.
Finally, the talk discusses security tools that rely on drivers: used by everyone in cybersecurity, yet some of them implemented with a serious lack of quality and with dangerous features. In the end, WinPmem is just the tip of the iceberg of highly privileged security products that are not secure.