81a73e57-2e92-4d21-97d3-1c21eb4c3aea

LenovoDiagnosticsDriver.sys

Description

The aforementioned driver has been identified as vulnerable to CVE-2022-3699

UUID: 81a73e57-2e92-4d21-97d3-1c21eb4c3aea
Created: 2023-01-09
Author: Michael Haag
Acknowledgement: Mike Alfaro | alfarom256

This download link contains the vulnerable driver!

Commands

sc.exe create LenovoDiagnosticsDriver.sys binPath=C:\windows\temp\LenovoDiagnosticsDriver.sys type=kernel &amp;&amp; sc.exe start LenovoDiagnosticsDriver.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

https://nephosec.com/cve-2022-3699-lenovo-diagnostics-driver-eop-arbitrary-r-w/

https://github.com/alfarom256/CVE-2022-3699

https://support.lenovo.com/us/en/product_security/LEN-94532

CVE

CVE-2022-3699

Known Vulnerable Samples

Property	Value
Filename	LenovoDiagnosticsDriver.sys
Creation Timestamp	2022-01-28 10:59:24
MD5	b941c8364308990ee4cc6eadf7214e0f
SHA1	b89a8eef5aeae806af5ba212a8068845cafdab6f
SHA256	f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe
Authentihash MD5	56b6144e389ce3b1e2a0a96a954aa7d8
Authentihash SHA1	6d9543725aca0c9c8f403425952692ccc1d2d7f2
Authentihash SHA256	34e6a56c60746c51034b45a7b2a36617205b598d0bbcc695f92404605a0975d5
RichPEHeaderHash MD5	f9a028999bfd69ee65e86573d56d2de3
RichPEHeaderHash SHA1	ac40538efeecc7ae93b551aa2d861851a798b17f
RichPEHeaderHash SHA256	681234bfceb8f11e214c9d4fbec06523b80744dad37cbef0be64b84fc7dd4da1
Company	Lenovo Group Limited (R)
Description	Lenovo Diagnostics Driver for Windows 10 and later.
Product	Lenovo Diagnostics
OriginalFilename	LenovoDiagnosticsDriver.sys

Download

Certificates

Expand

Certificate 08ad40b260d29c4c9f5ecda9bd93aed9

Field	Value
ToBeSigned (TBS) MD5	5d8003a64dfa5a4d88365da1566038cb
ToBeSigned (TBS) SHA1	79465b56bc7ad55a37bdf633943da8bfc84db228
ToBeSigned (TBS) SHA256	84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332
Subject	C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
ValidFrom	2021-04-29 00:00:00
ValidTo	2036-04-28 23:59:59
Signature	3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e
SignatureAlgorithmOID	1.2.840.113549.1.1.12
IsCertificateAuthority	True
SerialNumber	08ad40b260d29c4c9f5ecda9bd93aed9
Version	3

Certificate 01d4b02045832881e2d7530641135991

Field	Value
ToBeSigned (TBS) MD5	3452c838cdc0fad2580244b9efd5d8de
ToBeSigned (TBS) SHA1	f4d9f9525fa79caa80e5ef5b88ea4b07d6e272ad
ToBeSigned (TBS) SHA256	4d66a4b0e68dc05b77e33ff1c284de96b040b4a6b3fe69326bc6cc2477e70866
Subject	C=US, ST=North Carolina, L=Morrisville, O=Lenovo, OU=G14, CN=Lenovo
ValidFrom	2021-11-22 00:00:00
ValidTo	2022-03-30 23:59:59
Signature	640fc986f34aa41e35444a37b92461d4eed33b163b6e4f883d188628bbb07ee70df9a8839fdc34ff36d4622cef4a664c73711efaf6b03c7e5c83138199cdc1a7defb5a39cfe365578d2f7af63f2ceb9e745be37e3c2b8612419f7dd1b37232c42e8d63ed1cdab404a0033145c0590be269777ec6c3234a3ba42a3b225a168485eedd9dc9df15978a9aa884f5ff3fb2514cce184fec8c026426ffd20510a00ef203f521b75b994ab7fb14aec2610d7f873d20cd76e608157421a4ca786e0f2e202dda5ecc96680d2d7a4e43031538752be859691b1935de593356fa32fd1f631fed6c5aa475d92c60ff1047ace01d023642c96813e70f5f496942560e9f09b1a79ab47808dacfe1fd36cc957ef31536287b77f7d602b0dbf015e5f8a30299470569757f72bea7a1ee115f7d34cc29bc5d0f8d0080633370dcf5bce318d117831c8501e56f4aac5feace080c836f864b0c8e5a11178bd3b3c244915eeced7db59c6eb299163f566099e33ff606f45ed608dedbb055e19474b82b31269a61221b875eb36e16738c75190f5a14d0c3bfc7d3fff27d4313e9d3852db215295205f1fb3bb8b9d51f70b5222dddd7398deb6a947065d1b2ecd4eb91d84957b71728d2bbec08c0aec19a8fbb0aea3f7be228dfd87a1ead0d674205d1f9bce65b380395059b4d56c46b470a71562eb5aa2e163e7985e134d54b60e865df4d2229ab35efe7
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	01d4b02045832881e2d7530641135991
Version	3

Imports

Expand

ntoskrnl.exe
HAL.dll

Imported Functions

Expand

MmMapIoSpace
MmUnmapIoSpace
IofCompleteRequest
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
__C_specific_handler
MmGetSystemRoutineAddress
RtlInitUnicodeString
ExFreePoolWithTag
ZwClose
ZwSetSecurityObject
IoDeviceObjectType
IoCreateDevice
ObOpenObjectByPointer
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
ExAllocatePoolWithTag
RtlGetSaclSecurityDescriptor
SeCaptureSecurityDescriptor
_snwprintf
RtlLengthSecurityDescriptor
SeExports
RtlCreateSecurityDescriptor
_wcsnicmp
wcschr
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedAce
RtlLengthSid
IoIsWdmVersionAvailable
RtlSetDaclSecurityDescriptor
ZwOpenKey
ZwSetValueKey
ZwQueryValueKey
ZwCreateKey
RtlFreeUnicodeString
RtlGetOwnerSecurityDescriptor
DbgPrintEx
HalGetBusDataByOffset
HalSetBusDataByOffset

Exported Functions

Expand

Sections

Expand

.text
.rdata
.data
.pdata
PAGE
INIT
.rsrc
.reloc

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
      "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "TBS": {
        "MD5": "5d8003a64dfa5a4d88365da1566038cb",
        "SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
        "SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
        "SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
      },
      "ValidFrom": "2021-04-29 00:00:00",
      "ValidTo": "2036-04-28 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "01d4b02045832881e2d7530641135991",
      "Signature": "640fc986f34aa41e35444a37b92461d4eed33b163b6e4f883d188628bbb07ee70df9a8839fdc34ff36d4622cef4a664c73711efaf6b03c7e5c83138199cdc1a7defb5a39cfe365578d2f7af63f2ceb9e745be37e3c2b8612419f7dd1b37232c42e8d63ed1cdab404a0033145c0590be269777ec6c3234a3ba42a3b225a168485eedd9dc9df15978a9aa884f5ff3fb2514cce184fec8c026426ffd20510a00ef203f521b75b994ab7fb14aec2610d7f873d20cd76e608157421a4ca786e0f2e202dda5ecc96680d2d7a4e43031538752be859691b1935de593356fa32fd1f631fed6c5aa475d92c60ff1047ace01d023642c96813e70f5f496942560e9f09b1a79ab47808dacfe1fd36cc957ef31536287b77f7d602b0dbf015e5f8a30299470569757f72bea7a1ee115f7d34cc29bc5d0f8d0080633370dcf5bce318d117831c8501e56f4aac5feace080c836f864b0c8e5a11178bd3b3c244915eeced7db59c6eb299163f566099e33ff606f45ed608dedbb055e19474b82b31269a61221b875eb36e16738c75190f5a14d0c3bfc7d3fff27d4313e9d3852db215295205f1fb3bb8b9d51f70b5222dddd7398deb6a947065d1b2ecd4eb91d84957b71728d2bbec08c0aec19a8fbb0aea3f7be228dfd87a1ead0d674205d1f9bce65b380395059b4d56c46b470a71562eb5aa2e163e7985e134d54b60e865df4d2229ab35efe7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=North Carolina, L=Morrisville, O=Lenovo, OU=G14, CN=Lenovo",
      "TBS": {
        "MD5": "3452c838cdc0fad2580244b9efd5d8de",
        "SHA1": "f4d9f9525fa79caa80e5ef5b88ea4b07d6e272ad",
        "SHA256": "4d66a4b0e68dc05b77e33ff1c284de96b040b4a6b3fe69326bc6cc2477e70866",
        "SHA384": "fd4fbb32ae0c9b9d6796dd2028d09121a186975991e6008ab1dc57ebbef199ba873f6bc26bd710852ef16d4249856392"
      },
      "ValidFrom": "2021-11-22 00:00:00",
      "ValidTo": "2022-03-30 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "SerialNumber": "01d4b02045832881e2d7530641135991",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2024-04-09