837ad058-65f4-4b75-8f21-b842e48db8a5

nvaudio.sys :inline

Description

The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

  • UUID: 837ad058-65f4-4b75-8f21-b842e48db8a5
  • Created: 2023-11-02
  • Author: Takahiro Haruyama
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create nvaudiosys binPath= C:\windows\temp\nvaudiosys.sys type=kernel && sc.exe start nvaudiosys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2010-06-24 09:29:58
    MD5b2600502a5b962b8cdfac2ead24b17b4
    SHA1bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c
    SHA256b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f
    Authentihash MD58b46a9553a2d586084c114be70b5367f
    Authentihash SHA10fb1d0ef14ab73fcb4c62043859064cc5f9f88c2
    Authentihash SHA2566b3196a346973837242d92f3a0ff7bdc2485075d51de0b53650e4ef7348c7a83
    RichPEHeaderHash MD5467ab399e8e2dbd4eadb35a620251e79
    RichPEHeaderHash SHA10a8aa46f42c40afd85a5efd219c4c2e8af6f95f9
    RichPEHeaderHash SHA256107c7240faa51c5bf254f4f1adeefb93f49fa233a36c38cb5406a5c3a1cdbabe
    CompanyNVidia Corp.
    DescriptionNVidia System Utility Driver
    ProductNVidia System Utility Driver
    OriginalFilenamenvoclock.sys

    Download

    Certificates

    Expand
    Certificate 3825d7faf861af9ef490e726b5d65ad5
    FieldValue
    ToBeSigned (TBS) MD5d6c7684e9aaa508cf268335f83afe040
    ToBeSigned (TBS) SHA118066d20ad92409c567cdfde745279ff71c75226
    ToBeSigned (TBS) SHA256a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2
    ValidFrom2007-06-15 00:00:00
    ValidTo2012-06-14 23:59:59
    Signature50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber3825d7faf861af9ef490e726b5d65ad5
    Version3
    Certificate 47bf1995df8d524643f7db6d480d31a4
    FieldValue
    ToBeSigned (TBS) MD5518d2ea8a21e879c942d504824ac211c
    ToBeSigned (TBS) SHA121ce87d827077e61abddf2beba69fde5432ea031
    ToBeSigned (TBS) SHA2561ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
    ValidFrom2003-12-04 00:00:00
    ValidTo2013-12-03 23:59:59
    Signature4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47bf1995df8d524643f7db6d480d31a4
    Version3
    Certificate 655226e1b22e18e1590f2985ac22e75c
    FieldValue
    ToBeSigned (TBS) MD5650704c342850095f3288eaf791147d4
    ToBeSigned (TBS) SHA14cdc38c800761463749c3cbd94a12f32e49877bf
    ToBeSigned (TBS) SHA25607b8f662558ec85b71b43a79c6e94698144f4ced2308af21e7ba1e5d461da214
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA
    ValidFrom2009-05-21 00:00:00
    ValidTo2019-05-20 23:59:59
    Signature8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber655226e1b22e18e1590f2985ac22e75c
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3
    Certificate 534abed0be56d9840dd12ddb84f8b031
    FieldValue
    ToBeSigned (TBS) MD54914c1d2c944d48a9636059155440df8
    ToBeSigned (TBS) SHA10337264fca5a8d774786b5b275e03ab42edb11ae
    ToBeSigned (TBS) SHA2568833131f04e02297c80b986ec7e7793e194fb144470dc36cc57a376487c2750b
    SubjectC=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation
    ValidFrom2009-07-31 00:00:00
    ValidTo2011-09-01 23:59:59
    Signature637b2f21e7ca2d9c511e9d61685062a36b1fa997fd860d4ebad28445116b417cef4a1bd7dfeb3a0aa4de2e23eae4c7f3abf12e823e3f4aa43e11df3c5bc1822d42125ae4c85c5b1de854950abdf7c1c1dce54186c2294bee017fdacfb123b13d8b1fce69fd7f1f40a112a4b8ca5e17a54251afae7b60f5e5e75cc20cc86bb0578c8478d21c7293af4613094ceff5ead14b0933572693afa4157fbb2ab13cb7a8d44d99fff11be3c0813bbb421ee7a0ed6e6da8f0d0ba915af1db2c9bd63d1bf371ddad6002debf35d03c124253aa9f4b06e5e448a075ef4d084b8061724d7263d19c48b28d916c8a582b5841a161e18d48d6c9618b8100f4194ca648a2fc656b
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber534abed0be56d9840dd12ddb84f8b031
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExAllocatePoolWithTag
    • DbgPrint
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • ExFreePoolWithTag
    • MmUnmapIoSpace
    • IoFreeMdl
    • MmUnmapLockedPages
    • PoCallDriver
    • IofCompleteRequest
    • PoStartNextPowerIrp
    • KeSetSystemAffinityThread
    • KeQueryActiveProcessors
    • KeDelayExecutionThread
    • MmMapIoSpace
    • __C_specific_handler
    • ObfDereferenceObject
    • KeSetEvent
    • ObReferenceObjectByHandle
    • ExEventObjectType
    • MmGetPhysicalAddress
    • MmMapLockedPages
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • KeWaitForSingleObject
    • IofCallDriver
    • IoBuildSynchronousFsdRequest
    • KeInitializeEvent
    • IoGetDeviceObjectPointer
    • IoGetDeviceInterfaces
    • IoCreateSymbolicLink
    • IoCreateDevice

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "3825d7faf861af9ef490e726b5d65ad5",
      "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
      "TBS": {
        "MD5": "d6c7684e9aaa508cf268335f83afe040",
        "SHA1": "18066d20ad92409c567cdfde745279ff71c75226",
        "SHA256": "a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff",
        "SHA384": "35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7"
      },
      "ValidFrom": "2007-06-15 00:00:00",
      "ValidTo": "2012-06-14 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
      "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
      "TBS": {
        "MD5": "518d2ea8a21e879c942d504824ac211c",
        "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
        "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
        "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
      },
      "ValidFrom": "2003-12-04 00:00:00",
      "ValidTo": "2013-12-03 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "655226e1b22e18e1590f2985ac22e75c",
      "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
      "TBS": {
        "MD5": "650704c342850095f3288eaf791147d4",
        "SHA1": "4cdc38c800761463749c3cbd94a12f32e49877bf",
        "SHA256": "07b8f662558ec85b71b43a79c6e94698144f4ced2308af21e7ba1e5d461da214",
        "SHA384": "2a271d052213438467d09d60eaa4010c8642fff3eb0070e0cf9969428713c8fdc066b90996d594dd3136f5bd0af5a22a"
      },
      "ValidFrom": "2009-05-21 00:00:00",
      "ValidTo": "2019-05-20 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610c120600000000001b",
      "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
      "TBS": {
        "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
        "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
        "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
        "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
      },
      "ValidFrom": "2006-05-23 17:01:29",
      "ValidTo": "2016-05-23 17:11:29",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "534abed0be56d9840dd12ddb84f8b031",
      "Signature": "637b2f21e7ca2d9c511e9d61685062a36b1fa997fd860d4ebad28445116b417cef4a1bd7dfeb3a0aa4de2e23eae4c7f3abf12e823e3f4aa43e11df3c5bc1822d42125ae4c85c5b1de854950abdf7c1c1dce54186c2294bee017fdacfb123b13d8b1fce69fd7f1f40a112a4b8ca5e17a54251afae7b60f5e5e75cc20cc86bb0578c8478d21c7293af4613094ceff5ead14b0933572693afa4157fbb2ab13cb7a8d44d99fff11be3c0813bbb421ee7a0ed6e6da8f0d0ba915af1db2c9bd63d1bf371ddad6002debf35d03c124253aa9f4b06e5e448a075ef4d084b8061724d7263d19c48b28d916c8a582b5841a161e18d48d6c9618b8100f4194ca648a2fc656b",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation",
      "TBS": {
        "MD5": "4914c1d2c944d48a9636059155440df8",
        "SHA1": "0337264fca5a8d774786b5b275e03ab42edb11ae",
        "SHA256": "8833131f04e02297c80b986ec7e7793e194fb144470dc36cc57a376487c2750b",
        "SHA384": "8450d31af22887ac50415c01d88f7eb6081b7044ab8f35ac0b63e09828786258e73fed98f37c99df6d5472b6a34f6db3"
      },
      "ValidFrom": "2009-07-31 00:00:00",
      "ValidTo": "2011-09-01 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
      "SerialNumber": "534abed0be56d9840dd12ddb84f8b031",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09