942f58d2-1300-4957-98a0-5f8d601bf55b

sepdrv3_1.sys :inline

Description

The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

  • UUID: 942f58d2-1300-4957-98a0-5f8d601bf55b
  • Created: 2023-11-02
  • Author: Takahiro Haruyama
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create sepdrv3_1sys binPath= C:\windows\temp\sepdrv3_1sys.sys type=kernel && sc.exe start sepdrv3_1sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html

  • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2010-12-09 20:32:49
    MD529b1ddc69e89b160cc3722e5e0738fd8
    SHA1c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab
    SHA256b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6
    Authentihash MD5bf5f82976c0c5c48cb5631bf6eda8e6c
    Authentihash SHA19d28ee1a0348c8fd0f90580fcd81a6338e372eac
    Authentihash SHA256abb507455dd1e23e91753f17d6d7a8a5d6572e288f25eb75e4cbdd2e60adae88
    RichPEHeaderHash MD5239140411c59e5ec01ebed2b1897723f
    RichPEHeaderHash SHA11ae9ec22ef54915ddf3f28aa92adcbf0ffcfb6e6
    RichPEHeaderHash SHA256dff73a2897cfc734bf171b53ff21ee3e77ce0d3325eee1d533b16e049c1a9cbd

    Download

    Certificates

    Expand
    Certificate 05b0ff
    FieldValue
    ToBeSigned (TBS) MD5f532f9999c3f7a078f0f973c726a2a04
    ToBeSigned (TBS) SHA1f56832bc9412c372f9a8744591258f8bb11af2d8
    ToBeSigned (TBS) SHA2564c75ce4be51027c4e1f7422775c3ae79d5195ffc0ff7f379123a603ccb702c60
    SubjectC=US, O=Intel Corporation, CN=Intel External Basic Policy CA
    ValidFrom2006-02-16 18:01:30
    ValidTo2016-02-19 18:01:30
    Signature131038ada454a5489545b02d3772c09f9ed8ef8f0bfb9096d2b6177951cab3df067ebdb4e9083f84a00c939fb31ca86c8acf2deef99012f0f83a26d773810e9fc4319259d4282541f555f1ca3d993dda64c8d21864223209092d1de331fafdd347d764a8f95dea8227e24fd2612124611d54263e145964b098d5f3a7c3aead50
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber05b0ff
    Version3
    Certificate 3825d7faf861af9ef490e726b5d65ad5
    FieldValue
    ToBeSigned (TBS) MD5d6c7684e9aaa508cf268335f83afe040
    ToBeSigned (TBS) SHA118066d20ad92409c567cdfde745279ff71c75226
    ToBeSigned (TBS) SHA256a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2
    ValidFrom2007-06-15 00:00:00
    ValidTo2012-06-14 23:59:59
    Signature50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber3825d7faf861af9ef490e726b5d65ad5
    Version3
    Certificate 47bf1995df8d524643f7db6d480d31a4
    FieldValue
    ToBeSigned (TBS) MD5518d2ea8a21e879c942d504824ac211c
    ToBeSigned (TBS) SHA121ce87d827077e61abddf2beba69fde5432ea031
    ToBeSigned (TBS) SHA2561ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
    ValidFrom2003-12-04 00:00:00
    ValidTo2013-12-03 23:59:59
    Signature4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47bf1995df8d524643f7db6d480d31a4
    Version3
    Certificate 610bdc8f00000000001a
    FieldValue
    ToBeSigned (TBS) MD56e11ed171e9a07e607b8ca65bf0e8858
    ToBeSigned (TBS) SHA16d329a72420f76868584957854cdc45172e9f902
    ToBeSigned (TBS) SHA25675efb8656a18ba5dacc596757bfb0fa11f0d3d81fd5f8cf9bb8975ced87e7b1b
    SubjectC=US, O=Equifax, OU=Equifax Secure Certificate Authority
    ValidFrom2006-05-23 17:01:15
    ValidTo2016-05-23 17:11:15
    Signature87a40f6b55916248ff54811ccf5db6c5a514aa671df485f6860d38b31c8d22ce7c867946fb71e16114d0ed4e46a48bca64654094f92ad7870ca9b7bedcc40bbd09c106eb9530841b9d8de7bc70c6f86539c4e5c4e65c8fcda130baef065e555290edd8587f15142ecc21a593dab8508d805e6e22a70fde8093add71d24b02aa2f4f20b98750131cc69bc359b3d13662f21bde54ec3639cc8518d59f5b600937ef10c35b0f4180dbfa7bdb2aae16b9f3ce6bb41b5d904e7c8a63abf8a5bdcaa9a3cd2c8dfcb1774163d78470b4c108e406616a0f300ede034998af0f9460ff27fbf202c972616d59e81da94a6dc61c8f18e092d4e32d03df682267d91d7a6c67bc1311d210ed4a342c1b4dfc0446b4f2aeebb29d62787b0a450ae1a9ab5f996f4ccabe52b3df166e2d5e1c3f0c687b659536638026e6194df1563aa415052f9bb64dc95e05b6c2aacfed6e603c21ff65557fe7e813fcb5a0bc1029cac84e47cd3f4c25a17c312706009ec82e5eccdd0b2106d69868c8da60e0416c57164ebd95bb8b08cfc32427e60846f655b7244272b846181f461d50fd51dbc05a27a5f937f26d1c8b3afa0190723e43e225d32d14a0fcee7b72a5c7b6e1c57126864e8337e8c501340a487b0d3a69b1eacbd3d7812bc52af09e0bab0508e5c81f98383af1482f50a6d035721bb9ac32e66fb04215b0a120fc1c907d63cecabf9a52f90883a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610bdc8f00000000001a
    Version3
    Certificate 1123134f000000003467
    FieldValue
    ToBeSigned (TBS) MD59812d51dd7191df33ae0d79e41cf1029
    ToBeSigned (TBS) SHA1fb7d38a917d7e96f2b1644b3f6190bb81c4ff95d
    ToBeSigned (TBS) SHA2569ed95f0593fe84359bb039001cc711363351d94b77f91478549394e047d34041
    SubjectO=Intel Corporation, CN=Intel(R) Software Products
    ValidFrom2009-02-17 16:45:58
    ValidTo2012-02-17 16:45:58
    Signature953c5743cfa5e9f3843434b86050f0027fe0dfda57a913d32351fccc86a39c97ee49e7a4494fe635b0f2758dc2f6fb3f56896ba9357fc95bbec618e04b63be2d63a83ccabe41cab741325227b2400a63630e7fb0cb2104d84fea910cca3d71d2911524ea911057c5e6a6569d4111fc48beebb1dc56be4ba16eb4f0e9fdb27ae047d5dec92826e641733631c7f27877e5b1c67e341ab8e5489f61f6c69aa2d9a60f51568581d5fe0aece485eba1de6e0659eac6ebaab8f2333d1532e3ba3ed148631d26afb5ad1bf6ec0b19c6488ae3bdd89a80a87f759d1940f844676943dc77c9e08c75fd3d856f3946cd7877d5258896347731f5accc6093d5b3ac1c6df484
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber1123134f000000003467
    Version3
    Certificate 612ca5fe000000000006
    FieldValue
    ToBeSigned (TBS) MD5d57bb4703bfadc967106de63a7eac3ab
    ToBeSigned (TBS) SHA1fbf834ee955bff2780dc7208e9bdffd3998864f8
    ToBeSigned (TBS) SHA256616b1fe817378e8d8939abd5a998ecd3bee921ffb7189081357d2f2c688c76c3
    SubjectC=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B
    ValidFrom2006-03-22 22:22:47
    ValidTo2012-03-22 22:32:47
    Signature408965872fa4f6d505c5643c9a508c9ed2387b7f8d065ea8bbe51a3925ba513ad95906ac91abaa0f3001ba220c5de4177d4ccb4d90ebe0ba49c59cad72d7b51d3212ce97e16e22713e1405a4f34dda456dbb3ac5fea2dd0a98f8a82a76772f52b9a9c412deda7aa2bec0699cddd30d2a162b66e147cff679d35d0b58f57339409d3b20a143137b653a56a62a18db88957714a8a00957ac3d94b1f61d86ed57b88ab11fcfdd79564b36e802471996a010737133d7b19207a6e0436c1beb74bd8aa7f71ed8b2a27a7e66ce4b2af38f36f70987847f213948bf9fdd5c7db8cb100f26fc2d508305742dc4b1079c51013eb452485f643e6ca36afc7852a15d3c4c82
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber612ca5fe000000000006
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • KeRemoveQueueDpc
    • RtlAnsiStringToUnicodeString
    • KeGetCurrentProcessorNumberEx
    • RtlInitUnicodeString
    • IoDeleteDevice
    • KeInitializeEvent
    • RtlInitString
    • KeFlushQueuedDpcs
    • KeQueryActiveProcessorCountEx
    • RtlAppendUnicodeStringToString
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • PsGetCurrentThreadId
    • PsGetCurrentProcessId
    • RtlCopyUnicodeString
    • IoCreateDevice
    • DbgPrint
    • MmUnmapIoSpace
    • MmMapIoSpace
    • ZwQueryInformationProcess
    • ExAllocatePoolWithTag
    • KeClearEvent
    • KeSetImportanceDpc
    • KeSetTargetProcessorDpcEx
    • KeGetProcessorNumberFromIndex
    • KeSetEvent
    • KeInitializeDpc
    • KeInsertQueueDpc
    • KeWaitForSingleObject
    • KeResetEvent
    • KeSetPriorityThread
    • ZwCreateFile
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • _vsnprintf
    • ZwClose
    • ZwWriteFile
    • VerSetConditionMask
    • RtlVerifyVersionInfo
    • HalDispatchTable
    • KeInitializeTimer
    • KeSetTimerEx
    • KeCancelTimer
    • MmGetPhysicalAddress
    • PsSetLoadImageNotifyRoutine
    • PsSetCreateProcessNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • KeBugCheckEx
    • ExFreePoolWithTag
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • KeQueryPerformanceCounter

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "05b0ff",
          "Signature": "131038ada454a5489545b02d3772c09f9ed8ef8f0bfb9096d2b6177951cab3df067ebdb4e9083f84a00c939fb31ca86c8acf2deef99012f0f83a26d773810e9fc4319259d4282541f555f1ca3d993dda64c8d21864223209092d1de331fafdd347d764a8f95dea8227e24fd2612124611d54263e145964b098d5f3a7c3aead50",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA",
          "TBS": {
            "MD5": "f532f9999c3f7a078f0f973c726a2a04",
            "SHA1": "f56832bc9412c372f9a8744591258f8bb11af2d8",
            "SHA256": "4c75ce4be51027c4e1f7422775c3ae79d5195ffc0ff7f379123a603ccb702c60",
            "SHA384": "084772ceb63ae50ebd8125ba9eba0c9b38d0e94a806f58513f71f1d5489f52489b0dfbb8c67603a425a603451b3b1719"
          },
          "ValidFrom": "2006-02-16 18:01:30",
          "ValidTo": "2016-02-19 18:01:30",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "3825d7faf861af9ef490e726b5d65ad5",
          "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
          "TBS": {
            "MD5": "d6c7684e9aaa508cf268335f83afe040",
            "SHA1": "18066d20ad92409c567cdfde745279ff71c75226",
            "SHA256": "a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff",
            "SHA384": "35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7"
          },
          "ValidFrom": "2007-06-15 00:00:00",
          "ValidTo": "2012-06-14 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
          "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
          "TBS": {
            "MD5": "518d2ea8a21e879c942d504824ac211c",
            "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
            "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
            "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
          },
          "ValidFrom": "2003-12-04 00:00:00",
          "ValidTo": "2013-12-03 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "610bdc8f00000000001a",
          "Signature": "87a40f6b55916248ff54811ccf5db6c5a514aa671df485f6860d38b31c8d22ce7c867946fb71e16114d0ed4e46a48bca64654094f92ad7870ca9b7bedcc40bbd09c106eb9530841b9d8de7bc70c6f86539c4e5c4e65c8fcda130baef065e555290edd8587f15142ecc21a593dab8508d805e6e22a70fde8093add71d24b02aa2f4f20b98750131cc69bc359b3d13662f21bde54ec3639cc8518d59f5b600937ef10c35b0f4180dbfa7bdb2aae16b9f3ce6bb41b5d904e7c8a63abf8a5bdcaa9a3cd2c8dfcb1774163d78470b4c108e406616a0f300ede034998af0f9460ff27fbf202c972616d59e81da94a6dc61c8f18e092d4e32d03df682267d91d7a6c67bc1311d210ed4a342c1b4dfc0446b4f2aeebb29d62787b0a450ae1a9ab5f996f4ccabe52b3df166e2d5e1c3f0c687b659536638026e6194df1563aa415052f9bb64dc95e05b6c2aacfed6e603c21ff65557fe7e813fcb5a0bc1029cac84e47cd3f4c25a17c312706009ec82e5eccdd0b2106d69868c8da60e0416c57164ebd95bb8b08cfc32427e60846f655b7244272b846181f461d50fd51dbc05a27a5f937f26d1c8b3afa0190723e43e225d32d14a0fcee7b72a5c7b6e1c57126864e8337e8c501340a487b0d3a69b1eacbd3d7812bc52af09e0bab0508e5c81f98383af1482f50a6d035721bb9ac32e66fb04215b0a120fc1c907d63cecabf9a52f90883a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority",
          "TBS": {
            "MD5": "6e11ed171e9a07e607b8ca65bf0e8858",
            "SHA1": "6d329a72420f76868584957854cdc45172e9f902",
            "SHA256": "75efb8656a18ba5dacc596757bfb0fa11f0d3d81fd5f8cf9bb8975ced87e7b1b",
            "SHA384": "c41060ed797c77588692c0b3e36e19cca2d48c354863437f3df76009e25c916e8d2c7e17b297fbc59da085e98d070093"
          },
          "ValidFrom": "2006-05-23 17:01:15",
          "ValidTo": "2016-05-23 17:11:15",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "1123134f000000003467",
          "Signature": "953c5743cfa5e9f3843434b86050f0027fe0dfda57a913d32351fccc86a39c97ee49e7a4494fe635b0f2758dc2f6fb3f56896ba9357fc95bbec618e04b63be2d63a83ccabe41cab741325227b2400a63630e7fb0cb2104d84fea910cca3d71d2911524ea911057c5e6a6569d4111fc48beebb1dc56be4ba16eb4f0e9fdb27ae047d5dec92826e641733631c7f27877e5b1c67e341ab8e5489f61f6c69aa2d9a60f51568581d5fe0aece485eba1de6e0659eac6ebaab8f2333d1532e3ba3ed148631d26afb5ad1bf6ec0b19c6488ae3bdd89a80a87f759d1940f844676943dc77c9e08c75fd3d856f3946cd7877d5258896347731f5accc6093d5b3ac1c6df484",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "O=Intel Corporation, CN=Intel(R) Software Products",
          "TBS": {
            "MD5": "9812d51dd7191df33ae0d79e41cf1029",
            "SHA1": "fb7d38a917d7e96f2b1644b3f6190bb81c4ff95d",
            "SHA256": "9ed95f0593fe84359bb039001cc711363351d94b77f91478549394e047d34041",
            "SHA384": "96e69170aa75f30bee0fea80b6119faec6880219ce1e5bbf5194cab5d373225542681651840b07ba057056f3112a8666"
          },
          "ValidFrom": "2009-02-17 16:45:58",
          "ValidTo": "2012-02-17 16:45:58",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "612ca5fe000000000006",
          "Signature": "408965872fa4f6d505c5643c9a508c9ed2387b7f8d065ea8bbe51a3925ba513ad95906ac91abaa0f3001ba220c5de4177d4ccb4d90ebe0ba49c59cad72d7b51d3212ce97e16e22713e1405a4f34dda456dbb3ac5fea2dd0a98f8a82a76772f52b9a9c412deda7aa2bec0699cddd30d2a162b66e147cff679d35d0b58f57339409d3b20a143137b653a56a62a18db88957714a8a00957ac3d94b1f61d86ed57b88ab11fcfdd79564b36e802471996a010737133d7b19207a6e0436c1beb74bd8aa7f71ed8b2a27a7e66ce4b2af38f36f70987847f213948bf9fdd5c7db8cb100f26fc2d508305742dc4b1079c51013eb452485f643e6ca36afc7852a15d3c4c82",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B",
          "TBS": {
            "MD5": "d57bb4703bfadc967106de63a7eac3ab",
            "SHA1": "fbf834ee955bff2780dc7208e9bdffd3998864f8",
            "SHA256": "616b1fe817378e8d8939abd5a998ecd3bee921ffb7189081357d2f2c688c76c3",
            "SHA384": "6ab99b201bd5eaaa6c90aa7bd06e9f6de107bd494ef973bfd01ce31fd4abea81c347640ebdd206acad483bd9c5fe5562"
          },
          "ValidFrom": "2006-03-22 22:22:47",
          "ValidTo": "2012-03-22 22:32:47",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B",
          "SerialNumber": "1123134f000000003467",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2023-12-22