afb8bb46-1d13-407d-9866-1daa7c82ca63

echo_driver.sys

Description

Bad access controls in Inspect Element Ltd.'s echo_driver.sys allows attacker to gain arbitrary memory read and write, which allows for easy Privilege Escalation via Token Theft.

UUID: afb8bb46-1d13-407d-9866-1daa7c82ca63
Created: 2023-07-14
Author: Protocol & Zach
Acknowledgement: protocol | @WindowsKernel

Download

This download link contains the vulnerable driver!

Commands

sc.exe create echo_driver.sys binPath=C:\windows\temp\echo_driver.sys type=kernel &amp;&amp; sc.exe start echo_driver.sys

Use Case	Privileges	Operating System
Elevate privileges, arbitrary memory read/write	kernel	Windows 10/11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://ioctl.fail/echo-ac-writeup/

https://github.com/kite03/echoac-poc/tree/main/PoC

Known Vulnerable Samples

Property	Value
Filename	echo_driver.sys
MD5	187ddca26d119573223cf0a32ba55a61
SHA1	a93197c8c1897a95c4fb0367d7451019ae9f3054
SHA256	ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9
Authentihash MD5	cad120d8ba6473b07a3b76a41921d720
Authentihash SHA1	678620a9cc9e7ffe179bc5cda0a2dd0597e231ee
Authentihash SHA256	92f9d73cec5ab3352c4b3cbf4574d13b2e506cba24cc74580e19e941063eaf7d
RichPEHeaderHash MD5	cc4824dfc6c671b058dc67ec8bf938b4
RichPEHeaderHash SHA1	c47436cdd195b3f6272869d73144fbd3771f8491
RichPEHeaderHash SHA256	431855c1601ceb0745917f8b160449568c3fc9049779c5e2a7613a61728afc6b
Publisher	Microsoft Windows Hardware Compatibility Publisher

Download

Certificates

Expand

Certificate 33000000433a68189e33902987000000000043

Field	Value
ToBeSigned (TBS) MD5	3d790bd5602e84a4aa8560133ced0a41
ToBeSigned (TBS) SHA1	909e31e3e3808ab55d508fc0ba47e0132a57d7ab
ToBeSigned (TBS) SHA256	ac1acbcba260f10270527c3762457c1b96818466df9da51dfec3b147c90db453
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
ValidFrom	2020-12-15 22:25:28
ValidTo	2021-12-02 22:25:28
Signature	3a8e15af3660c47a1def4303906af38b6ca69186409b4f44ebe8106ece701f6e00e734fe1d0bb290d1496c3f17859e1f9ff1f31080dd8bfd2bb5013956c2f49ffe73916654f04c35b9df2fb27c55a71df3d8e1f25185d398abed244b42e27741c0b1c953c139c011b801f00e80ea992005a1305dd65bcb2032790b0d87636b75d2fb8f431546cd906ab0a55083a26d2649d822871b6aacd1b4d8c74ea2366903eeb318e7826db64e3a858d6377cf2f9a628f21d6ef65279603c18d25d365dd370cef1a45527deec589a331a221c909a8b0d2010d078970678c648d62168056e3b775233eac20e50cc039a85900749f627a419e8959fcf21efc89da76426107e43261ccdcaebad659b89abfdd5d1a78e9d438868b9ff58cac5176bddff8c8dd11008ed72ed249bb7d78af559b04561e6b44aae7846b103d2db8c0e31a5f661851f97acba0757b474c1caa49cf8eed86de15a4118743a418b6b415e7770265801ba51061b5d32125ed5ba1e27fe83ac795f9cc868949b14d59eb4f596763da9102f9e6ae8fe92de61d68af67a906e0be424f5c81dcecd4d190953a66384c3b5fe33f7b402a0934c2befd4a51b2f2850ef05e156fc4e1460eab2f67e3cbc999db761f57970ccafbc49040e999965f5306c1f5c90ce172d889a3aa63ec502a60020b2a7b4fff562b9dc5c50a8e06bc52f04ff0fe535591e2e6b7325239666152819a
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	33000000433a68189e33902987000000000043
Version	3

Certificate 330000000d690d5d7893d076df00000000000d

Field	Value
ToBeSigned (TBS) MD5	83f69422963f11c3c340b81712eef319
ToBeSigned (TBS) SHA1	0c5e5f24590b53bc291e28583acb78e5adc95601
ToBeSigned (TBS) SHA256	d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
ValidFrom	2014-10-15 20:31:27
ValidTo	2029-10-15 20:41:27
Signature	96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	True
SerialNumber	330000000d690d5d7893d076df00000000000d
Version	3

Imports

Expand

cng.sys
ntoskrnl.exe
WDFLDR.SYS

Imports

Expand

cng.sys
ntoskrnl.exe
WDFLDR.SYS

ImportedFunctions

Expand

BCryptVerifySignature
BCryptCreateHash
BCryptDestroyKey
BCryptFinishHash
BCryptDestroyHash
BCryptImportKeyPair
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptHashData
BCryptOpenAlgorithmProvider
IoGetCurrentProcess
ObRegisterCallbacks
ObUnRegisterCallbacks
ObGetFilterVersion
PsGetProcessId
PsGetThreadProcessId
PsProcessType
PsThreadType
DbgPrint
ExAllocatePoolWithTag
IoDeleteDevice
ProbeForRead
ZwCreateFile
ZwQueryInformationFile
ZwReadFile
ZwClose
SeLocateProcessImageName
RtlGetVersion
IofCompleteRequest
ObReferenceObjectByHandle
ObfDereferenceObject
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwQueryVirtualMemory
MmCopyVirtualMemory
__C_specific_handler
ZwOpenProcess
ZwQuerySystemInformation
ZwQueryInformationProcess
IoDeleteSymbolicLink
RtlCopyUnicodeString
DbgPrintEx
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
ExFreePoolWithTag
WdfVersionUnbind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionBind

ExportedFunctions

Expand

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "33000000433a68189e33902987000000000043",
      "Signature": "3a8e15af3660c47a1def4303906af38b6ca69186409b4f44ebe8106ece701f6e00e734fe1d0bb290d1496c3f17859e1f9ff1f31080dd8bfd2bb5013956c2f49ffe73916654f04c35b9df2fb27c55a71df3d8e1f25185d398abed244b42e27741c0b1c953c139c011b801f00e80ea992005a1305dd65bcb2032790b0d87636b75d2fb8f431546cd906ab0a55083a26d2649d822871b6aacd1b4d8c74ea2366903eeb318e7826db64e3a858d6377cf2f9a628f21d6ef65279603c18d25d365dd370cef1a45527deec589a331a221c909a8b0d2010d078970678c648d62168056e3b775233eac20e50cc039a85900749f627a419e8959fcf21efc89da76426107e43261ccdcaebad659b89abfdd5d1a78e9d438868b9ff58cac5176bddff8c8dd11008ed72ed249bb7d78af559b04561e6b44aae7846b103d2db8c0e31a5f661851f97acba0757b474c1caa49cf8eed86de15a4118743a418b6b415e7770265801ba51061b5d32125ed5ba1e27fe83ac795f9cc868949b14d59eb4f596763da9102f9e6ae8fe92de61d68af67a906e0be424f5c81dcecd4d190953a66384c3b5fe33f7b402a0934c2befd4a51b2f2850ef05e156fc4e1460eab2f67e3cbc999db761f57970ccafbc49040e999965f5306c1f5c90ce172d889a3aa63ec502a60020b2a7b4fff562b9dc5c50a8e06bc52f04ff0fe535591e2e6b7325239666152819a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "3d790bd5602e84a4aa8560133ced0a41",
        "SHA1": "909e31e3e3808ab55d508fc0ba47e0132a57d7ab",
        "SHA256": "ac1acbcba260f10270527c3762457c1b96818466df9da51dfec3b147c90db453",
        "SHA384": "c548f472f381df2da149c036e2f47be20293838eb23adce5e1b0ad1ba1fe8c33f688528452146c87dcb26070a2a23ced"
      },
      "ValidFrom": "2020-12-15 22:25:28",
      "ValidTo": "2021-12-02 22:25:28",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "33000000433a68189e33902987000000000043",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2023-12-02