bb808089-5857-4df2-8998-753a7106cb44

DBUtilDrv2.sys :inline :inline

Description

Dell DBUtilDrv2.sys versions 2.5, 2.6, and 2.7 all contain a write-what-where condition allowing kernel memory read/write. Dell released v2.7 as a remediation for CVE-2021-36276 but the fix was incomplete. Rapid7 confirmed v2.7 retains the kernel memory primitive and published the dellicious PoC and a Metasploit module (post/windows/manage/dell_memory_protect) that works against both v2.5 and v2.7. Dell categorized the v2.7 issue as a weakness rather than a vulnerability, stating it requires admin privileges.

  • UUID: bb808089-5857-4df2-8998-753a7106cb44
  • Created: 2023-01-09
  • Author: Michael Haag

Download

This download link contains the vulnerable driver!

Block DBUtilDrv2.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create DBUtilDrv2.sys binPath=C:\windows\temp\DBUtilDrv2.sys type=kernel && sc.exe start DBUtilDrv2.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/jbaines-r7/dellicious
  • https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
  • https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows-windows-kernel-level-attacks/
  • https://www.rapid7.com/db/modules/post/windows/manage/dell_memory_protect/

    • Known Vulnerable Samples

    PropertyValue
    FilenameDBUtilDrv2.sys
    Creation Timestamp2019-11-19 13:14:20
    MD5dacb62578b3ea191ea37486d15f4f83c
    SHA190a76945fd2fa45fab2b7bcfdaf6563595f94891
    SHA2562e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8
    Authentihash MD53736439958e5533142648f0d278fe7df
    Authentihash SHA16bc2ab0f03d7a58685a165b519e8fee6937526a6
    Authentihash SHA256d7c683ef033ac2dc4dfa0dc61f39931f91c0e8fd19e613f664cb03e14112ef6e
    RichPEHeaderHash MD57f1debacbafd3f259d7a213425c71b5f
    RichPEHeaderHash SHA19f5421410b697087e15bde4d688b7f33370f386f
    RichPEHeaderHash SHA256cefbbb88c4a69bad4c4a1698a8713d367f533be903326056cfa6fdbf4303e736

    Download

    Certificates

    Expand
    Certificate 33000000857f83dc2a6ca979b8000000000085
    FieldValue
    ToBeSigned (TBS) MD585e8c40624a19ac2076dd91f49d8fb53
    ToBeSigned (TBS) SHA1621756d2a4e10231e34677a3c0f2a8d1fb0fb7ca
    ToBeSigned (TBS) SHA256442ba2fb3fc8ab1b1b3c71a45f6ea08ce00cea7eae124ef915d4c17622eb336a
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom2019-06-05 18:06:32
    ValidTo2020-06-03 18:06:32
    Signature11f64665e99ee9a3212a8317075cf2122256a6cd5452564366da4b3e890c7a94b167d27a0cb1e962de146f371429f531349fc359cccece5f32fa84cd25231f892e44c4676b5ff4008ce6b3f3d9a2690a956a2a6a9e982ba8ebd4256971437156136a25b2e5184e11550aecb83f5ec8ae5467e866d6bbf44b9e8642c8bd5e316a4a494f676aa15eefad41893dd0a7187c881fa235b45f1a0696a8ad2d5c1531eed442d7281290b84f976f9ca241027378c241157a326739b2e8305adbfcef5005f5ccec402c1ab03d6e28c36987ae0d07cd12e41a348098d846f57c3225dbfed0c1b809ad311770854d368d150ee7767676c39a3d148f05cf7c2dcea5f1f7c6f2
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber33000000857f83dc2a6ca979b8000000000085
    Version3
    Certificate 610baac1000000000009
    FieldValue
    ToBeSigned (TBS) MD5a569061297e8e824767dbc3184a69bea
    ToBeSigned (TBS) SHA1adbb26a587a8f44b4fccaecb306f980d1c55a150
    ToBeSigned (TBS) SHA256cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012
    ValidFrom2012-04-18 23:48:38
    ValidTo2027-04-18 23:58:38
    Signature5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber610baac1000000000009
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WppRecorder.sys
    • WDFLDR.SYS

    Imported Functions

    Expand
    • MmGetSystemRoutineAddress
    • MmFreeContiguousMemorySpecifyCache
    • MmAllocateContiguousMemorySpecifyCache
    • MmUnmapIoSpace
    • MmMapIoSpace
    • MmGetPhysicalAddress
    • RtlCopyUnicodeString
    • KeSetPriorityThread
    • KeInsertQueueDpc
    • IoWMIRegistrationControl
    • RtlInitUnicodeString
    • imp_WppRecorderReplay
    • WppAutoLogStop
    • WppAutoLogStart
    • WppAutoLogTrace
    • WdfVersionUnbindClass
    • WdfVersionBindClass
    • WdfVersionUnbind
    • WdfVersionBind

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "33000000857f83dc2a6ca979b8000000000085",
      "Signature": "11f64665e99ee9a3212a8317075cf2122256a6cd5452564366da4b3e890c7a94b167d27a0cb1e962de146f371429f531349fc359cccece5f32fa84cd25231f892e44c4676b5ff4008ce6b3f3d9a2690a956a2a6a9e982ba8ebd4256971437156136a25b2e5184e11550aecb83f5ec8ae5467e866d6bbf44b9e8642c8bd5e316a4a494f676aa15eefad41893dd0a7187c881fa235b45f1a0696a8ad2d5c1531eed442d7281290b84f976f9ca241027378c241157a326739b2e8305adbfcef5005f5ccec402c1ab03d6e28c36987ae0d07cd12e41a348098d846f57c3225dbfed0c1b809ad311770854d368d150ee7767676c39a3d148f05cf7c2dcea5f1f7c6f2",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "85e8c40624a19ac2076dd91f49d8fb53",
        "SHA1": "621756d2a4e10231e34677a3c0f2a8d1fb0fb7ca",
        "SHA256": "442ba2fb3fc8ab1b1b3c71a45f6ea08ce00cea7eae124ef915d4c17622eb336a",
        "SHA384": "19b80fb83482cdb42c94c2eabac29e4db7777988905aab348bd7ed62e325d2ea1f4c80df0d7275abcb2b67585cfc7c36"
      },
      "ValidFrom": "2019-06-05 18:06:32",
      "ValidTo": "2020-06-03 18:06:32",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "610baac1000000000009",
      "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "TBS": {
        "MD5": "a569061297e8e824767dbc3184a69bea",
        "SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
        "SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
        "SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
      },
      "ValidFrom": "2012-04-18 23:48:38",
      "ValidTo": "2027-04-18 23:58:38",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "SerialNumber": "33000000857f83dc2a6ca979b8000000000085",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}
    PropertyValue
    FilenameDBUtilDrv2.sys
    Creation Timestamp2021-05-06 19:20:18
    MD5d104621c93213942b7b43d65b5d8d33e
    SHA1b03b1996a40bfea72e4584b82f6b845c503a9748
    SHA25671fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009
    Authentihash MD51e96108c0938d4c34d7072f04bc8b951
    Authentihash SHA1d46ae9bcc746ca408fbb55fb0d61b638720a8f25
    Authentihash SHA2567bacb353363cc29f7f3815a9d01e85cd86202d92378d1ab1b11df1ab2f42f40a
    RichPEHeaderHash MD555da99917deafbd2428eba37ab352764
    RichPEHeaderHash SHA172420433a55e6c3b3dd02e90ad238c5f5f632344
    RichPEHeaderHash SHA2567c8e32c30b6f8a981e4b54696e979a23cc9662b6440c2c8833494bc6d17cd9fe
    CompanyDell
    DescriptionDBUtil
    ProductDBUtil

    Download

    Certificates

    Expand
    Certificate 33000000b5213fca1e4aa03de40000000000b5
    FieldValue
    ToBeSigned (TBS) MD5a0dd89c33c4973bf6758331e200fb6de
    ToBeSigned (TBS) SHA165ff7fa429c0f08f8a8bf30509e8ca2919d9edb5
    ToBeSigned (TBS) SHA25629a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom2020-12-15 22:15:33
    ValidTo2021-12-02 22:15:33
    Signature0d2d53cd15a8feddcb17e2df1bf7dc1aef21e98c6cd220f58b593824849c134a0f1add59ce42ef80ddf47860273013604d9568ec5894a797bd4e571432a9aaf10ab04dd1c038b26ab7c5ca3a9c88d009267fab56254525546a0a055fb37b9cd8029c7d501809fc8b11482c7a4347b3ad29f35427c9570e87117db52cc94864259274b9e2e758f918a3af1fdb9f9d40ffa3ae2e2ae012fb97a436258642a2a4223dc6690db88103a6e5220646bd8afb3d12eb894ac28b527396a1965408487f6ab878b3c474b8c960842861ae8e799a3d2a8d6f918f50f8e26bb1ed6ced47be36e447574e8568582964ff31cd288b9c7f8d7e6a46d6c3d92f5c101fe1522a720c
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber33000000b5213fca1e4aa03de40000000000b5
    Version3
    Certificate 610baac1000000000009
    FieldValue
    ToBeSigned (TBS) MD5a569061297e8e824767dbc3184a69bea
    ToBeSigned (TBS) SHA1adbb26a587a8f44b4fccaecb306f980d1c55a150
    ToBeSigned (TBS) SHA256cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012
    ValidFrom2012-04-18 23:48:38
    ValidTo2027-04-18 23:58:38
    Signature5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber610baac1000000000009
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • MmMapIoSpace
    • MmUnmapIoSpace
    • MmAllocateContiguousMemorySpecifyCache
    • KeSetPriorityThread
    • MmGetPhysicalAddress
    • KeBugCheckEx
    • KeInsertQueueDpc
    • RtlCopyUnicodeString
    • IoWMIRegistrationControl
    • MmGetSystemRoutineAddress
    • MmFreeContiguousMemorySpecifyCache
    • RtlInitUnicodeString
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass
    • WdfVersionBindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "33000000857f83dc2a6ca979b8000000000085",
      "Signature": "11f64665e99ee9a3212a8317075cf2122256a6cd5452564366da4b3e890c7a94b167d27a0cb1e962de146f371429f531349fc359cccece5f32fa84cd25231f892e44c4676b5ff4008ce6b3f3d9a2690a956a2a6a9e982ba8ebd4256971437156136a25b2e5184e11550aecb83f5ec8ae5467e866d6bbf44b9e8642c8bd5e316a4a494f676aa15eefad41893dd0a7187c881fa235b45f1a0696a8ad2d5c1531eed442d7281290b84f976f9ca241027378c241157a326739b2e8305adbfcef5005f5ccec402c1ab03d6e28c36987ae0d07cd12e41a348098d846f57c3225dbfed0c1b809ad311770854d368d150ee7767676c39a3d148f05cf7c2dcea5f1f7c6f2",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "85e8c40624a19ac2076dd91f49d8fb53",
        "SHA1": "621756d2a4e10231e34677a3c0f2a8d1fb0fb7ca",
        "SHA256": "442ba2fb3fc8ab1b1b3c71a45f6ea08ce00cea7eae124ef915d4c17622eb336a",
        "SHA384": "19b80fb83482cdb42c94c2eabac29e4db7777988905aab348bd7ed62e325d2ea1f4c80df0d7275abcb2b67585cfc7c36"
      },
      "ValidFrom": "2019-06-05 18:06:32",
      "ValidTo": "2020-06-03 18:06:32",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "610baac1000000000009",
      "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "TBS": {
        "MD5": "a569061297e8e824767dbc3184a69bea",
        "SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
        "SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
        "SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
      },
      "ValidFrom": "2012-04-18 23:48:38",
      "ValidTo": "2027-04-18 23:58:38",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "SerialNumber": "33000000857f83dc2a6ca979b8000000000085",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-04-20