{"id":998671,"date":"2023-11-02T13:01:36","date_gmt":"2023-11-02T15:01:36","guid":{"rendered":"https:\/\/teknomers.com\/fr\/des-chercheurs-decouvrent-34-pilotes-windows-vulnerables-au-rachat-complet-de-lappareil\/"},"modified":"2023-11-02T13:01:40","modified_gmt":"2023-11-02T15:01:40","slug":"des-chercheurs-decouvrent-34-pilotes-windows-vulnerables-au-rachat-complet-de-lappareil","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/des-chercheurs-decouvrent-34-pilotes-windows-vulnerables-au-rachat-complet-de-lappareil\/",
"title":{"rendered":"Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover"},
"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">02 November 2023<\/span><span class=\"author\">Editorial<\/span><\/span><span class=\"p-tags\">Endpoint Security\/Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>As many as 34 unique vulnerable Windows Driver Model (<a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/introduction-to-wdm\" target=\"_blank\">WDM<\/a>) and Windows Driver Framework (<a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/wdf\/\" target=\"_blank\">WDF<\/a>) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.<\/p>\n<p>&#8220;By exploiting the drivers, an attacker without privilege may erase\/alter firmware and\/or elevate [operating system] privileges,&#8221; Takahiro Haruyama, senior threat researcher at VMware Carbon Black, <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/cci_forensics\/status\/1719526934294700467\" target=\"_blank\">said<\/a>.<\/p>\n<p>The <a rel=\"nofollow noopener\" href=\"https:\/\/blogs.vmware.com\/security\/2023\/10\/hunting-vulnerable-kernel-drivers.html\" target=\"_blank\">research<\/a> expands on previous studies, such as <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/eclypsium\/Screwed-Drivers\" target=\"_blank\">ScrewedDrivers<\/a> and <a rel=\"nofollow noopener\" href=\"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3564625.3564631\" target=\"_blank\">POPKORN<\/a>, which used <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Symbolic_execution\" target=\"_blank\">symbolic execution<\/a> to automate the discovery of vulnerable drivers. It focuses specifically on drivers that contain firmware access through port I\/O and memory-mapped I\/O.<\/p>\n<p>The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20598\" target=\"_blank\">CVE-2023-20598<\/a>), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys and TdkLib64.sys (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-35841\" target=\"_blank\">CVE-2023-35841<\/a>).<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2023\/11\/1698937296_597_Des-chercheurs-decouvrent-34-pilotes-Windows-vulnerables-au-rachat-complet.jpg\" style=\"clear: left; display: block; float: left; text-align: center;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2023\/11\/1698937296_597_Des-chercheurs-decouvrent-34-pilotes-Windows-vulnerables-au-rachat-complet.jpg\" alt=\"Device takeover\" border=\"0\" data-original-height=\"540\" data-original-width=\"728\" title=\"Device takeover\"\/><\/a><\/div>\n<p>Of the 34 drivers, six allow kernel memory access that can be abused to elevate privileges and defeat security solutions. Twelve of the drivers could be exploited to <a rel=\"nofollow noopener\" href=\"https:\/\/www.loldrivers.io\/\" target=\"_blank\">subvert security mechanisms<\/a> such as kernel address space layout randomization (<a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\" target=\"_blank\">KASLR<\/a>).<\/p>\n<p>Seven of the drivers, including Intel&#8217;s stdcdrv64.sys, can be used to erase firmware in <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Flash_memory#Serial_flash\" target=\"_blank\">SPI flash memory<\/a>, rendering the system unbootable. Intel has since released a fix for the issue.<\/p>\n<p>VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially used by privileged threat actors to carry out what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.<\/p>\n<p>This technique has been used by various adversaries, including the North Korea-linked Lazarus Group, as a way to obtain elevated privileges and disable security software running on compromised endpoints in order to evade detection.<\/p>\n<p>&#8220;The current scope of the APIs\/instructions targeted by the [<a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/TakahiroHaruyama\/VDR\" target=\"_blank\">IDAPython script<\/a> for automating static code analysis of x64 vulnerable drivers] is narrow and limited only to firmware access,&#8221; Haruyama said.<\/p>\n<p>&#8220;However, it is easy to extend the code to cover other attack vectors (e.g., terminating arbitrary processes).&#8221;<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2023\/11\/researchers-find-34-windows-drivers.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>02 November 2023 Editorial Endpoint Security\/Malware As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Framework (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. &#8220;By exploiting the drivers, an [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":998672,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,12848,4168,5197,4165,4161,200267,3073,133,4159,4171,30410,200271,200268,200269,200270,2046,4710,128318,4172,4169,4166,4164,4698,45020],"class_list":["post-998671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-chercheurs","tag-comment-pirater","tag-complet","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-decouvrent","tag-des","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-lappareil","tag-logiciel-malveillant-rancongiciel","tag-mises-a-jour-sur-la-cybersecurite","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-pilotes","tag-rachat","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-vulnerables","tag-windows"],
"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/998671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=998671"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/998671\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/998672"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=998671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=998671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=998671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}