WDM (Windows Driver Model) drivers are a specific type of Windows kernel driver that uses the DDI (Device Driver Interface) routines to communicate with other drivers. They are responsible for interacting with hardware components. However, if a kernel driver is vulnerable, an attacker can exploit it to escalate privileges or execute malicious code in the kernel; loading such a driver deliberately for this purpose is commonly known as a BYOVD (Bring Your Own Vulnerable Driver) attack.
In this session, I will present five CVEs related to AMD's Windows kernel drivers, specifically CVE-2023-20556, CVE-2023-20561, CVE-2023-20562, CVE-2023-20560, and CVE-2023-20564. These vulnerabilities were discovered through a combination of fuzzing and manual reverse-engineering techniques. Among them, three are denial of service vulnerabilities and two are elevation of privilege vulnerabilities, found in the AMD products AMD μProf and AMD Ryzen Master, both of which are utilities for AMD CPUs. The denial of service vulnerabilities are caused by a lack of validation of the attacker-controlled input buffer, leading to a null pointer dereference. The two elevation of privilege vulnerabilities are the result of insufficient access control, allowing an attacker to write into arbitrary virtual memory and arbitrary physical memory, respectively.
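To make the first vulnerability class concrete, the following is an added example that models, in user-mode C, the dispatch logic of a METHOD_BUFFERED IOCTL handler; it is not AMD's driver code and not part of the original abstract. The `IOCTL_REQUEST` struct, the `REQUEST_T` layout, the magic value and both handler functions are hypothetical. The relevant kernel fact it relies on is that for METHOD_BUFFERED requests the I/O manager sets `Irp->AssociatedIrp.SystemBuffer` to NULL when the caller supplies neither an input nor an output buffer, so a handler that dereferences the buffer without checking `InputBufferLength` dereferences NULL, which is exactly the denial of service pattern described above. The hardened handler shows the checks a driver should perform before touching the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for the NTSTATUS codes a real driver would return. */
typedef int32_t NTSTATUS_T;
#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  (-1)
#define STATUS_BUFFER_TOO_SMALL   (-2)

/* Hypothetical request layout that a user-mode client sends with DeviceIoControl. */
#define REQUEST_MAGIC 0x41444d44u   /* constructed value, not from any real driver */
typedef struct {
    uint32_t magic;
    uint32_t op;
    uint64_t value;
} REQUEST_T;

/* Models the fields of the IRP / IO_STACK_LOCATION that the handler consults:
 * Irp->AssociatedIrp.SystemBuffer and Parameters.DeviceIoControl.*Length. */
typedef struct {
    void  *system_buffer;   /* NULL when both lengths are zero (METHOD_BUFFERED) */
    size_t input_length;
    size_t output_length;
} IOCTL_REQUEST;

/* Vulnerable pattern: trusts that the buffer is present and large enough.
 * A request with no buffer makes system_buffer NULL and this dereferences it;
 * a request shorter than REQUEST_T reads past the end of the pool allocation. */
NTSTATUS_T handle_ioctl_unchecked(const IOCTL_REQUEST *r, uint64_t *out)
{
    const REQUEST_T *req = (const REQUEST_T *)r->system_buffer;
    *out = req->value;
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate presence and length before any access, copy the
 * request out of the shared buffer so later checks see a stable copy, and
 * reject anything that does not match the expected shape. */
NTSTATUS_T handle_ioctl_checked(const IOCTL_REQUEST *r, uint64_t *out)
{
    REQUEST_T req;

    if (r->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;   /* no buffer supplied at all */
    if (r->input_length < sizeof(REQUEST_T))
        return STATUS_BUFFER_TOO_SMALL;    /* caller lied about or omitted the length */

    memcpy(&req, r->system_buffer, sizeof req);
    if (req.magic != REQUEST_MAGIC)
        return STATUS_INVALID_PARAMETER;   /* not a request we recognise */

    *out = req.value;
    return STATUS_SUCCESS;
}

int main(void)
{
    uint64_t out = 0;
    IOCTL_REQUEST empty = { NULL, 0, 0 };            /* constructed: no buffer */
    REQUEST_T good = { REQUEST_MAGIC, 1, 0x1234 };   /* constructed: valid request */
    IOCTL_REQUEST ok = { &good, sizeof good, 0 };

    printf("empty request  -> %d\n", handle_ioctl_checked(&empty, &out));
    printf("valid request  -> %d (value 0x%llx)\n",
           handle_ioctl_checked(&ok, &out), (unsigned long long)out);
    /* handle_ioctl_unchecked(&empty, &out) would crash here, as it would in the kernel. */
    return 0;
}
```

The same length check is what a fuzzer exercises most cheaply: sending every IOCTL code with a zero-length buffer, then with buffers one byte shorter than each expected structure, finds handlers of the unchecked shape without any knowledge of the request format.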
After months of communication with the AMD PSIRT, the assignment of five CVEs has been confirmed, and the date for public disclosure has been established. AMD PSIRT has displayed a commendable response to these security issues and has actively addressed them.
Zeze is a volunteer staff member at HITCON and a security researcher at TeamT5, specializing in Windows security. He has uncovered and reported dozens of CVEs related to the Windows kernel. Zeze is a member of the NTU DCNS Lab and plays in the BambooFox and ⚔️TSJ⚔️ CTF teams. He has also spoken at HITCON 2022, VXCON 2022, and CYBERSEC 2023 on various topics related to the Windows kernel.