f16f82de-1ad0-47d8-a869-2c10ed25d9f1
FH-EtherCAT_DIO.sys 
Description
The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.
- UUID: f16f82de-1ad0-47d8-a869-2c10ed25d9f1
- Created: 2023-11-02
- Author: Takahiro Haruyama
- Acknowledgement: |
This download link contains the vulnerable driver!
Commands
sc.exe create FH-EtherCAT_DIOsys binPath= C:\windows\temp\FH-EtherCAT_DIOsys.sys type=kernel && sc.exe start FH-EtherCAT_DIOsys
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | |
| Creation Timestamp | 2018-05-28 23:01:50 |
| MD5 | eb0a8eeb444033ebf9b4b304f114f2c8 |
| SHA1 | b8d19cd28788ce4570623a5433b091a5fbd4c26d |
| SHA256 | 8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258 |
| Authentihash MD5 | 3fac9a0418f2319fc1b9ddc3fddde14f |
| Authentihash SHA1 | f003d1d1abbb02b0b338aefdca8ea31b92e6b616 |
| Authentihash SHA256 | 039f442ffbda7decaaf1e367db6fc6f28cc73d549527ef5bedf2be8badedbfd7 |
| RichPEHeaderHash MD5 | 01803160bf42f5cb8bc329909f9a7c1a |
| RichPEHeaderHash SHA1 | 8c7dc2739a76bfa9fc36876dbc2cd5302cdb36f6 |
| RichPEHeaderHash SHA256 | ac2d1fd8107533a6331706b2967c0b0a4578fc69906cf04ad78519dbfb770417 |
Imports
Expand
- ntoskrnl.exe
- HAL.DLL
Imported Functions
Expand
- IoDetachDevice
- KeInitializeDpc
- KeInitializeTimer
- IoRegisterDeviceInterface
- KeInitializeEvent
- IoAttachDeviceToDeviceStack
- IoCreateDevice
- IoGetDeviceProperty
- IoDeleteDevice
- memset
- IofCallDriver
- MmUnmapIoSpace
- IoDisconnectInterrupt
- KeCancelTimer
- KeSetTimer
- IoSetDeviceInterfaceState
- IoConnectInterrupt
- DbgPrint
- IofCompleteRequest
- MmMapIoSpace
- RtlAssert
- KeDelayExecutionThread
- ObReferenceObjectByHandle
- ExEventObjectType
- ObfDereferenceObject
- KeWaitForSingleObject
- KeSetEvent
- KeInsertQueueDpc
- WRITE_REGISTER_UCHAR
- WRITE_REGISTER_USHORT
- WRITE_REGISTER_ULONG
- READ_REGISTER_UCHAR
- READ_REGISTER_USHORT
- READ_REGISTER_ULONG
- ExAllocatePoolWithTag
- RtlCopyUnicodeString
- KeTickCount
- ExFreePoolWithTag
- KeStallExecutionProcessor
- KfAcquireSpinLock
- KfReleaseSpinLock
- KeGetCurrentIrql
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- PAGE
- INIT
- .reloc
Signature
Expand
| Property | Value |
|---|---|
| Filename | |
| Creation Timestamp | 2018-05-28 23:01:57 |
| MD5 | 5c55fcfe39336de769bfa258ab4c901d |
| SHA1 | 170a50139f95ad1ec94d51fdd94c1966dbed0e47 |
| SHA256 | ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7 |
| Authentihash MD5 | 48d0dc0f0c7f19a4ad4f923af1b971fd |
| Authentihash SHA1 | 364f53ed52e121182be0e0a21c17c2254894713d |
| Authentihash SHA256 | 5e7b92e6a1f656a70ed56ef2a190fce6bb3f12063b891fbfd722ca4e951de15f |
| RichPEHeaderHash MD5 | 2de13e46d55279d7b416782d6bbc3090 |
| RichPEHeaderHash SHA1 | 1169c889d4f8d66a4ac942e365da0374b00c331e |
| RichPEHeaderHash SHA256 | 0d1ae3144674ac08c57920a12a0b7713a1e74aaa33b0122cf6052746d83767e4 |
Certificates
Expand
Certificate 0a60585e11d143fc61db92bd9370b833
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 0d0c0b9219f7ce087c4a9c1e756b88c8 |
| ToBeSigned (TBS) SHA1 | 2841dd43b7491ce68f777036ff910b70c57efd0f |
| ToBeSigned (TBS) SHA256 | 11fb5faf42812f4c5781a03d9fbb7c8ed7b7786d44cd3bc986ed07d4447a38d3 |
| Subject | ??=JP, ??=Private Organization, serialNumber=1300,01,016824, C=JP, ST=Shiga, L=Kusatsu,city, O=OMRON Corporation, CN=OMRON Corporation |
| ValidFrom | 2017-07-31 00:00:00 |
| ValidTo | 2018-07-31 23:59:59 |
| Signature | 8362ee2339efc4b452de6019f266520f926ffa5ee7db3ec05efb97c42e06be69f1b4834f69e0da8ddc09af08fb9efc56d43007561684066dd7537eefedfc200985c3f3ee0bf7969e755aef4af7f66874c5ac9d791a1168fb2e34076e506bf44e108a69329037284af5a68319423e34164ffafd9688c1fb58e38ea0c6156af531edc3ae2e6de17b5b63076e4362d606882fa9acb385cc9c21af896d49f0bb27aff846dc4a9ddd9b9de1b5eabfb42a3577813f2b3e3af20cd7980ee95bbacd92a3d8aa6a55f1e2357ba826af83aea21df5d60a9225de041acd03da2ae0b46cdbedbaa8fbc400bdabfe687ddd7866fc084b2f95b44de7a87562824de9f028b6ae45 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 0a60585e11d143fc61db92bd9370b833 |
| Version | 3 |
Certificate 191a32cb759c97b8cfac118dd5127f49
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 788b61bd26da89253179e3de2cdb527f |
| ToBeSigned (TBS) SHA1 | 7d06f16e7bf21bce4f71c2cb7a3e74351451bf69 |
| ToBeSigned (TBS) SHA256 | b3c925b4048c3f7c444d248a2b101186b57cba39596eb5dce0e17a4ee4b32f19 |
| Subject | C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2 |
| ValidFrom | 2014-03-04 00:00:00 |
| ValidTo | 2024-03-03 23:59:59 |
| Signature | 3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 191a32cb759c97b8cfac118dd5127f49 |
| Version | 3 |
Certificate 611993e400000000001c
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 78a717e082dcc1cda3458d917e677d14 |
| ToBeSigned (TBS) SHA1 | 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 |
| ToBeSigned (TBS) SHA256 | 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 |
| Subject | C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5 |
| ValidFrom | 2011-02-22 19:25:17 |
| ValidTo | 2021-02-22 19:35:17 |
| Signature | 812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 611993e400000000001c |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
- HAL.DLL
Imported Functions
Expand
- ExFreePoolWithTag
- IoRegisterDeviceInterface
- IoSetDeviceInterfaceState
- IoDeleteDevice
- KeSetEvent
- KeInitializeEvent
- KeInitializeDpc
- KeReleaseSpinLock
- IoDetachDevice
- MmUnmapIoSpace
- KeInitializeTimer
- KeDelayExecutionThread
- ExEventObjectType
- MmMapIoSpace
- KeInsertQueueDpc
- IofCompleteRequest
- IoConnectInterrupt
- ObReferenceObjectByHandle
- KeWaitForSingleObject
- IoAttachDeviceToDeviceStack
- KeSetTimer
- RtlCopyUnicodeString
- ObfDereferenceObject
- IoCreateDevice
- IoDisconnectInterrupt
- RtlAssert
- KeCancelTimer
- IoGetDeviceProperty
- DbgPrint
- IofCallDriver
- KeAcquireSpinLockRaiseToDpc
- KeBugCheckEx
- ExAllocatePoolWithTag
- KeStallExecutionProcessor
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
Signature
Expand
last_updated: 2024-09-26