The Vulnerable Driver and Its Flaws
Security researcher Jehad Abudagga has uncovered a critical weakness in a Lenovo driver called BootRepair.sys, which ships as part of the Lenovo PC Manager utility. This driver is digitally signed by Lenovo and was not detected as malicious on VirusTotal at the time of investigation. The researcher found that the driver does not enforce proper access controls, allowing any user with low privileges to interact with it through exposed symbolic links and a device object.
The driver exposes an IOCTL control code that accepts a process ID as input. The internal routine then calls the Windows kernel function ZwTerminateProcess to kill the specified process. Because no security checks are applied to incoming requests, this gives any user the ability to terminate arbitrary processes, including protected security services and endpoint detection and response (EDR) agents.
Attack Scenarios and Impact
Two primary attack scenarios emerge from this vulnerability. In the first, if BootRepair.sys is already present on a target system, an attacker with low privileges can directly communicate with the driver to terminate antivirus or EDR processes. In the second, the attacker can deploy the signed driver as part of a Bring Your Own Vulnerable Driver (BYOVD) attack, loading it into the kernel to disable security defenses before executing further malicious actions.
In a proof of concept, the researcher demonstrated that even protected processes such as the CrowdStrike Falcon sensor can be terminated after loading this driver. Once security software is disabled, the attacker gains free rein to run post-exploitation tools such as credential dumpers without detection. This attack vector highlights the ongoing risk posed by legitimate, signed drivers that contain security weaknesses: because they are trusted by the platform, they can bypass typical prevention controls.
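The detection opportunity in both scenarios is the same: a load of BootRepair.sys (especially outside its normal Lenovo install location) followed shortly by the termination of a security process. The following is an added example written for this article, not code from the researcher or from Lenovo; it correlates constructed Sysmon-style records (EventID 6 DriverLoad, EventID 5 ProcessTerminate) and assumes placeholder image names for the EDR/AV agents, which you would replace with your own.

```python
from datetime import datetime, timedelta

# Driver name taken from the article; extend with your own vulnerable-driver list.
VULNERABLE_DRIVERS = {"bootrepair.sys"}
# Placeholder image names for your EDR/AV agents (assumption, not from the article).
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}
# How long after a driver load a security-process kill is still considered related.
WINDOW = timedelta(minutes=5)

# Constructed Sysmon-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 6, "time": "2024-01-01T10:00:00", "image": r"C:\Users\Public\BootRepair.sys"},
    {"id": 5, "time": "2024-01-01T10:00:03", "image": r"C:\Program Files\EDR\edr_agent.exe", "pid": 1234},
    {"id": 5, "time": "2024-01-01T10:30:00", "image": r"C:\Windows\System32\notepad.exe", "pid": 4321},
    {"id": 6, "time": "2024-01-01T11:00:00", "image": r"C:\Windows\System32\drivers\storport.sys"},
]


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_byovd_kills(events, window=WINDOW):
    """Return alerts: every vulnerable-driver load (medium) and every security
    process terminated within `window` after such a load (high)."""
    alerts, loads = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        name = basename(ev["image"])
        if ev["id"] == 6 and name in VULNERABLE_DRIVERS:
            loads.append((t, ev))
            alerts.append({"severity": "medium", "rule": "vulnerable_driver_load",
                           "driver": ev["image"]})
        elif ev["id"] == 5 and name in SECURITY_PROCESSES:
            for load_time, load in loads:
                if timedelta(0) <= t - load_time <= window:
                    alerts.append({"severity": "high",
                                   "rule": "security_process_killed_after_driver_load",
                                   "driver": load["image"], "victim": ev["image"],
                                   "victim_pid": ev["pid"],
                                   "seconds_after_load": (t - load_time).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd_kills(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity rule alone already catches the first scenario (driver already present and used by a low-privilege user), since it fires on the load regardless of what follows.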
Source: Cyber Security News
