Disclaimer: I don't know if backdoor or stupidity, but code like that does not belong in a driver, that is for sure. I have not spent the required time to do a full analysis, but by posting this, someone will do it.
also, that driver is involved in sending sound over Remote Desktop. I do not like that there is something custom happening if that file exists when Remote Desktop connections are happening. I do not currently have the required time to do the investigation; maybe it's benign.
and the driver looks like it is exploitable anyway: DosDevices can be controlled by per-profile device mappings. And it appears to create a device by \DosDevices\Global\CnxtAudioDevice, a global symlink you can delete with the DefineDosDevice API and create another link.
but even if exploitable for EoP or for infecting other PCs you connect to, MS do not care about PnP drivers being exploitable. They do not write that in the rules, and when asked they will say: create a full working exploit, do the analysis and create a report, then we will decide what to do
I was stupid enough to do that, just to waste my time on it being out of scope. Submitted to Lenovo and got a CVE at least. By posting here I have done my part; would have liked to have time for analysing it, but I struggle very much with finances, so bounties are top priority
Ohhh, I have an explanation now: it is code made to pass the hardware verification tests for the driver to get signed. But is it allowed to have special-case code when tested and still get signed? https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/audio-device-testing-prerequisites
alright, now knowing this it cuts away 90% of the reverse engineering needed. I am downloading an ISO with the driver certification kit so I can find the test the code is written for. I focused in on this driver because it gave me a BSOD, and that code is a primary suspect
New conversation
What's wrong with the file creation?
it is a driver, running in ring 0; the path is controllable by any user, as it will use the profile's device map. But beyond that, why does a Chinese company want to do something special on my computer if that file exists? There is no good reason for that.