impulsive
@weezerOSINT
Security researcher
90 posts
Joined November 2021
172 Following · 422 Followers

Pinned Tweet
impulsive @weezerOSINT
github.com/magicsword-io/… found a 21KB kernel driver from 2004 built for Windows XP that still loads on Windows 11: ASTRA64.sys by EnTech Taiwan. Signed in 2006, cert expired in 2007, but it's timestamped, so Windows still says "signature verified" 19 years later. The company doesn't exist anymore. 31 IOCTLs with zero validation on anything: arbitrary physmem R/W, port I/O, PCI config R/W, MSR read, interrupt hooking, keyboard injection. No auth gate, no hardware gate, loads on any system with sc.exe. Not on LOLDrivers. Not on the HVCI blocklist. No CVE. Vendor is dead, so you can't even do responsible disclosure; there's nobody to email. Filed an issue @M_haggis
impulsive @weezerOSINT
@vxunderground B- is generous. It's a C for me. Functional but nothing groundbreaking. The operational security on the C2 server was a joke. Besides Zig compilation, and that's just a config choice, not skill.
vx-underground @vxunderground
I don't care what those nerds at Kaspersky say, I stand by my opinion STX Rat is a solid B- malware. Yeah, the cpuid-dot-com operation was a gigantic fumble, but the malware is pretty neat, far superior to the generic crimeware you find online. I'm happy LTT included the cat
impulsive @weezerOSINT
@NotionHQ Why do you guys even bother to have a program if you're not fixing bugs? 2022 duplicate is crazy.
impulsive @weezerOSINT
@teromee It's still in use today; they're still signing off drivers, just unresponsive to support and emails.
teromee @teromee
@weezerOSINT Do you know what this driver was for, or are you posting things about a dead driver from a dead company? Is the driver in use today?
安坂星海 Azaka || VTuber
Them not responding to your email is VERY different from "companies are dead so I can't contact anyone to get it reported".
impulsive @weezerOSINT
@TempAccountNull @kd_tech_ LOLD isn't just a public list; AV/EDR vendors and anti-cheats actively scrape it to update their blocklists. Submitting there gets it blocked across the ecosystem way faster than waiting on Microsoft's update cycle alone.
Nick boi 🌧📲 @TempAccountNull
@weezerOSINT @kd_tech_ Think of disclosures like this: if you upload it to LOLD, sure, it'll be public, but it will not be on the official Microsoft blacklist for a long time. If you responsibly disclose it to the vendor, the vendor will contact the responsible personnel and submit it for invalidation.
impulsive @weezerOSINT
@TempAccountNull @kd_tech_ You should reverse it and submit it to LOLDrivers and MITRE; better to get all these drivers blocked on the next update.
Nick boi 🌧📲 @TempAccountNull
@weezerOSINT @kd_tech_ I have so many of them in my vulnerable folder it's scary. One driver I found, actually signed in 2002, is still vulnerable today. Not even on LOLDrivers.
impulsive @weezerOSINT
github.com/magicsword-io/… found a 25KB WHQL-signed driver from driverscloud.com. It's a French hardware inventory tool people install to check what GPU they have. 7 IOCTLs, zero validation. No security descriptor on the device. FILE_ANY_ACCESS on every IOCTL. Any user can open it: no admin needed, no UAC. Unrestricted wrmsr, no whitelist. Write IA32_LSTAR and every syscall on the system hits your code; the instruction takes single-digit nanoseconds. Arbitrary physmem read up to 2MB per call, MSR read/write, port I/O, PCI config R/W. It wasn't on LOLDrivers. Not on the HVCI blocklist. No CVE. 0/68 on VT.
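The two gates the post above says are missing, worked through as an added example in plain user-mode C (my code, not the page's and not the driverscloud.com tool's). It decodes the Access field of an IOCTL code to show that FILE_ANY_ACCESS is literally zero, so the I/O manager demands no read or write right on the handle before dispatching, and it puts a deny-by-default MSR allow-list in front of a simulated rdmsr so that IA32_LSTAR (0xC0000082) can be neither read nor written. The function number 0x801, the allow-list contents and the simulated MSR values are constructed assumptions.

```c
/*
 * Added example, not code from the page or from the driverscloud.com tool.
 * Models, in plain user-mode C, the two gates the post says are missing:
 *   1. the access bits inside the IOCTL code (CTL_CODE's Access field):
 *      FILE_ANY_ACCESS is 0, so the I/O manager requires no read/write
 *      right on the handle before dispatching the request;
 *   2. an MSR allow-list in front of rdmsr/wrmsr that refuses
 *      IA32_LSTAR (0xC0000082), the syscall entry point.
 * Function number 0x801, the allow-list and the simulated MSR values are
 * constructed assumptions.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* CTL_CODE layout from the Windows DDK headers */
#define METHOD_BUFFERED      0u
#define FILE_ANY_ACCESS      0u
#define FILE_READ_ACCESS     1u
#define FILE_WRITE_ACCESS    2u
#define FILE_DEVICE_UNKNOWN  0x22u
#define CTL_CODE(type, func, method, access) \
    (((type) << 16) | ((access) << 14) | ((func) << 2) | (method))
#define IOCTL_ACCESS_BITS(code) (((code) >> 14) & 0x3u)

/* The same function number two ways: as an inventory tool ships it, and hardened */
#define IOCTL_MSR_WEAK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801u, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_MSR_HARD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801u, METHOD_BUFFERED, \
                                FILE_READ_ACCESS | FILE_WRITE_ACCESS)

#define IA32_LSTAR        0xC0000082u  /* syscall entry: write it and every syscall hits your code */
#define IA32_THERM_STATUS 0x0000019Cu
#define MSR_PLATFORM_INFO 0x000000CEu

/* True when the I/O manager refuses handles not opened for read+write. This only
 * bites if the device object also carries a restrictive security descriptor
 * (e.g. SDDL_DEVOBJ_SYS_ALL_ADM_ALL passed to IoCreateDeviceSecure). */
bool ioctl_requires_rw_handle(uint32_t code) {
    return IOCTL_ACCESS_BITS(code) == (FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}

/* Deny by default: a few read-only MSRs an inventory tool plausibly needs and
 * nothing writable at all. Constructed list. */
static const uint32_t k_msr_read_allow[] = { IA32_THERM_STATUS, MSR_PLATFORM_INFO };

bool msr_access_allowed(uint32_t msr, bool write) {
    if (write) return false;
    for (size_t i = 0; i < sizeof k_msr_read_allow / sizeof k_msr_read_allow[0]; i++)
        if (k_msr_read_allow[i] == msr) return true;
    return false;
}

/* Request layout in the IOCTL input buffer */
typedef struct { uint32_t msr; uint32_t write; uint64_t value; } MSR_REQ;

/* Simulated register file standing in for rdmsr (constructed values) */
static uint64_t sim_rdmsr(uint32_t msr) {
    switch (msr) {
    case IA32_THERM_STATUS: return 0x88400000ull;
    case MSR_PLATFORM_INFO: return 0x80838f3012300ull;
    default:                return 0;
    }
}

static uint64_t g_last_read;

/* Hardened handler: validate the buffer before touching it, then the MSR index */
uint32_t msr_request(const void *in, uint32_t in_len, uint64_t *out_value) {
    MSR_REQ req;
    if (in == NULL || in_len < sizeof req) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof req);
    if (req.write > 1) return STATUS_INVALID_PARAMETER;
    if (!msr_access_allowed(req.msr, req.write != 0)) return STATUS_ACCESS_DENIED;
    /* Only allow-listed reads reach here; this interface never issues wrmsr */
    g_last_read = sim_rdmsr(req.msr);
    if (out_value) *out_value = g_last_read;
    return STATUS_SUCCESS;
}

/* Convenience: build a well-formed request the way a caller would */
uint32_t msr_try(uint32_t msr, bool write, uint64_t value) {
    MSR_REQ req = { msr, write ? 1u : 0u, value };
    return msr_request(&req, sizeof req, NULL);
}

uint64_t msr_last_read(void) { return g_last_read; }
```

The access bits only help once the device object itself is protected; with no security descriptor on the device, any user can open it for read and write and the I/O manager's check passes trivially, which is why the allow-list in the driver is the gate that actually matters.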
impulsive @weezerOSINT
Hello, just to clear up any miscommunication: I have already attempted to reach out via the Astra32 website and EnTech; they have not responded.
impulsive @weezerOSINT
@h1ghju1ce I already attempted contact through email and support on both the EnTech and Astra32 websites. They're not responsive.
impulsive @weezerOSINT
@BlackSnufkin42 I'm here to burn them all; I've made like 10 LOLDrivers issues this week 😭
impulsive @weezerOSINT
@thomasklemenc Already emailed them; they did not respond. Already tried to submit via the website before disclosure. Thank you ❤️
impulsive @weezerOSINT
@assemblydevyt They don't have a formal bug bounty program; everything was handled through email. They assessed it themselves and called it low impact, even though they were patching endpoints live back and forth while we were emailing.
0xFF assemblydev(%rip) @assemblydevyt
@weezerOSINT They lowballed the hell out of your work. Sorry to see that. I guess it's better than nothing. What are the guidelines they follow to balance your reward?
impulsive @weezerOSINT
@LowLevelTweets dropping a model built for vuln research and then telling vuln researchers they can't have it is crazy work
Low Level @LowLevelTweets
They called it Mythos because no one's ever gonna see it. They're literally trying to rage-bait us.
impulsive @weezerOSINT
if you don’t have more than 4 monitors, you’re not locked in.
impulsive @weezerOSINT
github.com/magicsword-io/… disclosed SIVX64.sys to the developer. His response: "programs need SeLoadDriverPrivilege so it's not a real issue". That's literally how BYOVD works: the attacker already has admin 😭; they bring your signed driver to get kernel R/W that admin can't do on its own. He also pointed to his MSR whitelist but ignored the actual vuln: cmds 0x10/0x13/0x14 give unrestricted arbitrary physical memory R/W with zero validation. LOLDrivers issue up here @M_haggis
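The primitive that both the pinned ASTRA64.sys post and the SIVX64.sys post above describe, an IOCTL that hands the caller arbitrary physical memory with no validation, worked through as an added example in plain user-mode C (my code, not the page's, not EnTech's and not the SIVX64 developer's). The vulnerable handler copies whatever {address, length} the caller sends; the hardened one beside it checks the input and output buffer lengths, rejects address arithmetic that wraps, caps the transfer and only serves a product-specific allow-list of physical ranges. Physical memory is a constructed 64 KiB array, the allowed window 0x8000-0x9000 and the seeded contents are assumptions, and the request and context structs are a model of what METHOD_BUFFERED hands a WDM driver rather than the real IRP.

```c
/*
 * Added example, not code from the page, from EnTech, or from the SIVX64
 * developer. A plain user-mode C model of the dispatch path for an
 * "arbitrary physical memory read" IOCTL, the primitive ASTRA64.sys
 * (31 unvalidated IOCTLs) and SIVX64.sys (cmds 0x10/0x13/0x14) are said to
 * expose. Physical memory is a constructed 64 KiB array and the allowed
 * window is an assumption.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

#define PHYS_SIZE 0x10000u
static uint8_t g_phys[PHYS_SIZE];          /* stand-in for physical memory */

/* Request the caller places in the IOCTL input buffer */
typedef struct { uint64_t phys_addr; uint32_t length; } PHYSMEM_READ_REQ;

/* Model of what METHOD_BUFFERED hands a WDM driver: one SystemBuffer shared by
 * input and output, plus the two lengths from the current IRP stack location. */
typedef struct { void *system_buffer; uint32_t input_length; uint32_t output_length; } IOCTL_CTX;

/* Vulnerable: no length check, no range check, no overflow check. Whoever can
 * open the device reads any physical page. */
uint32_t physmem_read_vulnerable(IOCTL_CTX *ctx, uint32_t *bytes_returned) {
    PHYSMEM_READ_REQ req;
    memcpy(&req, ctx->system_buffer, sizeof req);
    /* also overruns the caller's buffer whenever length > output_length */
    memcpy(ctx->system_buffer, g_phys + req.phys_addr, req.length);
    *bytes_returned = req.length;
    return STATUS_SUCCESS;
}

/* Constructed allow-list: the one range this product needs (say, a firmware
 * table it inventories). A real driver derives it from what it enumerates. */
#define ALLOWED_PHYS_BASE 0x8000u
#define ALLOWED_PHYS_END  0x9000u   /* exclusive */
#define MAX_READ_BYTES    0x400u

uint32_t physmem_read_hardened(IOCTL_CTX *ctx, uint32_t *bytes_returned) {
    PHYSMEM_READ_REQ req;
    *bytes_returned = 0;
    if (ctx->system_buffer == NULL || ctx->input_length < sizeof req)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, ctx->system_buffer, sizeof req);
    if (req.length == 0 || req.length > MAX_READ_BYTES)
        return STATUS_INVALID_PARAMETER;
    if (req.phys_addr > UINT64_MAX - req.length)          /* addr + length would wrap */
        return STATUS_INVALID_PARAMETER;
    if (req.phys_addr < ALLOWED_PHYS_BASE || req.phys_addr + req.length > ALLOWED_PHYS_END)
        return STATUS_ACCESS_DENIED;
    if (ctx->output_length < req.length)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(ctx->system_buffer, g_phys + req.phys_addr, req.length);
    *bytes_returned = req.length;
    return STATUS_SUCCESS;
}

/* ---- harness playing the user-mode caller ---------------------------------- */
/* The caller's buffer; the harness keeps lengths <= 64 so the vulnerable path
 * stays defined in this demo. */
static uint8_t g_io_buf[64];

static void seed_phys(void) {
    static bool seeded;
    if (seeded) return;
    memcpy(g_phys + 0x100,  "SECRET!!", 8);   /* kernel data the tool has no business reading */
    memcpy(g_phys + 0x8000, "INVENTRY", 8);   /* the data the product actually needs */
    seeded = true;
}

/* Send one request through either handler and return its status */
uint32_t run_request(bool hardened, uint64_t phys_addr, uint32_t length,
                     uint32_t input_length, uint32_t output_length) {
    PHYSMEM_READ_REQ req = { phys_addr, length };
    uint32_t returned = 0;
    IOCTL_CTX ctx = { g_io_buf, input_length, output_length };
    seed_phys();
    memset(g_io_buf, 0, sizeof g_io_buf);
    memcpy(g_io_buf, &req, sizeof req);
    return hardened ? physmem_read_hardened(&ctx, &returned)
                    : physmem_read_vulnerable(&ctx, &returned);
}

/* Contents of the caller's buffer after the last request */
const uint8_t *last_output(void) { return g_io_buf; }
```

The point the SIVX64 reply misses is visible in the hardened version: none of its checks ask who the caller is. An admin-only gate or SeLoadDriverPrivilege does nothing against BYOVD, because the attacker already has both; what removes the primitive is refusing to serve any physical address the product does not itself need.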