Dell DBUtilDrv2.sys Memory Protection Modifier

Disclosed: N/A
Created: Dec 22, 2021

Description

Dell DBUtilDrv2.sys driver versions 2.5 and 2.7 contain a write-what-where condition
that allows an attacker to read and write arbitrary kernel-mode memory. This module
installs the provided driver, enables or disables LSA protection on the provided
PID, and then removes the driver. This allows, for example, dumping LSASS memory
even when Secure Boot is enabled, or preventing antivirus from accessing the memory
of a chosen PID.

The affected drivers are not distributed with Metasploit. You will truly need to
Bring Your Own (Dell) Driver.
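Because the module's effect depends on loading and then removing a signed but vulnerable driver, the load/unload pattern is what a defender can look for. The following is an added example, not code from this module or from Metasploit: it runs a small detection over constructed Sysmon-style log lines (the key=value format is invented for the example; only the event IDs are real Windows identifiers: Sysmon 6 is DriverLoad, Sysmon 1 is ProcessCreate, System 7045 is "a new service was installed"). It flags any load of DBUtilDrv2.sys, a load from outside the standard driver directory, and an install of the driver service that is deleted again within a short window. The assumption that removal shows up as an `sc delete` process creation is the example's own; a real removal may use a different API, so correlate with service-registry changes as well.

```python
"""Detect the install/load/remove pattern of the vulnerable Dell DBUtilDrv2.sys
driver from Sysmon-style events. Added example for this page, not Metasploit code.
The log format is constructed; event IDs 6 (Sysmon DriverLoad), 1 (Sysmon
ProcessCreate) and 7045 (System: new service installed) are real."""
import re
from datetime import datetime, timedelta

# Driver named on the page as vulnerable in versions 2.5 and 2.7.
VULNERABLE_DRIVER = "dbutildrv2.sys"
# Where a legitimately installed driver is normally expected to live.
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample log: WS01 shows the transient install/load/remove sequence,
# WS02 shows a plain load from the standard driver directory.
SAMPLE_LOG = """
2021-12-22T10:00:01Z host=WS01 event=7045 service=DBUtilDrv2 image=C:\\Windows\\Temp\\DBUtilDrv2.sys start=demand
2021-12-22T10:00:02Z host=WS01 event=6 image=C:\\Windows\\Temp\\DBUtilDrv2.sys signer=Dell signed=true
2021-12-22T10:00:03Z host=WS01 event=1 image=C:\\Windows\\System32\\sc.exe cmdline="sc.exe delete DBUtilDrv2"
2021-12-22T10:30:00Z host=WS02 event=6 image=C:\\Windows\\System32\\drivers\\dbutildrv2.sys signer=Dell signed=true
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SC_DELETE_RE = re.compile(r'\bsc(?:\.exe)?\s+delete\s+(\S+)', re.IGNORECASE)


def parse_line(line):
    """Turn 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, rest = line.strip().split(" ", 1)
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def detect(lines, window=timedelta(minutes=10)):
    """Return (host, rule, timestamp) findings for the DBUtilDrv2.sys pattern."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    installs = {}  # (host, service name) -> time the driver service was installed
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("event")
        image = ev.get("image", "").lower()
        basename = image.rsplit("\\", 1)[-1]
        if eid == "6" and basename == VULNERABLE_DRIVER:
            # Any load of the known-vulnerable driver is worth a look; the file
            # name does not reveal the version, so baseline legitimate Dell installs.
            findings.append((host, "vulnerable_driver_loaded", ev["ts"]))
            if not image.startswith(STANDARD_DRIVER_DIRS):
                findings.append((host, "unusual_driver_path", ev["ts"]))
        elif eid == "7045" and basename == VULNERABLE_DRIVER:
            installs[(host, ev.get("service", "").lower())] = ev["ts"]
        elif eid == "1":
            # Assumed removal signal for the example: an 'sc delete <service>'.
            m = SC_DELETE_RE.search(ev.get("cmdline", ""))
            if m:
                key = (host, m.group(1).lower())
                if key in installs and ev["ts"] - installs[key] <= window:
                    findings.append((host, "transient_driver_service", ev["ts"]))
    return findings


if __name__ == "__main__":
    for host, rule, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {host} {rule}")
```

On the sample data WS01 produces three findings (vulnerable driver loaded, loaded from a Temp path, and a service that existed for only seconds), while WS02 produces one. The transient-service rule is the most specific to the behaviour described above; the plain-load rule is noisier on fleets that ship the Dell driver legitimately, which is why it is kept separate.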

Authors

SentinelLabs
Kasif Dekel
Red Cursor
Jacob Baines

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use post/windows/manage/dell_memory_protect
msf post(dell_memory_protect) > show actions
...actions...
msf post(dell_memory_protect) > set ACTION <action-name>
msf post(dell_memory_protect) > show options
...show and set options...
msf post(dell_memory_protect) > run
