"People that write Ring 0 code and write it badly are a danger to society." - Mickey Shkatov
In our analysis of CVE-2021-21551, a write-what-where vulnerability (see CWE-123) in a Dell driver, we found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users. There is no security boundary between an administrator and the Windows kernel, according to the Microsoft Security Servicing Criteria for Windows. Because the write-what-where condition persists in the follow-on drivers, dbutildrv2.sys 2.5 and 2.7, Dell has delivered three unique signed drivers that can execute attacker code in kernel mode.
Connor McGarr demonstrated that Dell’s dbutil_2_3.sys (which is vulnerable to CVE-2021-21551) can be used to execute attacker code in kernel mode. The Dell drivers discussed below should be able to facilitate these types of attacks.
Stryker, DSEFix, and TDL are all deprecated or in read-only mode. Notably, Stryker and DSEFix run afoul of PatchGuard and are no longer suitable for most situations. KDU, a tool that supports more than 14 different vulnerable drivers as the “provider,” is the unsigned driver loader of choice.
Once the attacker has loaded their unsigned driver into the kernel, they can accomplish a wide variety of tasks they wouldn’t be able to otherwise. Some obvious examples include unhooking EDR callbacks or hiding exploitation/rootkit artifacts. The attacker can write themselves a UEFI rootkit. Or just overwrite all data (resulting in BSoD).
The previously mentioned attacks largely focused on executing code in kernel mode. However, BYOVD also enables a simpler data-oriented attack that allows the attacker to subvert LSA protection. LSA protection prevents non-protected processes from reading the memory of, or injecting code into, Windows' Local Security Authority Subsystem Service (lsass.exe).
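Because the vulnerable Dell drivers are validly signed, signature enforcement alone does not stop them; the practical defensive control is watching driver-load telemetry for the signed "provider" driver itself (the unsigned payload that a loader such as KDU brings in is typically mapped manually rather than loaded through the normal driver-load path, so it is the provider load that shows up). The following is an added example, not code from the original post or from Rapid7, Dell or the KDU project: it evaluates Sysmon Event ID 6 ("Driver loaded") records, supplied here as constructed Python dicts, against a denylist of known vulnerable drivers and also flags unsigned loads and loads from user-writable paths. The field names (ImageLoaded, Hashes, Signed, SignatureStatus) are Sysmon's; the SHA256 values, file paths and signer strings below are constructed placeholders, not real indicators.

```python
"""Flag Sysmon driver-load events that look like a BYOVD attempt (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Driver file names mentioned in the post. The attacker controls the file
# name, so a name match on its own is only medium-confidence evidence.
KNOWN_VULNERABLE_NAMES = {"dbutil_2_3.sys", "dbutildrv2.sys"}

# PLACEHOLDER SHA256 values (constructed, not real indicators). A real
# deployment loads these from a maintained source such as the Microsoft
# vulnerable driver blocklist or an internal denylist.
KNOWN_VULNERABLE_SHA256 = {
    "00" * 31 + "01",  # placeholder for dbutil_2_3.sys
    "00" * 31 + "02",  # placeholder for dbutildrv2.sys 2.5
    "00" * 31 + "03",  # placeholder for dbutildrv2.sys 2.7
}

# Heuristic: path fragments a legitimate driver is not normally loaded from.
SUSPICIOUS_PATH_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    image: str


def parse_hashes(hashes_field: str) -> dict[str, str]:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    hashes: dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def evaluate_driver_load(event: dict[str, str]) -> list[Finding]:
    """Return findings for one Sysmon Event ID 6 record given as a dict."""
    findings: list[Finding] = []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    # Strongest signal: the hash is on the denylist. These drivers are validly
    # signed, so a signature check alone never catches this case.
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append(Finding("high", "hash matches known vulnerable driver", image))
    elif name in KNOWN_VULNERABLE_NAMES:
        findings.append(Finding("medium", "file name matches known vulnerable driver", image))

    # A driver that is not validly signed should not load at all with driver
    # signature enforcement on; seeing one load is itself worth an alert.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding("high", "driver is not validly signed", image))

    if any(marker in image.lower() for marker in SUSPICIOUS_PATH_MARKERS):
        findings.append(Finding("low", "driver loaded from a user-writable location", image))
    return findings


def highest_severity(findings: list[Finding]) -> str | None:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default=None)


# Constructed sample records in the shape of Sysmon Event ID 6 data.
SAMPLE_EVENTS = [
    {   # signed vulnerable driver dropped into a temp directory
        "UtcTime": "2021-12-01 10:00:00.000",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\dbutil_2_3.sys",
        "Hashes": "SHA256=" + "00" * 31 + "01",
        "Signed": "true", "Signature": "Example Vendor (placeholder)", "SignatureStatus": "Valid",
    },
    {   # ordinary inbox driver load, should produce no findings
        "UtcTime": "2021-12-01 10:00:01.000",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
        "Hashes": "SHA256=" + "ab" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # renamed copy of a vulnerable driver: the name check misses it, the hash check does not
        "UtcTime": "2021-12-01 10:00:02.000",
        "ImageLoaded": "C:\\ProgramData\\update\\drv.sys",
        "Hashes": "SHA256=" + "00" * 31 + "02",
        "Signed": "true", "Signature": "Example Vendor (placeholder)", "SignatureStatus": "Valid",
    },
]


def scan(events: list[dict[str, str]]) -> list[tuple[str, list[Finding]]]:
    """Return (UtcTime, findings) for every event that produced at least one finding."""
    results = [(e.get("UtcTime", ""), evaluate_driver_load(e)) for e in events]
    return [(ts, f) for ts, f in results if f]


if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_EVENTS):
        print(ts, highest_severity(findings), [f.reason for f in findings])
```

Hash matching is deliberately ranked above name matching: the post points out that Dell has shipped three distinct signed drivers with the same flaw, and an attacker can rename any of them, so a name-only rule is easy to sidestep while a hash denylist is not. The path heuristic is low severity on purpose; it exists to add context to a hash or signature hit, not to alert on its own.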