More information about Crowdstrike
When I wrote my first post about Crowdstrike, I had a feeling that it was not as simple as it looked. My initial assumption was that their driver had a bug, but I have the following issues with this assumption:
- How could they deploy a new driver to so many computers and never see any issues, if this driver prevents Windows from starting up?
- How can a driver update itself? Technically it is possible, but I have never heard of it. Keep in mind that updating the driver from a user-mode application could be a potential vulnerability.
- Also, I was thinking about how the driver could detect a crash during Windows startup and switch to some kind of safe mode to avoid this problem in the first place. But that also looks like a vulnerability: all you need to do to disable the driver is force it into this mode.
But it turns out that the company developing Crowdstrike didn't update the driver. What they did was way worse. The driver is just an engine, and it downloads a definition file that tells it what to do. So effectively the definition contains commands that the driver executes.
So you can test the driver all you want and everything will be fine. You can even have it verified by an independent lab, as with WHQL certification. All you need is a safe definition file. But later it will receive different files and will do completely different things.
Some people state that it looks like the definition file was corrupted on download and that this triggered a crash in the driver. This model explains why nobody saw this during internal testing. It also explains why the driver does not update itself and just downloads definitions: this is certainly way easier than updating the driver itself.
But it also shows how easily they could recover if Windows crashes during startup. If Windows crashes during the first boot after updating definitions, just switch back to the previous definition, the one that survived a restart. Very easy and simple.
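The two mechanisms described above (an engine that acts on whatever a downloaded definition file contains, and a fallback to the last definition that survived a boot) can be sketched in C. This is an added example written for this page, not CrowdStrike's code and not their file format; it assumes a hypothetical definition layout (magic, version, entry count, checksum, then fixed-size entries), a hypothetical checksum, and hypothetical slot bookkeeping. It shows the two checks a practitioner would want: every length taken from the file is validated against the number of bytes actually received before the engine acts on a single entry, so a truncated or corrupted download is rejected rather than dereferenced; and the "attempted" marker for a new definition is recorded before that definition is used, so a crash during the first boot leaves evidence that the next boot can act on.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical definition-file layout used only for this example (an assumption,
 * not any vendor's real content format): a fixed header followed by
 * entry_count fixed-size "commands" that the engine would act on. */
#define DEF_MAGIC   0x46454443u   /* "CDEF" */
#define MAX_ENTRIES 1024u

struct def_header { uint32_t magic; uint32_t version; uint32_t entry_count; uint32_t checksum; };
struct def_entry  { uint32_t opcode; uint32_t operand; };

enum def_status { DEF_OK = 0, DEF_TOO_SHORT, DEF_BAD_MAGIC, DEF_TOO_MANY, DEF_TRUNCATED, DEF_BAD_CHECKSUM };

/* Simple additive checksum: catches the "corrupted on download" case.
 * It does NOT catch deliberate tampering; only a signature over the file does. */
static uint32_t def_checksum(const struct def_entry *e, uint32_t n)
{
    uint32_t sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += e[i].opcode * 31u + e[i].operand;
    return sum;
}

/* Validate a downloaded blob before the engine executes a single entry. Every
 * length derived from the file is checked against len, the size actually received. */
enum def_status def_validate(const uint8_t *buf, size_t len,
                             struct def_entry *out, uint32_t *out_count)
{
    struct def_header h;
    if (len < sizeof h) return DEF_TOO_SHORT;
    memcpy(&h, buf, sizeof h);                              /* copy: buf may be unaligned */
    if (h.magic != DEF_MAGIC) return DEF_BAD_MAGIC;
    if (h.entry_count > MAX_ENTRIES) return DEF_TOO_MANY;   /* bounds out[] and the size math below */
    size_t need = sizeof h + (size_t)h.entry_count * sizeof(struct def_entry);
    if (len < need) return DEF_TRUNCATED;                   /* header promises more than we received */
    memcpy(out, buf + sizeof h, h.entry_count * sizeof(struct def_entry));
    if (def_checksum(out, h.entry_count) != h.checksum) return DEF_BAD_CHECKSUM;
    *out_count = h.entry_count;
    return DEF_OK;
}

/* Boot-survival bookkeeping for the rollback idea. A definition is "confirmed" only
 * after user mode reports that the system booted with it. The attempt counter is
 * persisted BEFORE the definition is used, so a crash during that first boot leaves
 * attempts == 1 and confirmed == 0, and the next boot skips the slot. */
struct def_slot { uint32_t version; uint32_t attempts; int confirmed; };

int def_select(const struct def_slot *slots, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        int usable = slots[i].confirmed || slots[i].attempts == 0;   /* proven good, or never tried */
        if (usable && (best < 0 || slots[i].version > slots[best].version))
            best = i;
    }
    return best;   /* index of the definition to load, or -1 if none is usable */
}

void def_mark_attempt(struct def_slot *s) { s->attempts++; }    /* write to disk before loading */
void def_confirm(struct def_slot *s)      { s->confirmed = 1; } /* called after a successful boot */

/* Build a well-formed file in a caller buffer (constructed sample data). Returns bytes written. */
size_t def_build(uint8_t *buf, uint32_t version, const struct def_entry *e, uint32_t n)
{
    struct def_header h = { DEF_MAGIC, version, n, def_checksum(e, n) };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, e, n * sizeof *e);
    return sizeof h + n * sizeof *e;
}

int main(void)
{
    struct def_entry cmds[2] = { {1, 0x10}, {2, 0x20} };   /* constructed sample commands */
    uint8_t file[sizeof(struct def_header) + MAX_ENTRIES * sizeof(struct def_entry)];
    size_t n = def_build(file, 7, cmds, 2);
    struct def_entry parsed[MAX_ENTRIES];
    uint32_t count = 0;

    printf("intact:    %d\n", def_validate(file, n, parsed, &count));     /* 0 = DEF_OK */
    printf("truncated: %d\n", def_validate(file, n - 3, parsed, &count)); /* DEF_TRUNCATED */
    file[sizeof(struct def_header)] ^= 0xFF;                              /* simulate corruption */
    printf("corrupted: %d\n", def_validate(file, n, parsed, &count));     /* DEF_BAD_CHECKSUM */

    struct def_slot slots[2] = { {6, 1, 1}, {7, 0, 0} };   /* v6 proven good, v7 just downloaded */
    int i = def_select(slots, 2);                          /* picks v7: it gets one try */
    def_mark_attempt(&slots[i]);                           /* persisted, then the box crashes */
    printf("after crash: load slot %d\n", def_select(slots, 2)); /* 0: back to confirmed v6 */
    return 0;
}
```

Two design points matter here. First, the attempt counter must reach disk before the new definition is acted on; marking it afterwards would mean a crash leaves no trace and the same file is loaded again on every boot. Second, a checksum only separates an intact file from a mangled one; deciding whether a bad file was corrupted in transit or altered on purpose needs a signature verified by the engine before any entry is executed.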
Moreover, I'm now not sure that it is just a simple bug or misconfiguration. To me, it feels like somebody did it intentionally and probably attacked a server that hosts the definition files. I know that everybody makes mistakes, but this one looks too perfect. Of course, it is just a feeling and I could be wrong here.