Talos Vulnerability Report

TALOS-2021-1436

NVIDIA nvwgf2umx_cfg.dll shader DCL_INDEXRANGE memory corruption vulnerability

May 17, 2022
CVE Number

CVE-2022-28182

Summary

A memory corruption vulnerability exists in the shader DCL_INDEXRANGE functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A specially crafted executable/shader file can lead to memory corruption. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).

Tested Versions

NVIDIA D3D10 Driver 496.76, 30.0.14.9676

Product URLs

D3D10 Driver - https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They are used to communicate between the operating system and the GPU device. In most cases this software is required for the hardware device to function properly.

We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software (for example, those running an older version of Windows Server).

This vulnerability can be triggered by supplying a malformed hull shader, which leads to a memory corruption problem in the NVIDIA driver. By modifying one of the operands of the DCL_INDEXRANGE instruction, which declares a range of registers that will be accessed by index (an integer computed in the shader), it is possible to cause memory corruption.

00007FFB1299ED70 | 48:8B8B E0120000         | mov rcx,qword ptr ds:[rbx+12E0]                  |
...
00007FFB1299EDEA | 66:0F1F4400 00           | nop word ptr ds:[rax+rax],ax                     |
00007FFB1299EDF0 | 48:8B8B E0120000         | mov rcx,qword ptr ds:[rbx+12E0]                  |
00007FFB1299EDF7 | 8BD0                     | mov edx,eax                                      |
00007FFB1299EDF9 | FFC0                     | inc eax                                          |
00007FFB1299EDFB | 6644:899451 90060000     | mov word ptr ds:[rcx+rdx*2+690],r10w             |    MEM OVERWRITE
00007FFB1299EE04 | 41:3BC0                  | cmp eax,r8d                                      |
00007FFB1299EE07 | 75 E7                    | jne nvwgf2umx.7FFB1299EDF0                       |
00007FFB1299EE09 | FFC7                     | inc edi                                          |
00007FFB1299EE0B | 48:83C6 02               | add rsi,2                                        |
00007FFB1299EE0F | 41:3BFF                  | cmp edi,r15d                                     |
00007FFB1299EE12 | 0F82 58FFFFFF            | jb nvwgf2umx.7FFB1299ED70                        |

The R15D register at 0x7FFB1299EE0F holds the maximum number of loop iterations, and EDI is the loop counter. Inside that loop there is a nested loop spanning 0x7FFB1299EDF0-0x7FFB1299EE07. An attacker can control the maximum iteration count, which leads to an arbitrary memory write at 0x7FFB1299EDFB.
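As an added illustration of the loop-bound problem described above, and of the DCL_INDEXRANGE register-range declaration described earlier, here is a small C model written for this page (it is not NVIDIA driver code): a fixed-capacity table of index-addressable registers is filled from a shader-supplied range, with the unchecked loop shown beside a version that validates the range before any write. The table capacity, struct names and field layout are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the driver-side state: a fixed-capacity table of
 * registers that a shader may address by a computed index. The capacity,
 * the struct layout and the names are assumptions made for this example. */
#define MAX_INDEXED_REGS 64u

typedef struct {
    uint16_t slots[MAX_INDEXED_REGS];
    uint32_t used;          /* highest slot written so far, plus one */
} reg_range_table;

/* Hypothetical decoded form of a DCL_INDEXRANGE declaration. Both fields
 * come straight from the untrusted shader bytecode. */
typedef struct {
    uint32_t first_reg;
    uint32_t count;
} index_range_decl;

/* Pattern to avoid: the loop bound is taken from the shader without being
 * compared to the table capacity, so a large count walks past slots[].
 * Shown only for contrast; nothing in this example calls it. */
void fill_index_range_unchecked(reg_range_table *t, const index_range_decl *d, uint16_t tag)
{
    for (uint32_t i = 0; i < d->count; i++)
        t->slots[d->first_reg + i] = tag;   /* out-of-bounds write when count is too large */
}

/* Validate every bound before any write happens. The last comparison is
 * written as count <= capacity - first_reg rather than first_reg + count <=
 * capacity so that a huge count cannot wrap the sum back into range. */
static bool index_range_is_valid(const index_range_decl *d)
{
    if (d->count == 0)
        return false;                          /* empty range: malformed */
    if (d->first_reg >= MAX_INDEXED_REGS)
        return false;                          /* starts past the table */
    return d->count <= MAX_INDEXED_REGS - d->first_reg;
}

/* Hardened fill: reject the declaration up front instead of letting the
 * shader-supplied bound drive the write address. */
static bool fill_index_range(reg_range_table *t, const index_range_decl *d, uint16_t tag)
{
    if (!index_range_is_valid(d))
        return false;
    for (uint32_t i = 0; i < d->count; i++)
        t->slots[d->first_reg + i] = tag;
    if (d->first_reg + d->count > t->used)     /* cannot overflow: validated above */
        t->used = d->first_reg + d->count;
    return true;
}

/* Apply one declaration to a zeroed table and return how many slots were
 * written: 0 means the declaration was rejected and nothing was touched. */
static uint32_t slots_written_for(uint32_t first_reg, uint32_t count)
{
    reg_range_table t;
    index_range_decl d = { first_reg, count };
    memset(&t, 0, sizeof t);
    if (!fill_index_range(&t, &d, 1))
        return 0;
    uint32_t n = 0;
    for (uint32_t i = 0; i < MAX_INDEXED_REGS; i++)
        n += t.slots[i];
    return n;
}

int main(void)
{
    /* Constructed declarations: two in range, the rest malformed. */
    const uint32_t cases[][2] = {
        { 0, 8 }, { 60, 4 }, { 60, 5 }, { 64, 1 }, { 0, 0 },
        { 1, 0xFFFFFFFFu }, { 0xFFFFFFFFu, 2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("first=%u count=%u -> slots written: %u\n",
               cases[i][0], cases[i][1], slots_written_for(cases[i][0], cases[i][1]));
    return 0;
}
```

The check is deliberately done once, before the loop, with the subtraction form of the bound so that a count near UINT32_MAX cannot make first_reg + count wrap to a small value; the out-of-range and wrapping cases are all rejected and leave the table untouched.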

nvwgf2umx+0x6edfb:
00007ffb`1299edfb 664489945190060000 mov   word ptr [rcx+rdx*2+690h],r10w ds:00000298`c51df000=????
0:015> r
rax=0000000000018af9 rbx=00000298c51ab170 rcx=00000298c51ad380
rdx=0000000000018af8 rsi=00000000000007aa rdi=000000000000008d
rip=00007ffb1299edfb rsp=000000e2181eefe0 rbp=0000000000001025
 r8=0000000000000084  r9=0000000000000000 r10=0000000000000080
r11=00000298c51addb0 r12=0000000000000000 r13=0000000000000600
r14=00000298c51ae3b0 r15=00000000aaaa0086

Crash Information

0:015> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.Sec
	Value: 0

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on IAMLEGION

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 32

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 76

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 75463

	Key  : Timeline.Process.Start.DeltaSec
	Value: 83


NTGLOBALFLAG:  470

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffb1299edfb (nvwgf2umx+0x000000000006edfb)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000298c51df000
Attempt to write to address 00000298c51df000

FAULTING_THREAD:  000040f8

PROCESS_NAME:  POC_EXEC11.exe

WRITE_ADDRESS:  00000298c51df000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000298c51df000

STACK_TEXT:  
000000e2`181eefe0 00007ffb`12c61573 : 00000298`c51ab170 00000000`c51ad05b 000000e2`181ef130 00000000`00000000 : nvwgf2umx+0x6edfb
000000e2`181ef030 00007ffb`12c61a4f : 00000000`00000000 00000000`00000000 00000298`c51ab170 00000298`c7184d10 : nvwgf2umx!NVDEV_Thunk+0x4d933
000000e2`181ef4f0 00007ffb`129eb0b0 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4de0f
000000e2`181ef5b0 00007ffb`129ec686 : 00000298`c71a7f20 00000000`7ffe0385 00000000`00000015 00007ffb`65aee683 : nvwgf2umx+0xbb0b0
000000e2`181ef6b0 00007ffb`12d808e5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
000000e2`181efb20 00007ffb`12d80698 : 00000000`00000000 00000298`c70c0d80 00000000`00000003 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
000000e2`181efc30 00007ffb`12e9f87c : 00000298`c7122e60 00000000`00000000 00000298`c7122e60 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16ca58
000000e2`181efce0 00007ffb`13c18d58 : 00000000`00000000 00000000`00000000 00000298`c7180850 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
000000e2`181efd30 00007ffb`64e67034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
000000e2`181efd60 00007ffb`65b02651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e2`181efd90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx+6edfb

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~15s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!Unknown

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4468a1dc-4a01-79b1-d906-401b585901d4}

Followup:     MachineOwner
---------

Timeline

2022-01-13 - Vendor Disclosure
2022-05-16 - Vendor Patch Release
2022-05-17 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.