Talos Vulnerability Report

TALOS-2023-1719

NVIDIA D3D10 Driver Shader Functionality undeclared dcl_output memory corruption vulnerability

August 10, 2023
CVE Number

CVE-2022-34671

SUMMARY

A memory corruption vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824. A specially crafted executable or shader file referencing an undeclared dcl_output can lead to memory corruption. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as previously demonstrated (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824

PRODUCT URLS

D3D10 Driver - https://nvidia.com

CVSSv3 SCORE

8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

DETAILS

NVIDIA Graphics drivers are the software for the NVIDIA GPU installed in a PC. They are used to communicate between the operating system and the GPU device. In most cases this software is required for the hardware device to function properly.

This vulnerability can be triggered by supplying a malformed shader, which leads to a memory corruption problem in the NVIDIA driver.

Example of shader triggering the bug:

gs_4_0
dcl_constant_buffer cb0[6].xyzw, immediateIndexed
...
dcl_output o0.xy
dcl_output o1.xyzw
...
mov o79.xyzw, v0[1].xyzw
...

As you can see, the MOV instruction writes to a target register (o79) that was not previously declared via dcl_output, so the register index is out of bounds.
This leads to a memory corruption bug, where the destination address is computed from a value provided in the shader data (taken directly from the supplied shader binary file).

00007FF9C1486AFF | 8D048D 00000000          | lea eax,qword ptr ds:[rcx*4]                | ; EAX value taken directly from the shader bytecode
00007FF9C1486B06 | C64424 21 01             | mov byte ptr ss:[rsp+21],1                  | 
00007FF9C1486B0B | C1F8 08                  | sar eax,8                                   |
00007FF9C1486B0E | 48:8DBD B0260000         | lea rdi,qword ptr ss:[rbp+26B0]             |
00007FF9C1486B15 | 0F57C0                   | xorps xmm0,xmm0                             |
00007FF9C1486B18 | 8D0485 00000000          | lea eax,qword ptr ds:[rax*4]                |
00007FF9C1486B1F | 41:03C5                  | add eax,r13d                                |
00007FF9C1486B22 | 48:63C8                  | movsxd rcx,eax                              |
00007FF9C1486B25 | 48:8D0449                | lea rax,qword ptr ds:[rcx+rcx*2]            |
00007FF9C1486B29 | 48:C1E0 04               | shl rax,4                                   |
00007FF9C1486B2D | 48:03F8                  | add rdi,rax                                 |
00007FF9C1486B30 | 0F1107                   | movups xmmword ptr ds:[rdi],xmm0            | * write1 * 
00007FF9C1486B33 | 0F1147 10                | movups xmmword ptr ds:[rdi+10],xmm0         |
00007FF9C1486B37 | 0F1147 20                | movups xmmword ptr ds:[rdi+20],xmm0         |
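The missing check, illustrated as an added example that is not part of the Talos report or of any NVIDIA code: a small validator over the textual shader assembly that records every register declared with dcl_output and flags any instruction whose destination is an o-register outside that set. The sample shader below is constructed from the listing above with the elided lines dropped; the line format and helper names are assumptions of this example.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed input modelled on the report's shader (the "..." lines are omitted).
SHADER_ASM = """\
gs_4_0
dcl_constant_buffer cb0[6].xyzw, immediateIndexed
dcl_output o0.xy
dcl_output o1.xyzw
mov o1.xyzw, v0[0].xyzw
mov o79.xyzw, v0[1].xyzw
"""

# Matches an output register operand such as "o0", "o1.xyzw" or "o79.xyzw".
OUT_RE = re.compile(r"^o(\d+)(?:[.\[]|$)")


def parse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one assembly line into (mnemonic, [operands]); None for blank lines."""
    line = line.split("//", 1)[0].strip()          # drop trailing comments
    if not line:
        return None
    parts = line.split(None, 1)
    operands = [p.strip() for p in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0], operands


def declared_outputs(asm: str) -> Set[int]:
    """Collect the indices declared by dcl_output / dcl_output_* statements."""
    outs: Set[int] = set()
    for line in asm.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0].startswith("dcl_output") and parsed[1]:
            m = OUT_RE.match(parsed[1][0])
            if m:
                outs.add(int(m.group(1)))
    return outs


def undeclared_output_writes(asm: str) -> List[Tuple[int, str, int]]:
    """Return (line_no, mnemonic, register) for each write to an undeclared oN."""
    outs = declared_outputs(asm)
    findings = []
    for no, line in enumerate(asm.splitlines(), 1):
        parsed = parse_line(line)
        if not parsed or parsed[0].startswith("dcl_") or not parsed[1]:
            continue                                  # declarations and bare tokens
        m = OUT_RE.match(parsed[1][0])                # first operand is the destination
        if m and int(m.group(1)) not in outs:
            findings.append((no, parsed[0], int(m.group(1))))
    return findings
```

Run against the sample, the validator reports the single offending write (line 6, mov to o79); a driver-side check of the same kind before computing the output slot address would reject the shader instead of writing out of bounds.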

Crash Information

nvwgf2umx!NVAPI_Thunk+0x1051b80:
00007ff9`c1486b30 0f1107          movups  xmmword ptr [rdi],xmm0 ds:000000cf`12480410=????????????????????????????????
0:039> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.mSec
	Value: 2139

	Key  : Analysis.DebugAnalysisManager
	Value: Create

	Key  : Analysis.Elapsed.mSec
	Value: 17936

	Key  : Analysis.Init.CPU.mSec
	Value: 3468

	Key  : Analysis.Init.Elapsed.mSec
	Value: 226852

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 91

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 93944

	Key  : Timeline.Process.Start.DeltaSec
	Value: 107

	Key  : WER.OS.Branch
	Value: vb_release

	Key  : WER.OS.Timestamp
	Value: 2019-12-06T14:06:00Z

	Key  : WER.OS.Version
	Value: 10.0.19041.1


NTGLOBALFLAG:  70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff9c1486b30 (nvwgf2umx!NVAPI_Thunk+0x0000000001051b80)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000cf12480410
Attempt to write to address 000000cf12480410

FAULTING_THREAD:  00003144

PROCESS_NAME:  POC_EXEC11.exe

WRITE_ADDRESS:  000000cf12480410 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000000cf12480410

STACK_TEXT:  
000000cf`1247a120 00007ff9`c02af594     : 000001f1`08c32f10 000001f1`08c32eb0 000001f1`08c1e440 000001f1`08c1e440 : nvwgf2umx!NVAPI_Thunk+0x1051b80
000000cf`1247f010 00007ff9`c01f1a38     : 000001f1`08c1e440 000000cf`1247f1b0 00000000`00000036 00007ff9`c03d7f7e : nvwgf2umx!NVENCODEAPI_Thunk+0x30cf4
000000cf`1247f110 00007ff9`c01f28f2     : 000001f1`08c1e440 000000cf`1247f281 00000000`00000000 000000cf`1247f5a0 : nvwgf2umx+0xe1a38
000000cf`1247f1e0 00007ff9`c01f3c6d     : 000001f1`08c2e508 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx+0xe28f2
000000cf`1247f2e0 00007ff9`c042dce6     : 000001f1`08baee00 000001f1`08c32e20 000001f1`08c2e508 000001f1`08c32c60 : nvwgf2umx+0xe3c6d
000000cf`1247f570 00007ff9`c042d9f8     : 00000000`00000000 000001f1`06b64c00 00000000`00000000 000001f1`06bd4968 : nvwgf2umx!NVDEV_Thunk+0xb68f6
000000cf`1247f680 00007ff9`c0676644     : 00000000`00000000 00007ff9`d5500800 000001f1`08c336b0 000001f1`06bd4160 : nvwgf2umx!NVDEV_Thunk+0xb6608
000000cf`1247f730 00007ff9`c067658f     : 00000000`00000000 000001f1`0000000f 000001f1`08ce4b20 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x241694
000000cf`1247f790 00007ff9`c1c37472     : 000001f1`08ce4b20 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x2415df
000000cf`1247f7c0 00007ff9`d5387614     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x619382
000000cf`1247f7f0 00007ff9`d55026a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000cf`1247f820 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx!NVAPI_Thunk+1051b80

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~39s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!NVAPI_Thunk

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  31.0.15.2824

FAILURE_ID_HASH:  {394d2a7d-b34b-6afc-ef2e-834df1b40588}

Followup:     MachineOwner
---------
VENDOR RESPONSE

NVidia released a bulletin for the issues here: https://nvidia.custhelp.com/app/answers/detail/a_id/5468

TIMELINE

2023-02-16 - Vendor Disclosure
2023-06-27 - Vendor Patch Release
2023-08-10 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.