CVE-2024-0121
An out-of-bounds read vulnerability exists in the shader functionality of the SAMPLE instruction in NVIDIA D3D10 Driver, Version 551.61, 31.0.15.5161. A specially crafted executable or shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver, Version 551.61, 31.0.15.5161
D3D10 Driver - https://nvidia.com
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 - Out-of-bounds Read
NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC, used for communication between the operating system and the GPU device. In most cases this software is required for the hardware to function properly.
This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, qemu, VirtualBox, etc.) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
This vulnerability can be triggered by supplying a malformed shader, which leads to an out-of-bounds memory read in the NVIDIA driver.
To trigger the bug we modified and corrupted the shader bytecode corresponding to the "SAMPLE" instruction (the SAMPLE instruction samples data from the specified element/texture using the specified address and the filtering mode identified by the given sampler).
This leads to an out-of-bounds memory read:
00007FF928E1514C | 8BC1 | mov eax,ecx |
00007FF928E1514E | C1E0 1A | shl eax,1A |
00007FF928E15151 | C1F8 1A | sar eax,1A |
00007FF928E15154 | 3BC2 | cmp eax,edx |
00007FF928E15156 | 0F85 E0000000 | jne nvwgf2umx.7FF928E1523C |
00007FF928E1515C | 8B43 38 | mov eax,dword ptr ds:[rbx+38] |
00007FF928E1515F | 44:0FB7C8 | movzx r9d,ax |
00007FF928E15163 | A9 0000E001 | test eax,1E00000 |
00007FF928E15168 | 0F85 890B0000 | jne nvwgf2umx.7FF928E15CF7 |
00007FF928E1516E | A9 0000000E | test eax,E000000 |
00007FF928E15173 | 0F85 7E0B0000 | jne nvwgf2umx.7FF928E15CF7 |
00007FF928E15179 | 44:0FBE53 28 | movsx r10d,byte ptr ds:[rbx+28] |
00007FF928E1517E | 8D0C8D 00000000 | lea ecx,qword ptr ds:[rcx*4] | * RCX value taken directly from the shader file
00007FF928E15185 | C1F9 08 | sar ecx,8 |
00007FF928E15188 | 48:C1E1 06 | shl rcx,6 |
00007FF928E1518C | 41:8BD3 | mov edx,r11d |
00007FF928E1518F | 48:C1E2 06 | shl rdx,6 |
00007FF928E15193 | 0F100439 | movups xmm0,xmmword ptr ds:[rcx+rdi] | * RDI valid memory region, RCX offset (controlled)
00007FF928E15197 | 0F104C39 10 | movups xmm1,xmmword ptr ds:[rcx+rdi+10] |
00007FF928E1519C | 0F294424 40 | movaps xmmword ptr ss:[rsp+40],xmm0 |
00007FF928E151A1 | 0F294C24 50 | movaps xmmword ptr ss:[rsp+50],xmm1 |
00007FF928E151A6 | 0F104439 20 | movups xmm0,xmmword ptr ds:[rcx+rdi+20] |
00007FF928E151AB | 0F104C39 30 | movups xmm1,xmmword ptr ds:[rcx+rdi+30] |
00007FF928E151B0 | 0F294424 60 | movaps xmmword ptr ss:[rsp+60],xmm0 |
00007FF928E151B5 | 0F294C24 70 | movaps xmmword ptr ss:[rsp+70],xmm1 |
The source memory address is computed from the shader bytecode. An attacker can modify the shader bytecode in order to force nvwgf2umx_cfg.dll to read an arbitrary memory region.
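The index arithmetic visible in the disassembly (lea ecx,[rcx*4]; sar ecx,8; shl rcx,6; then a 64-byte read at rdi plus that offset) is the whole bug: a 32-bit operand taken from untrusted shader bytecode becomes a table index with no range check. The following C model, added here as an illustration and not code from the advisory or from NVIDIA's driver, reproduces that arithmetic and shows the lookup with and without a bounds check. The table layout, entry count, function names and sample operands are constructed assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the addressing pattern shown in the disassembly:
 * a 32-bit operand from the shader bytecode is shifted into a table index
 * and a 64-byte entry is read from that index. Layout and sizes are
 * assumptions for illustration, not the driver's real structures. */
#define ENTRY_SIZE    64u   /* shl rcx,6 -> 64-byte entries           */
#define TABLE_ENTRIES 8u    /* constructed: number of entries we hold */

typedef struct {
    uint8_t bytes[ENTRY_SIZE];
} table_entry_t;

/* Mirrors "lea ecx,[rcx*4]; sar ecx,8": 32-bit wraparound multiply, then
 * an arithmetic shift. The result is a signed 32-bit index, so large or
 * high-bit-set operands yield huge or negative indexes. */
static int32_t operand_to_index(uint32_t operand)
{
    int32_t scaled = (int32_t)(operand * 4u); /* wraps like the 32-bit lea */
    return scaled >> 8;                        /* arithmetic, like sar ecx,8 */
}

/* Mirrors "shl rcx,6" applied to the zero-extended 32-bit result: the byte
 * offset that would be added to the table base (rdi) before the read. */
static uint64_t operand_to_offset(uint32_t operand)
{
    return (uint64_t)(uint32_t)operand_to_index(operand) << 6;
}

/* Unchecked lookup: the pattern the faulting code follows. Any operand is
 * accepted, so the computed pointer can land anywhere (CWE-125). The
 * pointer is only formed here, never dereferenced, to keep this model safe. */
static const table_entry_t *lookup_unchecked(const table_entry_t *table,
                                             uint32_t operand)
{
    return (const table_entry_t *)((const uint8_t *)table +
                                   operand_to_offset(operand));
}

/* Hardened lookup: validate the bytecode-derived index against the table
 * length before touching memory. Rejected operands return false. */
static bool lookup_checked(const table_entry_t *table, size_t table_len,
                           uint32_t operand, table_entry_t *out)
{
    int32_t idx = operand_to_index(operand);
    if (idx < 0 || (size_t)idx >= table_len)
        return false;               /* would read outside the table: reject */
    memcpy(out, &table[idx], sizeof(*out));
    return true;
}

/* Constructed sample table: entry i is filled with the byte value i + 1.
 * Returns the first byte of the selected entry, or -1 if the checked
 * lookup rejected the operand. */
static int sample_table_lookup(uint32_t operand)
{
    table_entry_t table[TABLE_ENTRIES];
    table_entry_t out;
    for (unsigned i = 0; i < TABLE_ENTRIES; i++)
        memset(table[i].bytes, (int)(i + 1), ENTRY_SIZE);
    if (!lookup_checked(table, TABLE_ENTRIES, operand, &out))
        return -1;
    return out.bytes[0];
}

int main(void)
{
    /* Constructed operands: one in range, one far past the table, one that
     * goes negative after the 32-bit wraparound. */
    const uint32_t samples[] = { 0x100u, 0x1000000u, 0xF0000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("operand 0x%08x -> index %d, offset 0x%llx, checked result %d\n",
               samples[i], operand_to_index(samples[i]),
               (unsigned long long)operand_to_offset(samples[i]),
               sample_table_lookup(samples[i]));
    }
    return 0;
}
```

The check in lookup_checked is the fix pattern a driver needs here: the operand is attacker-controlled bytecode, so the derived index must be compared against the actual table length (and rejected when negative) before the 64-byte copy, rather than trusting the shader to stay in range.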
0:013> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 1827
Key : Analysis.Elapsed.mSec
Value: 11346
Key : Analysis.IO.Other.Mb
Value: 14
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 26
Key : Analysis.Init.CPU.mSec
Value: 499
Key : Analysis.Init.Elapsed.mSec
Value: 9143
Key : Analysis.Memory.CommitPeak.Mb
Value: 71
Key : Failure.Bucket
Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
Key : Failure.Hash
Value: {7b367f86-064a-2e05-5dc0-760739d560ad}
Key : Timeline.OS.Boot.DeltaSec
Value: 4239210
Key : Timeline.Process.Start.DeltaSec
Value: 8
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff928e15193 (nvwgf2umx!NVAPI_Thunk+0x0000000000268543)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000002a5a762d110
Attempt to read from address 000002a5a762d110
FAULTING_THREAD: 00002380
PROCESS_NAME: POC_EXEC11.exe
READ_ADDRESS: 000002a5a762d110
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000002a5a762d110
STACK_TEXT:
000000ac`cbb9f4b0 00007ff9`28999381 : 00000000`00000000 00000000`af76783e 00000000`00000000 000002a5`9f0b1b00 : nvwgf2umx!NVAPI_Thunk+0x268543
000000ac`cbb9f660 00007ff9`2899a179 : 000002a5`9f28c810 000000ac`cbb9f7b1 00000000`00000000 000000ac`cbb9fb20 : nvwgf2umx!NVAPI_DirectMethods+0x27ae1
000000ac`cbb9f730 00007ff9`2899b54f : 000002a5`a3603870 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x288d9
000000ac`cbb9f810 00007ff9`291d2e93 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29caf
000000ac`cbb9faf0 00007ff9`291d2bb8 : 00000000`00000000 000002a5`9f0b3740 00000000`00000000 000002a5`9f0eee20 : nvwgf2umx!NVDEV_Thunk+0x3afd3
000000ac`cbb9fc00 00007ff9`29200983 : 00000000`00000000 00000000`00000000 000002a5`a3602e30 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x3acf8
000000ac`cbb9fcb0 00007ff9`2920087f : 00000000`00000000 000002a5`9ef54100 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x68ac3
000000ac`cbb9fd00 00007ff9`297a8d8e : 000002a5`9ef54100 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x689bf
000000ac`cbb9fd30 00007ff9`ad7d7344 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x610ece
000000ac`cbb9fd60 00007ff9`af7a26b1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000ac`cbb9fd90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx+268543
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~13s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 31.0.15.5161
FAILURE_ID_HASH: {7b367f86-064a-2e05-5dc0-760739d560ad}
Followup: MachineOwner
---------
The vendor released a security advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5557
2024-03-15 - Vendor Disclosure
2024-10-22 - Vendor Patch Release
2024-10-23 - Public Release
Discovered by Piotr Bania of Cisco Talos.