CVE-2024-0117
An out-of-bounds read vulnerability exists in the shader functionality of NVIDIA D3D10 Driver 555.99, 32.0.15.5599. A specially crafted executable or shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver 555.99, 32.0.15.5599
NVIDIA D3D10 Driver - https://nvidia.com
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 - Out-of-bounds Read
An exploitable memory corruption vulnerability exists in the NVIDIA nvwgf2umx.dll graphics driver. A specially crafted compute shader can cause an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as has been demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
This vulnerability can be triggered by supplying a malformed shader, which leads to an out-of-bounds memory read in the NVIDIA driver.
To trigger the bug, we modified and corrupted the shader bytecode corresponding to the “LD” instruction. (The LD instruction fetches data from the specified buffer or texture without any filtering (e.g. point sampling) using the provided integer address. The source data may come from any resource type other than TextureCube.)
This leads to an out-of-bounds memory read:
00007FF9EDABB7B9 | 45:8B6D 28 | mov r13d,dword ptr ds:[r13+28] |
00007FF9EDABB7BD | 44:8D70 E5 | lea r14d,qword ptr ds:[rax-1B] |
00007FF9EDABB7C1 | 49:8B4F 20 | mov rcx,qword ptr ds:[r15+20] |
00007FF9EDABB7C5 | 45:8BC5 | mov r8d,r13d |
00007FF9EDABB7C8 | 44:8BCE | mov r9d,esi |
00007FF9EDABB7CB | 4C:8B91 E0020000 | mov r10,qword ptr ds:[rcx+2E0] |
00007FF9EDABB7D2 | 47:0FB71C6A | movzx r11d,word ptr ds:[r10+r13*2] | *
The source memory address is computed from the shader bytecode (the r13 register holds a value taken directly from the shader bytecode). An attacker can modify the shader bytecode to force nvwgf2umx.dll to read an arbitrary memory region.
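To make the addressing concrete, here is an added C model (not NVIDIA's or Talos's code) of the faulting lookup: the bytecode-supplied index (r13) is scaled by 2 and added to the table base (r10), which reproduces the READ_ADDRESS in the debugger output that follows, and is placed next to the explicit bounds check a fixed lookup would need. The table size is an assumption; the register values come from the crash dump on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical size for the 16-bit table r10 points to (assumption; the real
 * size is not known from the advisory). */
#define TABLE_ENTRIES 64
static uint16_t g_table[TABLE_ENTRIES];

/* Address the instruction  movzx r11d, word ptr [r10 + r13*2]  dereferences:
 * the table base plus the bytecode-supplied index scaled by sizeof(uint16_t). */
uint64_t fault_address(uint64_t table_base, uint32_t index_from_bytecode)
{
    return table_base + (uint64_t)index_from_bytecode * 2u;
}

/* Hardened lookup: validate the bytecode-supplied index against the table size
 * before dereferencing. Returns 0 on success, -1 when the index is rejected. */
int lookup_checked(uint32_t index_from_bytecode, uint16_t *out)
{
    if (index_from_bytecode >= TABLE_ENTRIES)
        return -1;               /* refuse rather than read out of bounds */
    *out = g_table[index_from_bytecode];
    return 0;
}

int main(void)
{
    /* Register values taken from the crash dump: r10 (table base) and r13 (index). */
    const uint64_t r10 = 0x00000206d6dd1c70ULL;
    const uint32_t r13 = 0xccccccccu;
    uint16_t v;

    for (uint32_t i = 0; i < TABLE_ENTRIES; i++)
        g_table[i] = (uint16_t)(0x1000 + i);

    /* Reproduces the READ_ADDRESS reported by !analyze: 000002087076b608. */
    printf("[r10 + r13*2] = 0x%016llx\n", (unsigned long long)fault_address(r10, r13));
    printf("index %u -> %s\n", 5u, lookup_checked(5u, &v) == 0 ? "ok" : "rejected");
    printf("index 0x%08x -> %s\n", r13, lookup_checked(r13, &v) == 0 ? "ok" : "rejected");
    return 0;
}
```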
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
nvwgf2umx!NVENCODEAPI_Thunk+0x24bb2:
00007ff9`edabb7d2 470fb71c6a movzx r11d,word ptr [r10+r13*2] ds:00000208`7076b608=????
0:014> r
rax=000000000000001f rbx=000000c8079fefe8 rcx=00000206d6ebba00
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000001041
rip=00007ff9edabb7d2 rsp=000000c8079fc860 rbp=000000c8079fc960
r8=00000000cccccccc r9=0000000000000000 r10=00000206d6dd1c70
r11=0000000000000000 r12=0000000000000000 r13=00000000cccccccc
r14=0000000000000004 r15=00000206d6eba8b0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
nvwgf2umx!NVENCODEAPI_Thunk+0x24bb2:
00007ff9`edabb7d2 470fb71c6a movzx r11d,word ptr [r10+r13*2] ds:00000208`7076b608=????
0:014> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 921
Key : Analysis.Elapsed.mSec
Value: 3482
Key : Analysis.IO.Other.Mb
Value: 1
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 12
Key : Analysis.Init.CPU.mSec
Value: 1093
Key : Analysis.Init.Elapsed.mSec
Value: 86676
Key : Analysis.Memory.CommitPeak.Mb
Value: 89
Key : Failure.Bucket
Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
Key : Failure.Hash
Value: {7b367f86-064a-2e05-5dc0-760739d560ad}
Key : Timeline.OS.Boot.DeltaSec
Value: 600498
Key : Timeline.Process.Start.DeltaSec
Value: 86
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff9edabb7d2 (nvwgf2umx!NVENCODEAPI_Thunk+0x0000000000024bb2)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000002087076b608
Attempt to read from address 000002087076b608
FAULTING_THREAD: 00004ea4
PROCESS_NAME: POC_EXEC11.exe
READ_ADDRESS: 000002087076b608
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000002087076b608
STACK_TEXT:
000000c8`079fc860 00007ff9`edab89fd : 000000c8`079ff068 00000000`00000000 000000c8`079ff068 00000000`00000000 : nvwgf2umx!NVENCODEAPI_Thunk+0x24bb2
000000c8`079fe8e0 00007ff9`edca5803 : 00000000`00700000 000000c8`079feee0 00000000`00700000 00000000`00000000 : nvwgf2umx!NVENCODEAPI_Thunk+0x21ddd
000000c8`079fee50 00007ff9`eda9e1cd : 00007ff9`edae348c 000000c8`079ff080 00000206`d6eba8b0 00000000`00000001 : nvwgf2umx!NVAPI_Thunk+0x1a5e43
000000c8`079feeb0 00007ff9`eda9d063 : 00000000`d4cd00a0 000000c8`079ff3f0 00000000`d4cd00a7 00000000`d4cd0000 : nvwgf2umx!NVENCODEAPI_Thunk+0x75ad
000000c8`079ff370 00007ff9`ed9984fa : 00000000`00000000 00000000`00000000 00000000`00000022 000000c8`079ff810 : nvwgf2umx!NVENCODEAPI_Thunk+0x6443
000000c8`079ff420 00007ff9`ed999b55 : 00000206`d6dba990 00000000`00000000 000000c8`079ff600 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x288ea
000000c8`079ff500 00007ff9`ee1dc58a : 00000000`00000000 00000206`d6da5c20 00000206`d6bde740 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29f45
000000c8`079ff7e0 00007ff9`ee1dc2a8 : 00000000`00000000 00000206`d6bde740 00000000`00000000 00000206`d6c7d578 : nvwgf2umx!NVDEV_Thunk+0x8b17a
000000c8`079ff8f0 00007ff9`ee150f73 : 00000000`00000000 00000000`00000000 00000206`d6dbeb10 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x8ae98
000000c8`079ff9a0 00007ff9`ee150e6f : 00000000`00000000 00000206`d6da5bc0 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x1210e3
000000c8`079ff9f0 00007ff9`ee7be1fe : 00000206`d6da5bc0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x120fdf
000000c8`079ffa20 00007ffa`e9637344 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!SetDependencyInfo+0x43ad5e
000000c8`079ffa50 00007ffa`ea2c26b1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000c8`079ffa80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx+24bb2
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~14s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 32.0.15.5599
FAILURE_ID_HASH: {7b367f86-064a-2e05-5dc0-760739d560ad}
Followup: MachineOwner
---------
2024-07-01 - Vendor Disclosure
2024-10-22 - Vendor Patch Release
2024-10-23 - Public Release
Discovered by Piotr Bania of Cisco Talos.