Talos Vulnerability Report

TALOS-2024-2013

NVIDIA D3D10 Driver Shader Functionality out-of-bounds read vulnerability due to excessive loop iteration

October 23, 2024
CVE Number

CVE-2024-0118

SUMMARY

An out-of-bounds read vulnerability exists in the shader functionality of NVIDIA D3D10 Driver 555.99, 32.0.15.5599. A specially crafted executable or shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver 555.99, 32.0.15.5599

PRODUCT URLS

NVIDIA D3D10 Driver - https://nvidia.com

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

This vulnerability can be triggered by supplying a malformed shader, which leads to an out-of-bounds memory read in the NVIDIA driver.

To trigger the bug we modified a CUSTOMDATA section in the shader bytecode. The modified value is later used as the maximum number of loop iterations; on each iteration a read operation is performed while the memory address specifying the region being read is adjusted.

This leads to an out-of-bounds memory read:

	00007FF9EE7AB4B0 | 0F2941 10                | movaps xmmword ptr ds:[rcx+10],xmm0     |
	00007FF9EE7AB4B4 | 0F2909                   | movaps xmmword ptr ds:[rcx],xmm1        |
	00007FF9EE7AB4B7 | 0F104411 F0              | movups xmm0,xmmword ptr ds:[rcx+rdx-10] |
	00007FF9EE7AB4BC | 0F104C11 E0              | movups xmm1,xmmword ptr ds:[rcx+rdx-20] |
	00007FF9EE7AB4C1 | 48:81E9 80000000         | sub rcx,80                              |
	00007FF9EE7AB4C8 | 0F2941 70                | movaps xmmword ptr ds:[rcx+70],xmm0     |
	00007FF9EE7AB4CC | 0F2949 60                | movaps xmmword ptr ds:[rcx+60],xmm1     |
	00007FF9EE7AB4D0 | 0F104411 50              | movups xmm0,xmmword ptr ds:[rcx+rdx+50] |
	00007FF9EE7AB4D5 | 0F104C11 40              | movups xmm1,xmmword ptr ds:[rcx+rdx+40] |
	00007FF9EE7AB4DA | 49:FFC9                  | dec r9                                  |		* 
	00007FF9EE7AB4DD | 0F2941 50                | movaps xmmword ptr ds:[rcx+50],xmm0     |
	00007FF9EE7AB4E1 | 0F2949 40                | movaps xmmword ptr ds:[rcx+40],xmm1     |
	00007FF9EE7AB4E5 | 0F104411 30              | movups xmm0,xmmword ptr ds:[rcx+rdx+30] |
	00007FF9EE7AB4EA | 0F104C11 20              | movups xmm1,xmmword ptr ds:[rcx+rdx+20] |
	00007FF9EE7AB4EF | 0F2941 30                | movaps xmmword ptr ds:[rcx+30],xmm0     |
	00007FF9EE7AB4F3 | 0F2949 20                | movaps xmmword ptr ds:[rcx+20],xmm1     |
	00007FF9EE7AB4F7 | 0F104411 10              | movups xmm0,xmmword ptr ds:[rcx+rdx+10] |
	00007FF9EE7AB4FC | 0F100C11                 | movups xmm1,xmmword ptr ds:[rcx+rdx]    |
	00007FF9EE7AB500 | 75 AE                    | jne nvwgf2umx.7FF9EE7AB4B0              |

Here the value of r9 (the remaining loop counter) is taken directly from the shader bytecode. An attacker can influence the number of loop iterations, which eventually leads to out-of-bounds reads, because the RCX register specifying the memory address being read is adjusted on every loop iteration.
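As an added illustration (not code from the advisory or from NVIDIA's driver), the following C models the loop shape described above together with the check that would have bounded it. The repeat count comes from an untrusted header (a hypothetical stand-in for the CUSTOMDATA field, not the real DXBC layout), the loop walks a pointer downward by 0x80 per iteration as rcx does in the disassembly, and a wrapper validates the count against the real size of both buffers before the loop runs. All names, the header layout and the buffer contents are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 128u  /* 0x80: the stride rcx is decremented by in the advisory's loop */

/* Constructed model of the untrusted input: the repeat count the driver reads
 * from the shader's CUSTOMDATA section. Hypothetical layout, not the real
 * DXBC CUSTOMDATA format. */
typedef struct {
    uint32_t repeat_count;   /* becomes the loop counter (r9 in the disassembly) */
} custom_data_hdr;

enum copy_status {
    COPY_OK = 0,
    COPY_ERR_ZERO_COUNT = 1,    /* a counter tested only after decrement (dec/jne) would wrap from 0 */
    COPY_ERR_OUT_OF_BOUNDS = 2  /* count * BLOCK_SIZE exceeds a buffer */
};

/* The loop shape from the advisory: the destination pointer walks downward by
 * BLOCK_SIZE per iteration and each block is read from source and written to
 * destination. This body trusts `count`; nothing here calls it unchecked. */
static void copy_blocks_downward(uint8_t *dst_end, const uint8_t *src_end, uint32_t count)
{
    for (uint32_t i = 0; i < count; i++) {
        dst_end -= BLOCK_SIZE;
        src_end -= BLOCK_SIZE;
        memcpy(dst_end, src_end, BLOCK_SIZE);
    }
}

/* Hardened entry point: derive the number of bytes the loop will touch from the
 * untrusted count and refuse to run unless both buffers can supply them. The
 * multiply is done in 64 bits so a large 32-bit count cannot wrap to a small
 * value that passes the comparison. */
enum copy_status copy_blocks_checked(uint8_t *dst, size_t dst_len,
                                     const uint8_t *src, size_t src_len,
                                     const custom_data_hdr *hdr)
{
    if (hdr->repeat_count == 0)
        return COPY_ERR_ZERO_COUNT;
    uint64_t needed = (uint64_t)hdr->repeat_count * BLOCK_SIZE;
    if (needed > dst_len || needed > src_len)
        return COPY_ERR_OUT_OF_BOUNDS;
    /* The loop walks downward, so both pointers start at the end of the
     * region it is allowed to touch. */
    copy_blocks_downward(dst + (size_t)needed, src + (size_t)needed, hdr->repeat_count);
    return COPY_OK;
}

/* Constructed buffers for the demonstration: four 128-byte blocks each. */
#define DEMO_BLOCKS 4u
#define DEMO_LEN (DEMO_BLOCKS * BLOCK_SIZE)

/* Runs the checked copy with the given count against the constructed buffers
 * and returns the status; on success the copied bytes are also verified
 * (-1 would indicate a defect in the loop itself). */
int demo_copy_status(uint32_t repeat_count)
{
    uint8_t src[DEMO_LEN], dst[DEMO_LEN];
    for (size_t i = 0; i < DEMO_LEN; i++)
        src[i] = (uint8_t)(i * 7u);   /* arbitrary recognisable pattern */
    memset(dst, 0, sizeof dst);

    custom_data_hdr hdr = { repeat_count };
    enum copy_status st = copy_blocks_checked(dst, sizeof dst, src, sizeof src, &hdr);
    if (st == COPY_OK) {
        size_t copied = (size_t)repeat_count * BLOCK_SIZE;
        if (memcmp(dst, src, copied) != 0)
            return -1;
    }
    return (int)st;
}

int main(void)
{
    printf("count=4          -> status %d\n", demo_copy_status(4));
    printf("count=5          -> status %d\n", demo_copy_status(5));
    printf("count=0          -> status %d\n", demo_copy_status(0));
    printf("count=0x02000001 -> status %d\n", demo_copy_status(0x02000001u));
    return 0;
}
```

The count 0x02000001 is the instructive case: multiplied by 0x80 in 32-bit arithmetic it wraps to 0x80 and would pass a naive comparison, while the 64-bit product (0x100000080) is correctly rejected. The same validation belongs at the point where a bytecode field is converted into a loop bound, before the first iteration touches memory.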

Crash Information

	0:015> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Read

		Key  : Analysis.CPU.mSec
		Value: 874

		Key  : Analysis.Elapsed.mSec
		Value: 1713

		Key  : Analysis.IO.Other.Mb
		Value: 0

		Key  : Analysis.IO.Read.Mb
		Value: 0

		Key  : Analysis.IO.Write.Mb
		Value: 5

		Key  : Analysis.Init.CPU.mSec
		Value: 765

		Key  : Analysis.Init.Elapsed.mSec
		Value: 29608

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 93

		Key  : Failure.Bucket
		Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

		Key  : Failure.Hash
		Value: {7b367f86-064a-2e05-5dc0-760739d560ad}

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 605656

		Key  : Timeline.Process.Start.DeltaSec
		Value: 29

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Version
		Value: 10.0.19041.1


	NTGLOBALFLAG:  70

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 00007ff9ee7ab4f7 (nvwgf2umx!SetDependencyInfo+0x0000000000428057)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000000
	   Parameter[1]: 0000026fa84a1ff4
	Attempt to read from address 0000026fa84a1ff4

	FAULTING_THREAD:  000065fc

	PROCESS_NAME:  POC_EXEC11.exe

	READ_ADDRESS:  0000026fa84a1ff4 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000000

	EXCEPTION_PARAMETER2:  0000026fa84a1ff4

	STACK_TEXT:  
	00000071`0059ec28 00007ff9`ed97e5d1     : 0000026f`9f600000 00007ff9`edab0cf5 00000000`00000440 00000000`00000001 : nvwgf2umx!SetDependencyInfo+0x428057
	00000071`0059ec30 00007ff9`eda9e1cd     : 00007ff9`edae33fc 00000071`0059f1b0 00000000`00000078 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0xe9c1
	00000071`0059ec70 00007ff9`eda9d063     : 0000026f`a197f3d0 0000026f`a1985210 00000000`ea287835 0000026f`a1985210 : nvwgf2umx!NVENCODEAPI_Thunk+0x75ad
	00000071`0059f130 00007ff9`ed9984fa     : 00000000`00000000 00000000`00000000 00000000`00000001 00000071`0059f5d0 : nvwgf2umx!NVENCODEAPI_Thunk+0x6443
	00000071`0059f1e0 00007ff9`ed999b55     : 0000026f`a19768b0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x288ea
	00000071`0059f2c0 00007ff9`ee1dc58a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29f45
	00000071`0059f5a0 00007ff9`ee1dc2a8     : 00000000`00000000 0000026f`a16a1d80 00000000`00000000 0000026f`a1688dd8 : nvwgf2umx!NVDEV_Thunk+0x8b17a
	00000071`0059f6b0 00007ff9`ee150f73     : 00000000`00000000 00000000`00000000 0000026f`a197a390 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x8ae98
	00000071`0059f760 00007ff9`ee150e6f     : 00000000`00000000 0000026f`a1948de0 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x1210e3
	00000071`0059f7b0 00007ff9`ee7be1fe     : 0000026f`a1948de0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x120fdf
	00000071`0059f7e0 00007ffa`e9637344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!SetDependencyInfo+0x43ad5e
	00000071`0059f810 00007ffa`ea2c26b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	00000071`0059f840 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


	SYMBOL_NAME:  nvwgf2umx+428057

	MODULE_NAME: nvwgf2umx

	IMAGE_NAME:  nvwgf2umx.dll

	STACK_COMMAND:  ~15s ; .cxr ; kb

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

	BUCKET_ID_MODPRIVATE: 1

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  32.0.15.5599

	FAILURE_ID_HASH:  {7b367f86-064a-2e05-5dc0-760739d560ad}

	Followup:     MachineOwner
	---------
TIMELINE

2024-07-01 - Vendor Disclosure
2024-10-22 - Vendor Patch Release
2024-10-23 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.