Talos Vulnerability Report

TALOS-2024-2015

NVIDIA D3D10 Driver Shader Functionality MOV instruction out-of-bounds read vulnerability

October 23, 2024
CVE Number

CVE-2024-0119

SUMMARY

An out-of-bounds read vulnerability exists in the shader functionality of NVIDIA D3D10 Driver 555.99, 32.0.15.5599. A specially crafted executable or shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver 555.99, 32.0.15.5599

PRODUCT URLS

NVIDIA D3D10 Driver - https://nvidia.com

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

To trigger the bug we modified and corrupted the shader bytecode corresponding to the "MOV" instruction. This leads to an out-of-bounds memory read:

00007FF9EDACC63E | 4D:8B46 20               | mov r8,qword ptr ds:[r14+20]            |
00007FF9EDACC642 | 41:8BC1                  | mov eax,r9d                             |
00007FF9EDACC645 | 41:0FB78C40 14120000     | movzx ecx,word ptr ds:[r8+rax*2+1214]   |

The source memory address is computed from the shader bytecode (the RAX register contains the value taken directly from the shader bytecode, and it is used as a 16-bit element index with no bounds check). An attacker can modify the shader bytecode in order to force nvwgf2umx.dll to read from an arbitrary memory region relative to the object pointed to by R8.

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    nvwgf2umx!NVENCODEAPI_Thunk+0x35a25:
    00007ff9`edacc645 410fb78c4014120000 movzx ecx,word ptr [r8+rax*2+1214h] ds:00000187`11fbcefe=????
    0:014> r
    rax=00000000dddddde5 rbx=0000000000000019 rcx=0000000001000000
    rdx=00007ff9f139c4a0 rsi=0000000000000004 rdi=0000000000000000
    rip=00007ff9edacc645 rsp=000000013cdee870 rbp=000000013cdee970
     r8=0000018556400120  r9=00000000dddddde5 r10=0000000000000000
    r11=000000013cdeee90 r12=0000000000000020 r13=0000000000001000
    r14=00000185563f5060 r15=000000013cdeee70
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    nvwgf2umx!NVENCODEAPI_Thunk+0x35a25:
    00007ff9`edacc645 410fb78c4014120000 movzx ecx,word ptr [r8+rax*2+1214h] ds:00000187`11fbcefe=????
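The following C program is an added illustration, not code from the report or from the NVIDIA driver. It recomputes the effective address of the faulting `movzx ecx, word ptr [r8+rax*2+1214h]` from the register values in the dump above, confirming that the recorded fault address is exactly base + 2*index + displacement, and it places a hypothetical model of the unchecked 16-bit table lookup next to a bounds-checked version. The structure layout and table size in the model are assumptions for illustration; the driver's real data structures are not known from this report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register values copied from the WinDbg dump in this report. */
#define DUMP_R8         0x0000018556400120ULL
#define DUMP_RAX        0x00000000dddddde5ULL
#define DUMP_DISP       0x1214ULL
#define DUMP_FAULT_ADDR 0x0000018711fbcefeULL

/* Effective address of: movzx ecx, word ptr [r8 + rax*2 + disp]
 * The scale of 2 is the element size of the 16-bit table being indexed. */
uint64_t effective_address(uint64_t r8, uint64_t rax, uint64_t disp)
{
    return r8 + rax * 2 + disp;
}

/* Inverse: recover the bytecode-derived index from a faulting address. */
uint64_t index_from_fault(uint64_t fault, uint64_t r8, uint64_t disp)
{
    return (fault - disp - r8) / 2;
}

/* Hypothetical model (an assumption, not the driver's layout): an object
 * with a 16-bit table starting at offset 0x1214, indexed by an operand
 * taken directly from shader bytecode. */
#define TABLE_ENTRIES 256

struct shader_obj {
    uint8_t  header[0x1214];        /* assumed bytes before the table */
    uint16_t table[TABLE_ENTRIES];  /* assumed table size */
};

/* Vulnerable pattern: the operand is used as an index without a range
 * check, so any operand >= TABLE_ENTRIES reads outside the object. */
uint16_t lookup_unchecked(const struct shader_obj *obj, uint32_t operand)
{
    return obj->table[operand];
}

/* Hardened pattern: reject operands that would leave the table.
 * Returns false (and leaves *out untouched) for an out-of-range operand. */
bool lookup_checked(const struct shader_obj *obj, uint32_t operand, uint16_t *out)
{
    if (operand >= TABLE_ENTRIES)
        return false;
    *out = obj->table[operand];
    return true;
}

int main(void)
{
    uint64_t ea = effective_address(DUMP_R8, DUMP_RAX, DUMP_DISP);
    printf("effective address: 0x%016llx (dump: 0x%016llx) %s\n",
           (unsigned long long)ea, (unsigned long long)DUMP_FAULT_ADDR,
           ea == DUMP_FAULT_ADDR ? "match" : "MISMATCH");
    printf("bytecode-derived index: 0x%llx\n",
           (unsigned long long)index_from_fault(DUMP_FAULT_ADDR, DUMP_R8, DUMP_DISP));

    struct shader_obj obj = {0};
    uint16_t v = 0;
    /* The dumped operand is far beyond any plausible table: the hardened
     * lookup refuses it instead of dereferencing r8 + 2*0xdddddde5 + 0x1214. */
    printf("checked lookup of 0x%llx accepted: %s\n",
           (unsigned long long)DUMP_RAX,
           lookup_checked(&obj, (uint32_t)DUMP_RAX, &v) ? "yes" : "no");
    return 0;
}
```

Running the program reproduces the address 0x18711fbcefe from the crash record, which shows that the entire out-of-object offset (roughly 7 GiB past R8) comes from the single bytecode operand in RAX. The fix on the driver side is the equivalent of `lookup_checked`: validate the operand against the real table bounds before the indexed read.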

Crash Information

0:014> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Read

	Key  : Analysis.CPU.mSec
	Value: 859

	Key  : Analysis.Elapsed.mSec
	Value: 1254

	Key  : Analysis.IO.Other.Mb
	Value: 0

	Key  : Analysis.IO.Read.Mb
	Value: 0

	Key  : Analysis.IO.Write.Mb
	Value: 0

	Key  : Analysis.Init.CPU.mSec
	Value: 593

	Key  : Analysis.Init.Elapsed.mSec
	Value: 33314

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 88

	Key  : Failure.Bucket
	Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

	Key  : Failure.Hash
	Value: {7b367f86-064a-2e05-5dc0-760739d560ad}

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 608040

	Key  : Timeline.Process.Start.DeltaSec
	Value: 33

	Key  : WER.OS.Branch
	Value: vb_release

	Key  : WER.OS.Version
	Value: 10.0.19041.1


NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff9edacc645 (nvwgf2umx!NVENCODEAPI_Thunk+0x0000000000035a25)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000018711fbcefe
Attempt to read from address 0000018711fbcefe

FAULTING_THREAD:  00005438

PROCESS_NAME:  POC_EXEC11.exe

READ_ADDRESS:  0000018711fbcefe 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000018711fbcefe

STACK_TEXT:  
00000001`3cdee870 00007ff9`edac7a1d     : 00000185`563f5060 00000185`563f5060 00000000`00000000 00000001`3cdeed00 : nvwgf2umx!NVENCODEAPI_Thunk+0x35a25
00000001`3cdeeb40 00007ff9`edab0867     : 00000000`00000001 00000001`3cdef028 00000001`3cdef028 00000001`3cdeed50 : nvwgf2umx!NVENCODEAPI_Thunk+0x30dfd
00000001`3cdeec20 00007ff9`edd4e4c5     : 00000000`00000000 00004472`adb34ae7 00000185`56400120 00000000`00000002 : nvwgf2umx!NVENCODEAPI_Thunk+0x19c47
00000001`3cdeef40 00007ff9`eda9e1cd     : 00007ff9`edae3a04 00000001`3cdef040 00000185`563f5060 00000000`00000002 : nvwgf2umx!NVAPI_Thunk+0x24eb05
00000001`3cdeef70 00007ff9`eda9d063     : 00000000`ea28785b 00000001`3cdef4b0 00000000`ea28784f 00000000`ea287877 : nvwgf2umx!NVENCODEAPI_Thunk+0x75ad
00000001`3cdef430 00007ff9`ed9984fa     : 00000000`00000000 00000000`00000000 00000000`000000a1 00000001`3cdef8d0 : nvwgf2umx!NVENCODEAPI_Thunk+0x6443
00000001`3cdef4e0 00007ff9`ed999b55     : 00000185`563ecf30 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x288ea
00000001`3cdef5c0 00007ff9`ee1dc58a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29f45
00000001`3cdef8a0 00007ff9`ee1dc2a8     : 00000000`00000000 00000185`561afe00 00000000`00000000 00000185`561a6d78 : nvwgf2umx!NVDEV_Thunk+0x8b17a
00000001`3cdef9b0 00007ff9`ee150f73     : 00000000`00000000 00000000`00000000 00000185`563eb9f0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x8ae98
00000001`3cdefa60 00007ff9`ee150e6f     : 00000000`00000000 00000185`563bbf00 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x1210e3
00000001`3cdefab0 00007ff9`ee7be1fe     : 00000185`563bbf00 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x120fdf
00000001`3cdefae0 00007ffa`e9637344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!SetDependencyInfo+0x43ad5e
00000001`3cdefb10 00007ffa`ea2c26b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000001`3cdefb40 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx+35a25

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~14s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  32.0.15.5599

FAILURE_ID_HASH:  {7b367f86-064a-2e05-5dc0-760739d560ad}

Followup:     MachineOwner
---------
TIMELINE

2024-07-03 - Vendor Disclosure
2024-10-22 - Vendor Patch Release
2024-10-23 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.