Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027

🗓️ 31 Oct 2016 00:00:00Reported by Google Security ResearchType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 21 Views

Unchecked user-provided pointer in NVIDIA Driver 0x5000027 escape handler, potential write acces

Code
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937

The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer,
but does no checks on it before using it.

...
    DWORD* user_ptr = escape_5000027_data->user_ptr;
    v32 = user_ptr[2];
    v33 = user_ptr + 3;
    if ( v32 != -1 )
        v33 = (_DWORD *)v32;
    sub_91C24(miniport_context_, *user_ptr, user_ptr[1], v33, (__int64)&escape_data_);
...

The PoC I’ve provided causes a read on said pointer, but based on inspecting where this pointer
is passed it seems like there is at least 1 code path that can result in a write (I haven't
confirmed this though). 

(On Win 10 x64 with 372.54)

FAULTING_IP: 
nvlddmkm!nvDumpConfig+1338c7
fffff801`8a26a79f 8b4808          mov     ecx,dword ptr [rax+8]

CONTEXT:  ffffd00023649970 -- (.cxr 0xffffd00023649970)
rax=4141414141414141 rbx=ffffd0002364a870 rcx=0000000005000017
rdx=ffffd0002364a498 rsi=0000000000000000 rdi=ffffd0002364a498
rip=fffff8018a26a79f rsp=ffffd0002364a390 rbp=ffffd0002364a4a9
 r8=ffffd0002364a870  r9=ffffe8023c537220 r10=0000000000000000
r11=ffffd0002364a370 r12=ffffe8023c537220 r13=fffff80189fa9370
r14=ffffe000d6f2a000 r15=ffffe8023c537220
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nvlddmkm!nvDumpConfig+0x1338c7:
fffff801`8a26a79f 8b4808          mov     ecx,dword ptr [rax+8] ds:002b:41414141`41414149=????????
Resetting default scope

To reproduce, compile PoC as a x64 executable and run (requires WDK for D3DKMTEscape).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40663.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Oct 2016 00:00Current
7.4High risk
Vulners AI Score7.4
nvidiadriverescape handlerpointersecurity issuewrite access
21