NVIDIA D3D10 Driver nvwgf2umx_cfg.dll nvwg FTOI code execution vulnerability

2020-03-25T00:00:00
ID TALOS-2020-1039
Type talos
Reporter Talos Intelligence
Modified 2020-03-25T00:00:00

Description

Talos Vulnerability Report

TALOS-2020-1039

NVIDIA D3D10 Driver nvwgf2umx_cfg.dll nvwg FTOI code execution vulnerability

March 25, 2020
CVE Number

CVE‑2020‑5981

Summary

An exploitable code execution vulnerability exists in the nvwg functionality of NVIDIA Corporation NVIDIA D3D10 driver nvwgf2umx_cfg.dll, version 442.50 - 26.21.14.4250. A specially crafted shader could allow an adversary to execute remote code. An attacker can use this vulnerability to guest-to-host escape (through Hyper-V RemoteFX).

Tested Versions

NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250

Product URLs

<https://nvidia.com>

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

NVIDIA Graphics drivers is software for NVIDIA Graphics GPU installed on the PC. It is used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

This vulnerability can be triggered by supplying a malformed pixel shader. This leads to a memory corruption problem in the NVIDIA driver (this driver is mapped to the application - like Hyper-V (rdvgm.exe).

An example of a pixel shader triggering the bug:

dcl_global_flags refactoringAllowed
dcl_constant_buffer cb0[3].xyzw, immediateIndexed
dcl_resource_texture2d resource[0]
dcl_input_ps_siv linear noperspective v0.xy, position
dcl_output o0.xyzw
dcl_temps 3
...
ftoi r607649793.xyzw, r1.xyzw
...

By modifying the ftoi (floating point to signed integer conversion) destination register operand to a value out of typical register range it is possible for the attacker to trigger a memory corruption vulnerability in the NVIDIA graphics driver. An attacker can control the destination address by changing the operand value in the shader byte code.

0:249&gt; r
rax=0000000000e00028 rbx=0000000000000007 rcx=000000000038000a
rdx=5ce36532c4357ca8 rsi=5ce36532c4357ca8 rdi=0000000000000001
rip=00007ffbb6e96d77 rsp=00000012056fe290 rbp=0000000000000000
 r8=00000012056fe378  r9=00007ffbb60a0000 r10=0000000000000000
r11=000000000e000282 r12=0000000000000000 r13=00000149da98a060
r14=00000149caac1950 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
nvwgf2umx_cfg!NVAPI_Thunk+0x275e47:
00007ffb`b6e96d77 498954c500      mov     qword ptr [r13+rax*8],rdx ds:00000149`e198a1a0=????????????????

stack trace:

0:249&gt; kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`b6e972a2 : 00000149`da977a60 00000149`caac1950 00000000`00000000 00007ffb`b7408794 : nvwgf2umx_cfg!NVAPI_Thunk+0x275e47
01 00007ffb`b6dd4daa : 00000149`da5d8500 00000149`cb989930 00000149`da9710f8 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x276372
02 00007ffb`b62491ec : 00000149`da977a60 00000149`c798fce0 00000149`da97d0a0 00007ffb`c5a5fc11 : nvwgf2umx_cfg!NVAPI_Thunk+0x1b3e7a
03 00007ffb`b624a232 : 00000000`00000000 00000149`da8b07a0 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x15d9c
04 00007ffb`b624b826 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
05 00007ffb`b64e978d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
06 00007ffb`b655a84d : 00000149`da74b6d0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
07 00007ffb`b73ec500 : 00000000`00000000 00000000`00000000 00000149`da6ee0e0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
08 00007ffb`c3c17bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
09 00007ffb`c5a8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

0:249&gt; !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Write

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 49989

    Key  : Timeline.Process.Start.DeltaSec
    Value: 36213


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: &lt;blank&gt;
    Time: 2020-03-17T11:55:55.515Z
    Diff: 515 mSec

Timeline: Dump.Current
    Name: &lt;blank&gt;
    Time: 2020-03-17T11:55:55.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: &lt;blank&gt;
    Time: 2020-03-17T01:52:22.0Z
    Diff: 36213000 mSec

Timeline: OS.Boot
    Name: &lt;blank&gt;
    Time: 2020-03-16T22:02:46.0Z
    Diff: 49989000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
nvwgf2umx_cfg!NVAPI_Thunk+275e47
00007ffb`b6e96d77 498954c500      mov     qword ptr [r13+rax*8],rdx

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffbb6e96d77 (nvwgf2umx_cfg!NVAPI_Thunk+0x0000000000275e47)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000149e198a1a0
Attempt to write to address 00000149e198a1a0

FAULTING_THREAD:  000034c0

PROCESS_NAME:  rdvgm.exe

FOLLOWUP_IP: 
nvwgf2umx_cfg!NVAPI_Thunk+275e47
00007ffb`b6e96d77 498954c500      mov     qword ptr [r13+rax*8],rdx

WRITE_ADDRESS:  00000149e198a1a0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000149e198a1a0

WATSON_BKT_PROCSTAMP:  c2ed11f1

WATSON_BKT_PROCVER:  10.0.18362.693

PROCESS_VER_PRODUCT:  Microsoft® Windows® Operating System

WATSON_BKT_MODULE:  nvwgf2umx_cfg.dll

WATSON_BKT_MODSTAMP:  5e543369

WATSON_BKT_MODOFFSET:  df6d77

WATSON_BKT_MODVER:  26.21.14.4250

MODULE_VER_PRODUCT:  NVIDIA D3D10 drivers

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

MODLIST_WITH_TSCHKSUM_HASH:  c7265071fb60e87a75898e3ea660ed9a1a6dd1c8

MODLIST_SHA1_HASH:  0f361cbbe04384b6e38c75ba58473fb3acfe310b

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  03-17-2020 12:55:55.0515

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES:

    ID:     [0n313]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x34c0]
    Frame:  [0] : nvwgf2umx_cfg!NVAPI_Thunk

    ID:     [0n286]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x34c0]
    Frame:  [0] : nvwgf2umx_cfg!NVAPI_Thunk

    ID:     [0n117]
    Type:   [EXPLOITABLE]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x2070]
    TID:    [0x34c0]
    Frame:  [0] : nvwgf2umx_cfg!NVAPI_Thunk

LAST_CONTROL_TRANSFER:  from 00007ffbb6e972a2 to 00007ffbb6e96d77

STACK_TEXT:  
00000012`056fe290 00007ffb`b6e972a2 : 00000149`da977a60 00000149`caac1950 00000000`00000000 00007ffb`b7408794 : nvwgf2umx_cfg!NVAPI_Thunk+0x275e47
00000012`056fe410 00007ffb`b6dd4daa : 00000149`da5d8500 00000149`cb989930 00000149`da9710f8 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x276372
00000012`056fe8d0 00007ffb`b62491ec : 00000149`da977a60 00000149`c798fce0 00000149`da97d0a0 00007ffb`c5a5fc11 : nvwgf2umx_cfg!NVAPI_Thunk+0x1b3e7a
00000012`056fe9d0 00007ffb`b624a232 : 00000000`00000000 00000149`da8b07a0 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x15d9c
00000012`056feb60 00007ffb`b624b826 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
00000012`056fec60 00007ffb`b64e978d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
00000012`056ff6f0 00007ffb`b655a84d : 00000149`da74b6d0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
00000012`056ff7e0 00007ffb`b73ec500 : 00000000`00000000 00000000`00000000 00000149`da6ee0e0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
00000012`056ff830 00007ffb`c3c17bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
00000012`056ff860 00007ffb`c5a8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000012`056ff890 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


THREAD_SHA1_HASH_MOD_FUNC:  93c9ea155a8ea6b1efda165d582f312e74a6054c

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  dfebc1d571830737fa18e4248bead5bad25adf26

THREAD_SHA1_HASH_MOD:  685fcebdc54c161cffb3ee49c08a2ea54c68ef8d

FAULT_INSTR_CODE:  c5548949

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nvwgf2umx_cfg!NVAPI_Thunk+275e47

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvwgf2umx_cfg

IMAGE_NAME:  nvwgf2umx_cfg.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5e543369

STACK_COMMAND:  ~249s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_nvwgf2umx_cfg.dll!NVAPI_Thunk

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_nvwgf2umx_cfg!NVAPI_Thunk+275e47

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  nvwgf2umx_cfg.dll

BUCKET_ID_IMAGE_STR:  nvwgf2umx_cfg.dll

FAILURE_MODULE_NAME:  nvwgf2umx_cfg

BUCKET_ID_MODULE_STR:  nvwgf2umx_cfg

FAILURE_FUNCTION_NAME:  NVAPI_Thunk

BUCKET_ID_FUNCTION_STR:  NVAPI_Thunk

BUCKET_ID_OFFSET:  275e47

BUCKET_ID_MODPRIVATE: 1

BUCKET_ID_MODTIMEDATESTAMP:  5e543369

BUCKET_ID_MODCHECKSUM:  272ca91

BUCKET_ID_MODVER_STR:  26.21.14.4250

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  nvwgf2umx_cfg.dll!NVAPI_Thunk

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/rdvgm.exe/10.0.18362.693/c2ed11f1/nvwgf2umx_cfg.dll/26.21.14.4250/5e543369/c0000005/00df6d77.htm?Retriage=1

TARGET_TIME:  2020-03-17T11:56:07.000Z

OSBUILD:  18363

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  2f4c

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_nvwgf2umx_cfg.dll!nvapi_thunk

FAILURE_ID_HASH:  {fd06a8b6-fe43-abcd-e2a7-ab697f9fc3df}

Timeline

2020-03-25 - Vendor Disclosure
2020-04-06 - Vendor requested disclosure extension; Talos granted extension
2020-08-25 - Discussion w/vendor regarding CVE assignment
2020-09-30 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.


Vulnerability Reports Next Report

TALOS-2020-1158

Previous Report

TALOS-2019-0897