| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2016-8808 | 31 Oct 2016 00:00 | – | circl |
| NVIDIA Windows GPU Display Driver Local Elevation of Privilege Vulnerability (CNVD-2016-10567) | 2 Nov 2016 00:00 | – | cnvd |
| CVE-2016-8808 | 8 Nov 2016 20:37 | – | cve |
| CVE-2016-8808 | 8 Nov 2016 20:37 | – | cvelist |
| EUVD-2016-9633 | 7 Oct 2025 00:30 | – | euvd |
| NVidia Windows GPU Display Driver Contains Multiple Vulnerabilities in the Kernel Mode Layer - us | 13 Mar 2017 00:00 | – | lenovo |
| Updated graphicsmagick packages fix security vulnerability | 14 Jul 2016 20:33 | – | mageia |
| CVE-2016-8808 | 8 Nov 2016 20:59 | – | nvd |
| Security Bulletin: Vulnerabilities in NVIDIA Windows GPU Display Driver and NVIDIA GeForce Experience | 28 Oct 2016 00:00 | – | nvidia |
| NVIDIA Windows GPU Display Driver 340.x / 341.x / 342.x < 342.00 / 375.x < 375.63 Multiple Vulnerabilities | 4 Nov 2016 00:00 | – | nessus |
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
```c
/* Decompiler output quoted in the report, reindented here; "..." marks
 * code the report elides. Neither loop checks escape->size or g_saved_size
 * against the size of global_array or of the escape buffer. */
...
if ( g_saved_size )
{
    /* Read-back path: copy g_saved_size entries from the global array into
     * escape->data without checking that the escape buffer is that large. */
    escape->size = g_saved_size;
    if ( (unsigned int)g_saved_size > 0 )
    {
        do
        {
            v5 = v2++;
            escape->data[v5] = global_array[v5 + 77];
        }
        while ( v2 < g_saved_size );
    }
    return;
}
data = 0i64;
...
/* Store path: copy escape->size user-supplied entries into the global
 * array without checking against its capacity. */
if ( escape->size > 0 )
{
    do
    {
        ii = i++;
        global_array[ii + 77] = escape->data[ii];
    }
    while ( i < escape->size );
}
...
g_saved_size = escape->size;
```
This handler copies data to and from a global array but performs no bounds checking at all: `escape->size` is user controlled, so an oversized value overflows the global buffer on the store path, and the saved size then causes a pool overflow when the data is copied back into the escape buffer on the read-back path.
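As an added example (not code from the Project Zero report or from the NVIDIA driver), the following user-mode model of the 0x70000d5 handler shows the two checks the decompiled code lacks: the entry count must fit the caller's buffer and the global array on the store path, and the saved count must fit the caller's buffer on the read-back path. The struct layout, `GLOBAL_SLOTS`, `escape_len` and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GLOBAL_SLOTS 256u                 /* assumed size of global_array */
#define DATA_OFFSET  77u                  /* offset used in the decompiled handler */
#define MAX_ENTRIES  (GLOBAL_SLOTS - DATA_OFFSET)

/* Assumed layout of the escape buffer: a count followed by the entries. */
struct escape {
    uint32_t size;                        /* entry count, user controlled */
    uint32_t data[];
};

static uint32_t global_array[GLOBAL_SLOTS];
static uint32_t g_saved_size;
/* escape_len is the byte length of the caller's buffer as the driver knows
 * it (the escape header length). Returns 0 on success, -1 if rejected. */
int handle_escape(struct escape *escape, size_t escape_len)
{
    if (escape == NULL || escape_len < sizeof(*escape))
        return -1;
    size_t max_in_buf = (escape_len - sizeof(*escape)) / sizeof(uint32_t);

    if (g_saved_size) {
        /* Read-back path: the saved count was checked against the global
         * array when stored, but must also fit the buffer handed to us now. */
        if (g_saved_size > max_in_buf)
            return -1;
        escape->size = g_saved_size;
        memcpy(escape->data, &global_array[DATA_OFFSET],
               g_saved_size * sizeof(uint32_t));
        return 0;
    }
    /* Store path: the count must fit both the caller's buffer (no read past
     * the pool allocation) and the global array (no global overflow). */
    if (escape->size > max_in_buf || escape->size > MAX_ENTRIES)
        return -1;
    memcpy(&global_array[DATA_OFFSET], escape->data,
           escape->size * sizeof(uint32_t));
    g_saved_size = escape->size;
    return 0;
}

void reset_escape_state(void)             /* helper so callers start clean */
{
    memset(global_array, 0, sizeof(global_array));
    g_saved_size = 0;
}
```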
A PoC is attached that should cause a crash (Win 10 x64, 372.54):
```
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
buffer overrun.
Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
```
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40666.zip