Vulners
Lucene search
NVIDIA Driver - Missing Bounds Check in Escape 0x100009a Exploit
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2016-8810 | 31 Oct 201600:00 | – | circl |
 | NVIDIA Windows GPU Display Driver Local Elevation of Privilege Vulnerability (CNVD-2016-10568) | 2 Nov 201600:00 | – | cnvd |
 | CVE-2016-8810 | 8 Nov 201620:37 | – | cve |
 | CVE-2016-8810 | 8 Nov 201620:37 | – | cvelist |
 | EUVD-2016-9635 | 7 Oct 202500:30 | – | euvd |
 | NVidia Windows GPU Display Driver Contains Multiple Vulnerabilities in the Kernel Mode Layer - us | 13 Mar 201700:00 | – | lenovo |
 | CVE-2016-8810 | 8 Nov 201620:59 | – | nvd |
 | Security Bulletin: Vulnerabilities in NVIDIA Windows GPU Display Driver and NVIDIA GeForce Experience | 28 Oct 201600:00 | – | nvidia |
 | NVIDIA Windows GPU Display Driver 340.x / 341.x / 342.x < 342.00 / 375.x < 375.63 Multiple Vulnerabilities | 4 Nov 201600:00 | – | nessus |
 | CVE-2016-8810 | 8 Nov 201620:59 | – | osv |
10
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942
The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks:
case 0x100009A:
...
size_0 = escape_data->size_1;
...
size_1 = 2 - (escape_data->unknown < 18);
...
size_2 = escape_data->size_2;
...
total_size = size_0 * size_1 * size_2;
...
if (total_size > 0x10)
do_debug_thingo();
if (total_size) {
DWORD* ptr = alloced_buf + 24;
DWORD* user_buf = escape_data->data;
...
while (total_size) {
*(ptr - 1) = *(user_buf - 1);
*ptr = *user_buf;
...
user_buf += 4;
ptr += 39;
--total_size;
}
There is a check that total_size > 0x10, which calls some kind of a
debug/logging function (do_debug_thingo in my pseudocode), but it does not
actually stop processing of the escape. This leads to buffer overflow on the
allocated pool buffer later on.
Note that there is also a potential integer overflow in the calculation of
|total_size|. Since the individual sizes (size_0, size_1, size_2) appear to be
stored in a struct and eventually passed off to another function, there may be
more problems later on too.
Crashing context with PoC (Win10 x64 with 372.54):
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
...
rax=00000000caa6ed30 rbx=0000000000000000 rcx=ffffc001cd337044
rdx=00000000000f41bd rsi=0000000000000000 rdi=0000000000000000
rip=fffff80102461188 rsp=ffffd000243bbed0 rbp=ffffd000243bbfd0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nvlddmkm!nvDumpConfig+0x12a2b0:
fffff801`02461188 8941fc mov dword ptr [rcx-4],eax ds:ffffc001`cd337040=????????
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40665.zip
# 0day.today [2018-01-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Nov 2016 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.00394