| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2016-8809 | 31 Oct 2016 00:00 | – | circl |
| NVIDIA Windows GPU Display Driver Local Elevation of Privilege Vulnerability (CNVD-2016-10569) | 2 Nov 2016 00:00 | – | cnvd |
| CVE-2016-8809 | 8 Nov 2016 20:37 | – | cve |
| CVE-2016-8809 | 8 Nov 2016 20:37 | – | cvelist |
| EUVD-2016-9634 | 7 Oct 2025 00:30 | – | euvd |
| NVidia Windows GPU Display Driver Contains Multiple Vulnerabilities in the Kernel Mode Layer - us | 13 Mar 2017 00:00 | – | lenovo |
| CVE-2016-8809 | 8 Nov 2016 20:59 | – | nvd |
| Security Bulletin: Vulnerabilities in NVIDIA Windows GPU Display Driver and NVIDIA GeForce Experience | 28 Oct 2016 00:00 | – | nvidia |
| NVIDIA Windows GPU Display Driver 340.x / 341.x / 342.x < 342.00 / 375.x < 375.63 Multiple Vulnerabilities | 4 Nov 2016 00:00 | – | nessus |
| CVE-2016-8809 | 8 Nov 2016 20:59 | – | osv |
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940
The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input.

```c
/* Decompiler output quoted from the report; elided parts are marked "..." */
void sub_8C4304(...) {
...
// escape_->size is controlled by the user.
if ( escape_->size < size )
    size = escape_->size;
// Copies 28 bytes per entry; the count is bounded only by the user-supplied
// field, never by the length of the buffer that was actually validated.
memcpy(escape_->data, v31, 28i64 * size);
...
}
```
Note that this appears to be a common pattern. Normally, before escape handlers are executed, |PrivateDriverDataSize| (from DXGKARG_ESCAPE) is checked to be equal to some value against a hardcoded table. However, some escapes allow a more relaxed check that |PrivateDriverDataSize| >= minimum. This means that the handlers themselves must implement an ad hoc bounds check, which either seems to be missing or implemented incorrectly (relying on a user-specified value) in many cases. Bug 936 is a similar issue and there are likely more. I've noticed (but not confirmed) a few more OOB reads that I haven't reported that follow this same pattern.
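To make the missing check concrete, here is an added illustration (not code from the report or the driver) contrasting the copy length the decompiled handler would use with a hardened variant that bounds the copy by the validated |PrivateDriverDataSize|. The struct layout, `ENTRY_SIZE`, and all function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the escape layout; names are assumptions, not the driver's. */
#define ENTRY_SIZE 28u            /* the 28i64 * size in the decompiled copy */

struct escape_hdr {
    uint32_t size;                /* user-controlled requested entry count */
    uint8_t  data[];              /* variable-size output area that follows */
};

/* Bytes the original handler would copy: min(user size, driver count) entries,
   never consulting the validated buffer length. Returned for comparison only. */
size_t unchecked_copy_len(uint32_t user_size, uint32_t driver_entries)
{
    uint32_t n = user_size < driver_entries ? user_size : driver_entries;
    return (size_t)n * ENTRY_SIZE;
}

/* Hardened check: the copy must fit inside private_size (PrivateDriverDataSize),
   the length the kernel validated; the multiplication is guarded against overflow. */
static bool escape_copy_fits(uint32_t n, size_t private_size, size_t *bytes)
{
    if (private_size < sizeof(struct escape_hdr)) return false;
    size_t avail = private_size - sizeof(struct escape_hdr);
    if (n > avail / ENTRY_SIZE) return false;   /* n * ENTRY_SIZE would exceed avail */
    *bytes = (size_t)n * ENTRY_SIZE;
    return true;
}

/* Returns bytes copied, or -1 when the request does not fit the caller's buffer. */
int handle_escape_fixed(struct escape_hdr *esc, size_t private_size,
                        const uint8_t *src, uint32_t driver_entries)
{
    uint32_t n = esc->size < driver_entries ? esc->size : driver_entries;
    size_t bytes;
    if (!escape_copy_fits(n, private_size, &bytes)) return -1;
    memcpy(esc->data, src, bytes);
    return (int)bytes;
}

/* Constructed harness: a private_size-byte buffer carrying user_size, against a
   driver-side table of driver_entries entries (table contents do not matter here). */
int demo_case(uint32_t user_size, size_t private_size, uint32_t driver_entries)
{
    uint32_t buf[64] = {0};                     /* 256 bytes, 4-byte aligned */
    uint8_t src[ENTRY_SIZE * 8] = {0};
    if (private_size > sizeof buf || driver_entries > 8) return -2;
    struct escape_hdr *esc = (struct escape_hdr *)buf;
    esc->size = user_size;
    return handle_escape_fixed(esc, private_size, src, driver_entries);
}
```

With an 88-byte buffer (room for three entries) and a user-supplied count of 10, the unchecked length is 140 bytes while the hardened handler rejects the request.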
Crashing context with PoC (Win 10 x64 with 372.54):

```text
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
...
rax=ffffd000239d51dc rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffff000e9e6c754 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80166d6aca0 rsp=ffffd000239d3df8 rbp=ffffd000239d3f00
 r8=0000000000000924  r9=000000000000003b r10=000000000000e9ef
r11=ffffd000239d48ac r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac pe cy
nvlddmkm+0x5daca0:
fffff801`66d6aca0 f30f7f40f0      movdqu  xmmword ptr [rax-10h],xmm0 ds:ffffd000`239d51cc=????????????????????????????????
Resetting default scope
```
To reproduce, compile as an x64 executable and run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40664.zip