| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2017-0312 | 15 Feb 2017 00:00 | – | circl |
| NVIDIA Windows GPU Display Driver elevation of privilege vulnerability (CNVD-2017-02195) | 20 Feb 2017 00:00 | – | cnvd |
| CVE-2017-0312 | 15 Feb 2017 23:00 | – | cve |
| CVE-2017-0312 | 15 Feb 2017 23:00 | – | cvelist |
| EUVD-2017-0668 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2017-0312 | 15 Feb 2017 23:59 | – | nvd |
| Security Bulletin: NVIDIA GPU Display Driver contains multiple vulnerabilities in the kernel mode layer handler | 14 Feb 2017 00:00 | – | nvidia |
| NVIDIA Windows GPU Display Driver 375.x < 376.67 / 378.x < 378.52 Multiple Vulnerabilities | 24 Feb 2017 00:00 | – | nessus |
| Design/Logic Flaw | 15 Feb 2017 23:59 | – | prion |

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985
The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the
limit for a loop, leading to OOB reads and writes.
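
The supplied PoC passes an invalid size of 0x41414141, which causes a crash in:

```c
__int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size)
{
    __int64 i;

    if ( user_supplied_size )
    {
        // The user-supplied size is used directly as the loop count;
        // nothing in this listing limits it to the length of the buffer at ptr.
        i = user_supplied_size;
        do
        {
            // Each iteration reads one DWORD and conditionally overwrites it.
            if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 )
                *ptr = 0;
            ptr += 3;   // advance by 3 DWORDs (12 bytes) per iteration
            --i;
        }
        while ( i );
    }
    // (the listing ends here on the page; the rest of the function is not shown)
}
```
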
Crashing context on Win 10 x64, driver version 375.70:

```
TRAP_FRAME: ffffd000266219e0 -- (.trap 0xffffd000266219e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000
rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000
 r8=ffffd000266228a8  r9=0000000041414141 r10=ffffd00026623004
r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x2fa50b:
fffff801`0e34a50b 418b02 mov eax,dword ptr [r10] ds:ffffd000`26623004=????????
```

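
A bounds-checked form of the loop shown above, as an added example (it is not code from the report or from NVIDIA's driver). It assumes the handler knows the real byte length of the user buffer; `sanitize_entries`, `clear_entry_tag`, `buf_bytes` and `claimed_count` are hypothetical names, and the sample buffer in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_DWORDS 3u  /* loop stride in the decompiled code: ptr += 3 */
#define ENTRY_BYTES  (ENTRY_DWORDS * sizeof(uint32_t))

/* Same per-entry rewrite as the decompiled loop: a first DWORD of
 * 3, 9 or 10 is replaced with 0. */
static void clear_entry_tag(uint32_t *entry)
{
    if (entry[0] == 3 || (uint32_t)(entry[0] - 9) <= 1)
        entry[0] = 0;
}

/*
 * buf_bytes     : real length of the caller's buffer (assumed known).
 * claimed_count : entry count taken from user input, untrusted.
 * Returns 0 on success, -1 if the request is rejected untouched.
 */
int sanitize_entries(uint32_t *buf, size_t buf_bytes, uint32_t claimed_count)
{
    if (buf == NULL)
        return -1;
    /* Divide instead of multiplying so the check itself cannot overflow. */
    if (claimed_count > buf_bytes / ENTRY_BYTES)
        return -1;
    for (uint32_t i = 0; i < claimed_count; i++)
        clear_entry_tag(buf + (size_t)i * ENTRY_DWORDS);
    return 0;
}

int main(void)
{
    /* Constructed input: two 3-DWORD entries followed by a canary word. */
    uint32_t buf[7] = {3, 0xAA, 0xBB, 10, 0xCC, 0xDD, 0xDEADBEEF};
    size_t len = 2 * ENTRY_BYTES;

    /* The size used by the PoC is rejected before any access. */
    printf("count 0x41414141 -> %d\n", sanitize_entries(buf, len, 0x41414141u));
    /* A count that fits the buffer is processed normally. */
    printf("count 2          -> %d\n", sanitize_entries(buf, len, 2));
    printf("tags %u %u, canary %#x\n", (unsigned)buf[0], (unsigned)buf[3],
           (unsigned)buf[6]);
    return 0;
}
```
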
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41364.zip
# 0day.today [2018-01-03] #