Microsoft Hyper-V/RemoteFX: CVE-2020-1041
An exploitable pointer corruption vulnerability exists in Intel’s IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can corrupt a pointer, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as demonstrated previously in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.
Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1041)
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-590: Free of Memory not on the Heap
This vulnerability can be triggered by supplying a malformed vertex shader, leading to a memory corruption in the Intel IGC64 driver (this driver is mapped by the affected component, e.g. VMware’s vmware-vmx.exe).
Example of a pixel shader instruction triggering the bug:
36 00 00 05 22 00 10 00 01 00 00 00 06 00 10 00 03 00 00 00 mov r1.y, r3.xxxx
^^^^^^^^
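As an added illustration that is not part of the advisory, the following Python decodes the SM4/SM5 operand tokens of the instruction shown above and applies the bound check a shader front end needs before a register index is trusted. It assumes a declared temp count (dcl_temps) of 4 and, as a simplification, knows only the mov opcode and plain temp-register operands.

```python
import struct

# Constructed from the advisory's example instruction "mov r1.y, r3.xxxx" (SM4/SM5 DXBC encoding).
SAMPLE_MOV = bytes.fromhex("36000005" "22001000" "01000000" "06001000" "03000000")
OPCODE_NAMES = {0x36: "mov"}          # only the opcode shown on the page; extend as needed
OPERAND_TEMP = 0                      # D3D10_SB_OPERAND_TYPE_TEMP, the r# register file

def _components(tok):
    """Render the mask/swizzle/select encoded in bits [11:4] of an operand token."""
    ncomp, mode = tok & 3, (tok >> 2) & 3
    if ncomp == 3 or (ncomp == 2 and mode == 3):
        raise ValueError("reserved component encoding")
    if ncomp != 2:                     # 0- or 1-component operands carry no selector
        return ""
    if mode == 0:                      # write mask, one bit per component
        return "".join(c for i, c in enumerate("xyzw") if (tok >> (4 + i)) & 1)
    if mode == 1:                      # swizzle, two bits per component
        return "".join("xyzw"[(tok >> (4 + 2 * i)) & 3] for i in range(4))
    return "xyzw"[(tok >> 4) & 3]      # select one component

def decode_operand(dwords, pos, max_temps):
    """Decode the operand at dwords[pos]; returns (text, next_pos) or raises ValueError."""
    tok = dwords[pos]
    if tok >> 31:
        raise ValueError("extended operand tokens are not accepted by this validator")
    comps = _components(tok)
    # operand type [19:12], index dimension [21:20], first index representation [24:22]
    if (tok >> 12) & 0xFF != OPERAND_TEMP or (tok >> 20) & 3 != 1 or (tok >> 22) & 7:
        raise ValueError("only 1-D temp registers with immediate32 indices are accepted here")
    if pos + 1 >= len(dwords):
        raise ValueError("operand index DWORD missing")
    idx = dwords[pos + 1]
    if idx >= max_temps:               # the bound check that turns a corrupted index into a reject
        raise ValueError("temp register r%d exceeds declared dcl_temps %d" % (idx, max_temps))
    return "r%d.%s" % (idx, comps), pos + 2

def validate_instruction(data, max_temps):
    """Decode one SM4/SM5 instruction; returns its disassembly or raises ValueError if malformed."""
    dwords = struct.unpack("<%dI" % (len(data) // 4), data[: len(data) // 4 * 4])
    opcode = dwords[0] if dwords else 0
    name = OPCODE_NAMES.get(opcode & 0x7FF)        # opcode type lives in bits [10:0]
    length = (opcode >> 24) & 0x7F                 # length in DWORDs, opcode token included
    if name is None or length != len(dwords):
        raise ValueError("unknown opcode or length field does not match instruction size")
    operands, pos = [], 1
    while pos < length:
        text, pos = decode_operand(dwords, pos, max_temps)
        operands.append(text)
    return "%s %s" % (name, ", ".join(operands))
```

Running `validate_instruction(SAMPLE_MOV, 4)` yields the page's disassembly, while the same bytes with an out-of-range register index, a bad length field, or a truncated operand are rejected with a ValueError instead of reaching the compiler.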
By corrupting the instruction operands, it is possible to change the pointer which will be used as an argument for the REALLOC function. For example, in this case the return address (written by the call instruction) will be used as an argument for the REALLOC function:
Sample debugger output:
HEAP[POC_EXEC11_VENDOR_ONLY.exe]: Invalid address specified to RtlValidateHeap( 000001793A680000, 00007FFC713341A3 )
(1c14.f00): Break instruction exception - code 80000003 (first chance)
ntdll!RtlpBreakPointHeap+0x16:
00007ffc`838a63b6 cc int 3
0:000> u 00007FFC713341A3
igc64!OpenCompiler12+0x2ca13:
00007ffc`713341a3 488d4c2420 lea rcx,[rsp+20h]
00007ffc`713341a8 e8a3f4ffff call igc64!OpenCompiler12+0x2bec0 (00007ffc`71333650)
00007ffc`713341ad 488b8c24e0000000 mov rcx,qword ptr [rsp+0E0h]
00007ffc`713341b5 4833cc xor rcx,rsp
00007ffc`713341b8 e8d33efaff call igc64!getJITVersion+0x5eb350 (00007ffc`712d8090)
00007ffc`713341bd 488b9c2408010000 mov rbx,qword ptr [rsp+108h]
00007ffc`713341c5 4881c4f0000000 add rsp,0F0h
00007ffc`713341cc 5f pop rdi
Stack trace:
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ffc`838a1622 : 00000000`00000001 00007ffc`839027f0 00000000`00000009 0000021a`dc440000 : ntdll!RtlReportCriticalFailure+0x56
01 00007ffc`838a192a : 00000000`00000009 00007ffc`713341a3 0000021a`dc440000 00000000`00000001 : ntdll!RtlpHeapHandleError+0x12
02 00007ffc`838aa8e9 : 0000021a`dc440000 00000000`00000000 0000021a`dc440000 0000021a`dc440000 : ntdll!RtlpHpHeapHandleError+0x7a
03 00007ffc`837e2e1c : 00000000`00000048 00000000`40000062 00000000`00000001 0000021a`de3ba8b0 : ntdll!RtlpLogHeapFailure+0x45
04 00007ffc`837e2d0a : 00000000`00000000 00000000`00000000 0000021a`00000000 0000003c`a07e7e38 : ntdll!RtlpReAllocateHeapInternal+0xdc
05 00007ffc`712fc94f : 00000000`00000004 00000000`00000004 00000000`00000000 00000000`00000000 : ntdll!RtlReAllocateHeap+0x5a
06 00007ffc`7125f821 : 0000003c`a07edbf8 00007ffc`837e2e7f 0000021a`dc440000 0000003c`40000062 : igc64!getJITVersion+0x60fc0f
07 00007ffc`7133d660 : 0000003c`a07edbf8 0000003c`a07e7ff0 00000000`00000000 0000003c`a07ecb68 : igc64!getJITVersion+0x572ae1
08 00007ffc`7133ce22 : 0000003c`a07e96b8 00000000`40000060 00000000`00000005 00000000`00000050 : igc64!OpenCompiler12+0x35ed0
09 00007ffc`7133437d : 0000003c`a07e96b8 0000003c`a07e8200 00000000`00000009 0000021a`de3b7f00 : igc64!OpenCompiler12+0x35692
0a 00007ffc`71338844 : 00000000`00000000 0000003c`a07e9680 00000000`00000000 0000003c`00000002 : igc64!OpenCompiler12+0x2cbed
0b 00007ffc`713344e3 : 0000021a`de3abf90 0000021a`de3a354c 0000021a`de3a36c8 0000021a`de3a35f4 : igc64!OpenCompiler12+0x310b4
0c 00007ffc`713341a3 : 00000000`00000000 0000021a`de3ad5e0 0000021a`de3abf90 0000021a`de3a3540 : igc64!OpenCompiler12+0x2cd53
0d 00007ffc`7133406f : 0000021a`de3a354c 0000021a`de3a354c 0000021a`de3a354c 0000021a`de3ab690 : igc64!OpenCompiler12+0x2ca13
0e 00007ffc`7130c37a : 0000021a`de3a5e90 0000021a`de3a66c0 0000021a`de3a66c0 0000021a`de3a66c0 : igc64!OpenCompiler12+0x2c8df
0f 00007ffc`7130b6cd : 00000000`00000000 0000021a`de3a4408 0000003c`a07ee510 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
10 00007ffc`7130cbf3 : 0000021a`de3a43d8 00007ffc`75013537 0000021a`de3a4490 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
11 00007ffc`748f7946 : 0000021a`de3a42f0 00000000`00000000 0000021a`de415e70 00000000`00000001 : igc64!OpenCompiler12+0x5463
12 00007ffc`750bb966 : 0000021a`de4213d0 0000021a`de3a3d90 0000021a`de3a5a10 0000003c`a07ee070 : igd10iumd64!OpenAdapter10_2+0x30326
13 00007ffc`7cc28edc : 00000000`00000000 0000021a`de3a3d78 0000021a`de40bf50 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
14 00007ffc`7cc3295f : 0000003c`00000001 0000021a`de415e68 0000021a`de3a3d78 0000021a`de40bf50 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
15 00007ffc`7cc3289a : 0000003c`a07eece0 00007ffc`7cde2388 0000021a`de3a3c10 00000000`0000121c : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
16 00007ffc`7cc1ee58 : 0000021a`de3a3c68 0000003c`a07eece0 0000003c`a07eed10 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
17 00007ffc`7cc2b17d : 00000000`00000000 0000021a`de3a3c10 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xc88
18 00007ffc`7cc2b950 : 0000021a`de3a3c10 00000000`00000009 00000000`00000950 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
19 00007ffc`7cc114f4 : 0000021a`de4050f0 00000000`00000009 0000021a`de3a34b0 0000021a`de405928 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
1a 00007ffc`7cc11463 : 0000021a`de3a34b0 00000000`0000c100 0000003c`a07ef140 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
1b 00007ffc`7cc111e8 : 0000021a`de405928 0000021a`de3a34b0 00000000`00000378 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
1c 00007ff6`9e502593 : 00007ff6`9e575120 00000000`00000000 0000003c`a07ee658 0000003c`a07ef260 : d3d11!CDevice::CreatePixelShader+0x28
1d 00007ff6`9e5042a7 : 00007ff6`9e575258 00000000`00000378 0000021a`de405938 00000000`00000000 : POC_EXEC11+0x2593
1e 00007ff6`9e50c880 : 00000000`00000000 0000021a`dc4a9b54 0000021a`dc481d00 0000021a`00000378 : POC_EXEC11+0x42a7
1f 00007ff6`9e50a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
20 00007ff6`9e50a26c : 00000000`00000000 004f0050`005c0063 00000000`00000000 00310031`00430045 : POC_EXEC11+0xa8cc
21 00007ff6`9e50324a : 0000021a`dc481d00 00000000`00000000 0000021a`dc481d00 0000021a`dc4591b0 : POC_EXEC11+0xa26c
22 00007ff6`9e52f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
23 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
24 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
25 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
Critical error detected c0000374
(3ea0.37e8): Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x56:
00007ffc`838991f2 cc int 3
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.Elapsed.Sec
Value: 113
Key : Analysis.Memory.CommitPeak.Mb
Value: 71
Key : Timeline.OS.Boot.DeltaSec
Value: 193794
Key : Timeline.Process.Start.DeltaSec
Value: 110
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-01-13T09:20:01.470Z
Diff: 470 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-01-13T09:20:01.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-01-13T09:18:11.0Z
Diff: 110000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-01-11T03:30:07.0Z
Diff: 193794000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 55cdb3bc7aae3aedb1ba047e3d2dba6243aad2f9
MODLIST_SHA1_HASH: 6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
ntdll!RtlReportCriticalFailure+56
00007ffc`838991f2 cc int 3
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc838991f2 (ntdll!RtlReportCriticalFailure+0x0000000000000056)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
FAULTING_THREAD: 000037e8
PROCESS_NAME: POC_EXEC11.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJĄTEK} Punkt przerwania Osiągnięto punkt przerwania.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Co najmniej jeden z argumentów jest nieprawidłowy.
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 0000000000000000
WATSON_BKT_PROCSTAMP: 5e1b04b9
WATSON_BKT_MODULE: ntdll.dll
WATSON_BKT_MODSTAMP: 99ca0526
WATSON_BKT_MODOFFSET: f91f2
WATSON_BKT_MODVER: 10.0.18362.418
MODULE_VER_PRODUCT: Microsoft Windows Operating System
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: IAMLEGION
ANALYSIS_SESSION_TIME: 01-13-2020 10:20:01.0470
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 00007ffc838a1622 to 00007ffc838991f2
THREAD_SHA1_HASH_MOD_FUNC: a348013f73e28faeecd5caf67b12edc8d29b3900
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3b90219497e4238a73ec7153d08fbe56e59e8a48
OS_LOCALE: PLK
BUGCHECK_STR: BREAKPOINT_ACTIONABLE_InvalidArgument
DEFAULT_BUCKET_ID: BREAKPOINT_ACTIONABLE_InvalidArgument
PRIMARY_PROBLEM_CLASS: BREAKPOINT
PROBLEM_CLASSES:
ID: [0n321]
Type: [@APPLICATION_FAULT_STRING]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Omit
Data: Add
String: [BREAKPOINT]
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
ID: [0n261]
Type: [ACTIONABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Add
String: [InvalidArgument]
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
STACK_TEXT:
00000000`00000000 00000000`00000000 heap_corruption!POC_EXEC11.exe+0x0
THREAD_SHA1_HASH_MOD: ca4e26064d24ef7512d2e94de5a93c38dbe82fe9
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: heap_corruption!POC_EXEC11.exe
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 200581fbb50 ** ; kb
BUCKET_ID: BREAKPOINT_ACTIONABLE_InvalidArgument_heap_corruption!POC_EXEC11.exe
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: heap_corruption
BUCKET_ID_IMAGE_STR: heap_corruption
FAILURE_MODULE_NAME: heap_corruption
BUCKET_ID_MODULE_STR: heap_corruption
FAILURE_FUNCTION_NAME: POC_EXEC11.exe
BUCKET_ID_FUNCTION_STR: POC_EXEC11.exe
BUCKET_ID_OFFSET: 0
BUCKET_ID_MODTIMEDATESTAMP: 0
BUCKET_ID_MODCHECKSUM: 0
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: BREAKPOINT_ACTIONABLE_InvalidArgument_
FAILURE_PROBLEM_CLASS: BREAKPOINT
FAILURE_SYMBOL_NAME: heap_corruption!POC_EXEC11.exe
FAILURE_BUCKET_ID: BREAKPOINT_ACTIONABLE_InvalidArgument_80000003_heap_corruption!POC_EXEC11.exe
TARGET_TIME: 2020-01-13T09:21:55.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 1bc28
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:breakpoint_actionable_invalidargument_80000003_heap_corruption!poc_exec11.exe
FAILURE_ID_HASH: {a2b58f14-d43c-21d5-b07d-770a03a2bc68}
Followup: MachineOwner
---------
2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release
Discovered by Piotr Bania of Cisco Talos.