Talos Vulnerability Report

TALOS-2020-0982

Intel IGC64.DLL Shader Functionality HeapReAlloc code execution vulnerability

July 14, 2020
CVE Number

Microsoft Hyper-V/RemoteFX: CVE-2020-1042

Summary

An exploitable double free vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted geometry shader causes a heap block to be freed twice, which can lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. It could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) to perform a guest-to-host escape, as was demonstrated previously in TALOS-2018-0533, TALOS-2018-0568, etc. In theory the vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.

Tested Versions

Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1042)

Product URLs

http://intel.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

This vulnerability can be triggered by supplying a malformed geometry shader, leading to a double free in Intel's IGC64 driver (the DLL is loaded into the process of the affected component, e.g. VMware's vmware-vmx.exe).

In the specially crafted geometry shader, the operands of a mov instruction (a shader model bytecode instruction) are malformed. While compiling this shader, IGC64 frees a heap block and later passes the already freed memory to HeapReAlloc, which triggers the following exception:

**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Heap address:  0000021f26910000
Error address: 0000021f28806ef0
Error type: HEAP_FAILURE_BLOCK_NOT_BUSY
Details:    The caller performed an operation (such as a free
			or a size check) that is illegal on a free block.
Follow-up:  Check the error's stack trace to find the culprit.

0:005> !heap -x 0000021f28806ef0
Failed to read heap keySEGMENT HEAP ERROR: failed to initialize the extention
List corrupted: (Blink->Flink = 0000021f26910150) != (Block = 0000021f28824ed0)
HEAP 0000021f26910000 (Seg 0000021f28760000) At 0000021f28824ec0 Error: block list entry corrupted

Where memory at 0000021f28824ec0:

0:005> db 0000021f28824ec0
0000021f`28824ec0  ee fe ee fe ee fe ee fe-10 3a 04 2e cf 92 0d 00  .........:......
0000021f`28824ed0  50 01 91 26 1f 02 00 00-e0 be 81 28 1f 02 00 00  P..&.......(....
0000021f`28824ee0  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0000021f`28824ef0  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0000021f`28824f00  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0000021f`28824f10  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0000021f`28824f20  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0000021f`28824f30  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................

The 0xFEEEFEEE pattern is what the Windows heap manager writes into a block when it is freed with heap free checking enabled (NtGlobalFlag is 0x70 in the analysis below: tail checking, free checking and parameter validation), so this region had already been freed before the pointer reached HeapReAlloc. The block is released once and then treated as live a second time, hence the HEAP_FAILURE_BLOCK_NOT_BUSY report and the DOUBLE_FREE bucket: a use of freed memory (CWE-416) that manifests as a double free. Without free checking the block would simply be reused and the stale pointer would corrupt whatever replaced it, with none of the clean error seen here.
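To make the heap manager's verdict concrete, the following is an added example in portable C; it is not Talos's proof of concept and not Intel's code. It is a small shadow-tracking allocator that models the two behaviours of the Windows debug heap visible in the dump above: filling a freed block with 0xFEEEFEEE, and refusing to reallocate or free a block that is no longer busy. The function names (tracked_alloc, tracked_realloc, replay_free_then_realloc) and the sizes are the example's own and carry no relation to the crashing shader.

```c
/* Added example, not code from the advisory or from Intel: a shadow-tracking
 * allocator that mimics the NT debug heap's free-fill and "block not busy"
 * check, so the realloc-after-free sequence from the crash can be replayed
 * safely on any platform. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 64
#define FREED_FILL 0xFEEEFEEEu  /* fill pattern the NT debug heap writes on free */

enum heap_status {
    HEAP_OK = 0,
    HEAP_BLOCK_NOT_BUSY,  /* models HEAP_FAILURE_BLOCK_NOT_BUSY */
    HEAP_UNKNOWN_BLOCK,
    HEAP_NO_MEMORY
};

struct block { void *ptr; size_t size; int busy; };

static struct block g_blocks[MAX_BLOCKS];  /* shadow table: one entry per allocation */
static size_t g_nblocks;

static struct block *find_block(const void *p) {
    for (size_t i = 0; i < g_nblocks; i++)
        if (g_blocks[i].ptr == p) return &g_blocks[i];
    return NULL;
}

/* Overwrite a block with FREED_FILL, little-endian: ee fe ee fe ... as in the db dump. */
static void fill_pattern(void *p, size_t size) {
    unsigned char *c = p;
    for (size_t i = 0; i < size; i++)
        c[i] = (unsigned char)(FREED_FILL >> (8 * (i % 4)));
}

/* Returns 1 if the first n bytes of p carry the freed-block pattern, else 0. */
int freed_block_has_pattern(const void *p, size_t n) {
    const unsigned char *c = p;
    for (size_t i = 0; i < n; i++)
        if (c[i] != (unsigned char)(FREED_FILL >> (8 * (i % 4)))) return 0;
    return 1;
}

void *tracked_alloc(size_t size) {
    if (g_nblocks == MAX_BLOCKS) return NULL;
    void *p = malloc(size ? size : 1);
    if (!p) return NULL;
    g_blocks[g_nblocks++] = (struct block){ p, size, 1 };
    return p;
}

/* Freed memory is quarantined (never handed back to libc), so reading it
 * afterwards is well defined here; the debug heap gives the same visibility
 * by filling the block before anything else can reuse it. */
enum heap_status tracked_free(void *p) {
    struct block *b = find_block(p);
    if (!b) return HEAP_UNKNOWN_BLOCK;
    if (!b->busy) return HEAP_BLOCK_NOT_BUSY;  /* second free of the same block */
    fill_pattern(b->ptr, b->size);
    b->busy = 0;
    return HEAP_OK;
}

/* Counterpart of HeapReAlloc: refuses a block that is no longer busy. */
void *tracked_realloc(void *p, size_t size, enum heap_status *status) {
    struct block *b = find_block(p);
    if (!b) { *status = HEAP_UNKNOWN_BLOCK; return NULL; }
    if (!b->busy) { *status = HEAP_BLOCK_NOT_BUSY; return NULL; }
    void *np = realloc(b->ptr, size ? size : 1);
    if (!np) { *status = HEAP_NO_MEMORY; return NULL; }
    b->ptr = np;
    b->size = size;
    *status = HEAP_OK;
    return np;
}

/* The sequence the advisory describes: a block is freed once and the stale
 * pointer is then passed to the realloc routine. Returns the heap's verdict. */
enum heap_status replay_free_then_realloc(void) {
    enum heap_status st;
    void *buf = tracked_alloc(64);      /* arbitrary demo size */
    if (!buf) return HEAP_NO_MEMORY;
    tracked_free(buf);                  /* first, legitimate free */
    tracked_realloc(buf, 128, &st);     /* stale pointer reaches realloc */
    return st;
}

int main(void) {
    enum heap_status st = replay_free_then_realloc();
    printf("realloc of freed block -> %s\n",
           st == HEAP_BLOCK_NOT_BUSY ? "HEAP_BLOCK_NOT_BUSY" : "unexpected status");
    return st == HEAP_BLOCK_NOT_BUSY ? 0 : 1;
}
```

Compile with any C99 compiler. The point for a fix in the compiler is the same discipline the shadow table enforces: whichever code path frees the buffer must also clear or retire every reference to it, so nothing downstream can hand the stale pointer to HeapReAlloc. A release heap without free checking performs neither the fill nor the busy check, which is why this bug surfaces as a clean heap error under a debugger but as silent corruption in production.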

Stack trace:

0:005> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`838a1622 : 00000000`00000098 00007ffc`839027f0 00000000`00000008 00000279`ec550000 : ntdll!RtlReportCriticalFailure+0x56
01 00007ffc`838a192a : 00000000`00000008 00000279`edfd5800 00000279`ec550000 00000279`ec550000 : ntdll!RtlpHeapHandleError+0x12
02 00007ffc`838aa8e9 : 00000279`ec550000 00000000`00000000 00000000`00000001 00000279`edff1f10 : ntdll!RtlpHpHeapHandleError+0x7a
03 00007ffc`837e2e1c : 00000279`ec550000 00000000`40000062 00000000`00000098 00000279`edff1f10 : ntdll!RtlpLogHeapFailure+0x45
04 00007ffc`837e2d0a : 00000279`edff1df0 00007ffc`7135f8bb 00000000`00000000 00000000`40000060 : ntdll!RtlpReAllocateHeapInternal+0xdc
05 00007ffc`712fc94f : 00000000`00002798 00000000`00000008 00000000`00000000 00000279`40000062 : ntdll!RtlReAllocateHeap+0x5a
06 00007ffc`7125f821 : 00000081`e79ff838 00000000`00000000 00000081`e79f9c19 00007ffc`7136f19b : igc64!getJITVersion+0x60fc0f
07 00007ffc`7133d387 : 00000081`e79fb368 00000081`e79f9ca0 00000000`00000000 00000000`00000050 : igc64!getJITVersion+0x572ae1
08 00007ffc`7133437d : 00000081`e79fb368 00000000`00000000 00000000`00000009 00000279`edff00d0 : igc64!OpenCompiler12+0x35bf7
09 00007ffc`71338844 : 00000000`00000000 00000081`e79fb330 00000000`00000001 00000081`00000000 : igc64!OpenCompiler12+0x2cbed
0a 00007ffc`713344e3 : 00000279`edfd39a0 00000000`00000000 00000279`edfd3dd4 00000279`edfd3a30 : igc64!OpenCompiler12+0x310b4
0b 00007ffc`713341a3 : 00000000`00000000 00000279`edfde710 00000279`edfd39a0 00000000`00000004 : igc64!OpenCompiler12+0x2cd53
0c 00007ffc`7133406f : 00000279`edfd39a0 00000279`edfd39a0 00000279`edfd39a0 00000279`edfdc850 : igc64!OpenCompiler12+0x2ca13
0d 00007ffc`7130e2ab : 00000279`edfdc850 00000279`edfd5890 00000279`edfd2320 00000279`edfd2320 : igc64!OpenCompiler12+0x2c8df
0e 00007ffc`7130af91 : 00000279`edfd2320 00000279`edf81ef0 00000279`edfd2358 00000000`00000010 : igc64!OpenCompiler12+0x6b1b
0f 00007ffc`7130cb63 : 00000000`00000000 00007ffc`75035782 00000000`00000801 00000000`00000000 : igc64!OpenCompiler12+0x3801
10 00007ffc`749b2f63 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000800 : igc64!OpenCompiler12+0x53d3
11 00007ffc`749b0f3d : 00000000`00000000 00007ffc`80ad5d9f 00000279`edfbb5a0 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0xeb943
12 00007ffc`748f5187 : 00000279`edfd4068 00000000`00000000 00000279`edf83300 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0xe991d
13 00007ffc`75028d50 : 00000000`00000000 00000000`00000000 00000279`edfd40a0 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x2db67
14 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x761730
15 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
16 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

0:005> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 1

	Key  : Analysis.Elapsed.Sec
	Value: 74

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 72

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 202245

	Key  : Timeline.Process.Start.DeltaSec
	Value: 3740


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-01-13T11:40:52.32Z
	Diff: 32 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-01-13T11:40:52.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-01-13T10:38:32.0Z
	Diff: 3740000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-01-11T03:30:07.0Z
	Diff: 202245000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

MODLIST_WITH_TSCHKSUM_HASH:  72b14d4437af6d09da2d9fe2a592f06ddf20b1ca

MODLIST_SHA1_HASH:  6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+56
00007ffc`838991f2 cc              int     3

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc838991f2 (ntdll!RtlReportCriticalFailure+0x0000000000000056)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

FAULTING_THREAD:  00003184

PROCESS_NAME:  POC_EXEC11.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  0000000000000000

WATSON_BKT_PROCSTAMP:  5e1b04b9

WATSON_BKT_MODULE:  ntdll.dll

WATSON_BKT_MODSTAMP:  99ca0526

WATSON_BKT_MODOFFSET:  f91f2

WATSON_BKT_MODVER:  10.0.18362.418

MODULE_VER_PRODUCT:  Microsoft Windows Operating System

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_HOST:  IAMLEGION

ANALYSIS_SESSION_TIME:  01-13-2020 12:40:52.0032

ANALYSIS_VERSION: 10.0.18914.1001 amd64fre

THREAD_ATTRIBUTES: 
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Heap_Error_Type] from Frame:[0] on thread:[PSEUDO_THREAD] ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 00007ffc838a1622 to 00007ffc838991f2

THREAD_SHA1_HASH_MOD_FUNC:  7f15800cda6f8d6507ab572a70f10ce85127d952

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  32d1b00defaa02b465d15475e9e33a9a77bcd3fa

OS_LOCALE:  PLK

BUGCHECK_STR:  HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

PROBLEM_CLASSES: 

	ID:     [0n261]
	Type:   [ACTIONABLE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Add
			String: [BlockNotBusy]
	PID:    [0x2cb4]
	TID:    [0x3184]
	Frame:  [3] : ntdll!RtlpLogHeapFailure

	ID:     [0n262]
	Type:   [HEAP_CORRUPTION]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0x2cb4]
	TID:    [0x3184]
	Frame:  [3] : ntdll!RtlpLogHeapFailure

	ID:     [0n260]
	Type:   [DOUBLE_FREE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0x2cb4]
	TID:    [0x3184]
	Frame:  [3] : ntdll!RtlpLogHeapFailure

STACK_TEXT:  
00000000`00000000 00000000`00000000 igc64!getJITVersion+0x0


THREAD_SHA1_HASH_MOD:  21353c7cdde59d4a15ad29c23f4db57c58172e87

FOLLOWUP_IP: 
igc64!getJITVersion+0
00007ffc`70cecd40 c70103000000    mov     dword ptr [rcx],3

FAULT_INSTR_CODE:  301c7

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  igc64!getJITVersion+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: igc64

IMAGE_NAME:  igc64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5ddcfccd

STACK_COMMAND:  !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 23be4afef80 ** ; kb

BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_igc64!getJITVersion+0

FAILURE_EXCEPTION_CODE:  80000003

FAILURE_IMAGE_NAME:  igc64.dll

BUCKET_ID_IMAGE_STR:  igc64.dll

FAILURE_MODULE_NAME:  igc64

BUCKET_ID_MODULE_STR:  igc64

FAILURE_FUNCTION_NAME:  getJITVersion

BUCKET_ID_FUNCTION_STR:  getJITVersion

BUCKET_ID_OFFSET:  0

BUCKET_ID_MODTIMEDATESTAMP:  5ddcfccd

BUCKET_ID_MODCHECKSUM:  2450ddb

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_

FAILURE_PROBLEM_CLASS:  HEAP_CORRUPTION

FAILURE_SYMBOL_NAME:  igc64.dll!getJITVersion

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_80000003_igc64.dll!getJITVersion

TARGET_TIME:  2020-01-13T11:42:06.000Z

OSBUILD:  18362

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  1216f

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:heap_corruption_actionable_blocknotbusy_double_free_80000003_igc64.dll!getjitversion

FAILURE_ID_HASH:  {472f4ddc-a1d3-ba89-93bd-3638df38933a}

Followup:     MachineOwner
---------

Timeline

2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.