CVE-2022-28182
A memory corruption vulnerability exists in the shader DCL_RESOURCE_STRUCTURED functionality of NVIDIA D3D10 Driver, version 496.76, 30.0.14.9676. A specially-crafted executable/shader file can lead to an out-of-bounds write. This vulnerability potentially could be triggered from guest machines running virtualization environments (i.e. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape, as it was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly).
NVIDIA D3D10 Driver 496.76, 30.0.14.9676
D3D10 Driver - https://nvidia.com
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
NVIDIA Graphics drivers is software for NVIDIA Graphics GPU installed on the PC. It is used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.
We were able to trigger this vulnerability from HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). While the RemoteFX was recently deprecated by Microsoft some older machines may still use this software (for example, those running an older version of Windows Server).
This vulnerability can be triggered by supplying a malformed compute shader. This leads to a memory corruption problem in NVIDIA driver.
Example of compute shader triggering the bug:
cs_5_0
dcl_global_flags refactoringAllowed
dcl_constant_buffer cb0[2].xyzw, immediateIndexed
dcl_resource_structured resource[-858993460]
...
By modifying the dcl_resource_structured opcode operands, an attacker is able to trigger a memory corruption vulnerability in the NVIDIA graphics driver.
The attacker can partially control the destination address by modifying the shader’s bytecode.
00007FFAF45B1DA9 | 49:6BFF 34 | imul rdi,r15,34 |
00007FFAF45B1DAD | 0F1000 | movups xmm0,xmmword ptr ds:[rax] |
00007FFAF45B1DB0 | 8B8424 A8000000 | mov eax,dword ptr ss:[rsp+A8] |
00007FFAF45B1DB7 | 44:8BBC24 A0000000 | mov r15d,dword ptr ss:[rsp+A0] |
00007FFAF45B1DBF | 0F114439 04 | movups xmmword ptr ds:[rcx+rdi+4],xmm0 |
R15 register above is based on the data from the shader file. It is later used for calculating a memory destination address used by the movups instruction.
The attacker can control the memory write address.
nvwgf2umx+0x71dbf:
00007ffa`f45b1dbf 0f11443904 movups xmmword ptr [rcx+rdi+4],xmm0 ds:00000209`6f87b0f4=????????????????????????????????
Stack trace:
0:012> kb
# RetAddr : Args to Child : Call Site
00 00007ffa`f4a6c47e : 00000000`cccccccc 00000000`00000001 00000213`d60cbc90 00007ffb`00000000 : nvwgf2umx+0x71dbf
01 00007ffa`f4872fff : 00007ffa`f48b8a48 0000005b`8473f280 00000213`d60cbc90 00000000`d3fb0000 : nvwgf2umx!NVDEV_Thunk+0x24883e
02 00007ffa`f4871cf3 : 00000000`d3fb00a2 0000005b`8473f280 00000000`d3fb00a2 00000213`d60eede0 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
03 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 00000213`d5ee2290 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
04 00007ffa`f45fc686 : 00000213`d60eede0 00000213`d60ad2d0 00000213`d60ad2e0 00000000`00000000 : nvwgf2umx+0xbb0b0
05 00007ffa`f49908e5 : 00000000`00000000 00000213`d60aaf20 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
06 00007ffa`f4990698 : 00000000`00000000 00000213`d6040c80 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
07 00007ffa`f4aaf87c : 00000213`d5fb8bc0 00000000`00000000 00000213`d5fb8bc0 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
08 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 00000213`d609f680 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
09 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0a 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0b 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on IAMLEGION
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 42
Key : Analysis.Memory.CommitPeak.Mb
Value: 79
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 364352
Key : Timeline.Process.Start.DeltaSec
Value: 61
NTGLOBALFLAG: 470
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffaf45b1dbf (nvwgf2umx+0x0000000000071dbf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000002096f87b0f4
Attempt to write to address 000002096f87b0f4
FAULTING_THREAD: 000036a8
PROCESS_NAME: POC_EXEC11.exe
WRITE_ADDRESS: 000002096f87b0f4
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si do pami ci pod adresem 0x%p. Pami nie mo e by %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000002096f87b0f4
STACK_TEXT:
0000005b`8473ec60 00007ffa`f4a6c47e : 00000000`cccccccc 00000000`00000001 00000213`d60cbc90 00007ffb`00000000 : nvwgf2umx+0x71dbf
0000005b`8473ece0 00007ffa`f4872fff : 00007ffa`f48b8a48 0000005b`8473f280 00000213`d60cbc90 00000000`d3fb0000 : nvwgf2umx!NVDEV_Thunk+0x24883e
0000005b`8473ed50 00007ffa`f4871cf3 : 00000000`d3fb00a2 0000005b`8473f280 00000000`d3fb00a2 00000213`d60eede0 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
0000005b`8473f200 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 00000213`d5ee2290 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
0000005b`8473f2c0 00007ffa`f45fc686 : 00000213`d60eede0 00000213`d60ad2d0 00000213`d60ad2e0 00000000`00000000 : nvwgf2umx+0xbb0b0
0000005b`8473f3c0 00007ffa`f49908e5 : 00000000`00000000 00000213`d60aaf20 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
0000005b`8473f830 00007ffa`f4990698 : 00000000`00000000 00000213`d6040c80 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
0000005b`8473f940 00007ffa`f4aaf87c : 00000213`d5fb8bc0 00000000`00000000 00000213`d5fb8bc0 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
0000005b`8473f9f0 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 00000213`d609f680 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
0000005b`8473fa40 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0000005b`8473fa70 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000005b`8473faa0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx+71dbf
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~12s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!Unknown
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4468a1dc-4a01-79b1-d906-401b585901d4}
Followup: MachineOwner
---------
2022-01-13 - Vendor Disclosure
2022-05-16 - Public Release
2022-05-16 - Vendor Patch Release
Discovered by Piotr Bania of Cisco Talos.