Talos Vulnerability Report

TALOS-2024-2014

NVIDIA D3D10 Driver Shader Functionality STORE_STRUCTURED instruction out-of-bounds read vulnerability

October 23, 2024
CVE Number

CVE-2024-0120

SUMMARY

An out-of-bounds read vulnerability exists in the shader functionality of the NVIDIA D3D10 Driver 555.99 (32.0.15.5599). A specially crafted executable or shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver 555.99, 32.0.15.5599

PRODUCT URLS

NVIDIA D3D10 Driver - https://nvidia.com

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as demonstrated previously (TALOS-2018-0533, TALOS-2018-0568, etc.). In theory it could also be triggered from a web browser (via WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use it.

To trigger the bug we modified and corrupted the shader bytecode corresponding to the "STORE_STRUCTURED" instruction (random-access write of 1-4 32-bit components into a structured buffer unordered access view (UAV)).

This leads to an out-of-bounds memory read:

00007FF9EDABBF91 | 41:8B45 28               | mov eax,dword ptr ds:[r13+28]           |
00007FF9EDABBF95 | 8D5F 04                  | lea ebx,qword ptr ds:[rdi+4]            |
00007FF9EDABBF98 | 49:8B4E 20               | mov rcx,qword ptr ds:[r14+20]           |
00007FF9EDABBF9C | 44:8BC8                  | mov r9d,eax                             |
00007FF9EDABBF9F | 894424 70                | mov dword ptr ss:[rsp+70],eax           |
00007FF9EDABBFA3 | 44:8BC7                  | mov r8d,edi                             |
00007FF9EDABBFA6 | 4C:8B91 E0020000         | mov r10,qword ptr ds:[rcx+2E0]          |
00007FF9EDABBFAD | 45:0FB71C42              | movzx r11d,word ptr ds:[r10+rax*2]      | *

The source memory address is computed from the shader bytecode: the RAX register holds a value taken directly from the bytecode, which is then used as an index (scaled by 2) into a table whose base is in R10. In the register dump below, rax=0xbbddddcc and r10=0x000002c0afd739c0, and 0x2c0afd739c0 + 0xbbddddcc * 2 = 0x2c22792f558, which is exactly the faulting address. Since the index is attacker controlled and not validated, an attacker can modify the shader bytecode to force nvwgf2umx.dll to read from an arbitrary memory region relative to that table.
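To make concrete what "modifying the shader bytecode" involves, the following C program is an added example (ours, not the Talos proof of concept) that walks a DXBC container, finds the SHEX/SHDR shader-code chunk, steps over the opcode tokens (including CUSTOMDATA blocks, whose length lives in the second DWORD rather than in the opcode token) and reports every STORE_STRUCTURED instruction together with the type, first immediate index or literal, and byte offset of each operand, which is what a fuzzer needs in order to know where to corrupt. The token layouts and the numeric opcode/operand constants (STORE_STRUCTURED = 167, CUSTOMDATA = 53, IMMEDIATE32 = 4, UNORDERED_ACCESS_VIEW = 30) are assumptions taken from d3d11TokenizedProgramFormat.hpp and should be checked against your SDK copy. The sample container is hand-assembled, with a zero hash, so it is parser input only and not a shader a runtime would load.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants assumed from d3d11TokenizedProgramFormat.hpp; verify against your SDK copy. */
#define OPCODE_CUSTOMDATA        53
#define OPCODE_STORE_STRUCTURED  167
#define OPTYPE_IMMEDIATE32       4
#define OPTYPE_IMMEDIATE64       5

typedef struct {
    uint32_t instr_off;     /* byte offset of the opcode token within the blob */
    uint32_t n_operands;
    uint32_t op_type[4];    /* D3D10_SB_OPERAND_TYPE of each operand (30 = u#, 0 = r#, 4 = literal) */
    uint32_t op_index0[4];  /* first immediate index or literal component, 0xFFFFFFFF if none */
    uint32_t op_off[4];     /* byte offset of each operand's header token, for patching */
} store_hit_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Decodes one operand; returns DWORDs consumed, or 0 if it would run past the instruction. */
static uint32_t parse_operand(const uint8_t *p, uint32_t avail, uint32_t *type, uint32_t *index0)
{
    if (avail < 1) return 0;
    uint32_t hdr = rd32(p), pos = 1;
    for (uint32_t t = hdr; t & 0x80000000u; ) {   /* extended operand tokens (modifiers) */
        if (pos >= avail) return 0;
        t = rd32(p + 4 * pos++);
    }
    uint32_t ncomp = hdr & 3, dims = (hdr >> 20) & 3;
    *type = (hdr >> 12) & 0xFF;
    *index0 = 0xFFFFFFFFu;
    if (*type == OPTYPE_IMMEDIATE32 || *type == OPTYPE_IMMEDIATE64) {
        uint32_t words = (ncomp == 2) ? 4 : 1;      /* 4-component or scalar literal */
        if (*type == OPTYPE_IMMEDIATE64) words *= 2;
        if (words > avail - pos) return 0;
        *index0 = rd32(p + 4 * pos);
        return pos + words;
    }
    for (uint32_t i = 0; i < dims; i++) {           /* index representation bits: [24:22], [27:25], [30:28] */
        uint32_t rep = (hdr >> (22 + 3 * i)) & 7, imm = 0, sub_t, sub_i, sub;
        if (rep == 0 || rep == 3) imm = 1;          /* IMMEDIATE32 [+ RELATIVE] */
        else if (rep == 1 || rep == 4) imm = 2;     /* IMMEDIATE64 [+ RELATIVE] */
        else if (rep != 2) return 0;                /* 2 = RELATIVE only */
        if (imm > avail - pos) return 0;
        if (i == 0 && imm) *index0 = rd32(p + 4 * pos);
        pos += imm;
        if (rep >= 2) {                             /* nested register operand, e.g. u0[r1.x] */
            sub = parse_operand(p + 4 * pos, avail - pos, &sub_t, &sub_i);
            if (sub == 0) return 0;
            pos += sub;
        }
    }
    return pos;
}

/* Walks the opcode tokens of a SHDR/SHEX chunk; returns hits found, or -1 on malformed encoding. */
static int scan_shader_chunk(const uint8_t *chunk, uint32_t size, uint32_t base_off,
                             store_hit_t *hits, int max_hits)
{
    uint32_t n = size / 4;
    if (n < 2 || rd32(chunk + 4) > n) return -1;    /* [0] = version token, [1] = length in DWORDs */
    n = rd32(chunk + 4);
    int count = 0;
    for (uint32_t pos = 2; pos < n; ) {
        uint32_t tok = rd32(chunk + 4 * pos), opcode = tok & 0x7FF, len = (tok >> 24) & 0x7F;
        if (opcode == OPCODE_CUSTOMDATA) {           /* total length lives in the next DWORD */
            if (pos + 1 >= n) return -1;
            len = rd32(chunk + 4 * (pos + 1));
        }
        if (len == 0 || len > n - pos) return -1;
        if (opcode == OPCODE_STORE_STRUCTURED && count < max_hits) {
            store_hit_t *h = &hits[count++];
            memset(h, 0, sizeof *h);
            h->instr_off = base_off + 4 * pos;
            uint32_t q = pos;
            while (rd32(chunk + 4 * q) & 0x80000000u)  /* skip extended opcode tokens */
                if (++q >= pos + len) return -1;
            for (q++; q < pos + len && h->n_operands < 4; ) {
                uint32_t k = h->n_operands, used;
                used = parse_operand(chunk + 4 * q, pos + len - q, &h->op_type[k], &h->op_index0[k]);
                if (used == 0) return -1;
                h->op_off[k] = base_off + 4 * q;
                h->n_operands++;
                q += used;
            }
        }
        pos += len;
    }
    return count;
}

/* Walks the DXBC container header and scans every shader-code chunk. Returns hit count, or -1. */
static int find_store_structured(const uint8_t *blob, size_t blob_len, store_hit_t *hits, int max_hits)
{
    if (blob_len < 32 || memcmp(blob, "DXBC", 4) != 0) return -1;
    uint32_t total = rd32(blob + 24), nchunks = rd32(blob + 28);  /* after 16-byte hash + version */
    if (total > blob_len || nchunks > (blob_len - 32) / 4) return -1;
    int count = 0;
    for (uint32_t i = 0; i < nchunks; i++) {
        uint32_t off = rd32(blob + 32 + 4 * i);
        if (off > blob_len - 8) return -1;
        uint32_t csize = rd32(blob + off + 4);
        if (csize > blob_len - off - 8) return -1;
        if (memcmp(blob + off, "SHEX", 4) == 0 || memcmp(blob + off, "SHDR", 4) == 0) {
            int r = scan_shader_chunk(blob + off + 8, csize, off + 8, hits + count, max_hits - count);
            if (r < 0) return -1;
            count += r;
        }
    }
    return count;
}

/* Constructed sample container (not compiler output): one SHEX chunk holding a customdata block,
 * "mov r0.x, l(0x41)", "store_structured u0.xyzw, l(0x41), l(0), r0.xxxx" and "ret". Zero hash. */
static const uint32_t k_sample[] = {
    0x43425844u, 0, 0, 0, 0, 1, 124, 1, 36,           /* "DXBC", hash, version, size, 1 chunk @36 */
    0x58454853u, 80,                                  /* "SHEX", 80-byte chunk */
    0x00050050u, 20,                                  /* cs_5_0 version token, 20 DWORDs */
    0x00000035u, 3, 0xDEADBEEFu,                      /* customdata block, 3 DWORDs total */
    0x05000036u, 0x00100012u, 0, 0x00004001u, 0x41,   /* mov r0.x, l(0x41) */
    0x090000A7u, 0x0011E0F2u, 0, 0x00004001u, 0x41,   /* store_structured u0.xyzw, l(0x41), */
    0x00004001u, 0, 0x00100006u, 0,                   /*                  l(0), r0.xxxx */
    0x0100003Eu,                                      /* ret */
};

static size_t build_sample_blob(uint8_t *out, size_t cap)
{
    size_t n = sizeof k_sample / sizeof k_sample[0];
    if (cap < 4 * n) return 0;
    for (size_t i = 0; i < n; i++) wr32(out + 4 * i, k_sample[i]);
    return 4 * n;
}

int main(void)
{
    uint8_t blob[256];
    store_hit_t hits[8];
    size_t len = build_sample_blob(blob, sizeof blob);
    int c = find_store_structured(blob, len, hits, 8);
    for (int i = 0; i < c; i++) {
        printf("store_structured at blob+0x%x\n", hits[i].instr_off);
        for (uint32_t k = 0; k < hits[i].n_operands; k++)
            printf("  operand %u: type %u index/literal 0x%x at blob+0x%x\n",
                   k, hits[i].op_type[k], hits[i].op_index0[k], hits[i].op_off[k]);
    }
    return c < 0;
}
```

Every length read from the blob is checked against the enclosing chunk before it is used, so the locator itself does not over-read on a truncated or corrupted container; a patched blob would additionally need its container hash recomputed before a runtime would accept it, which this example does not do.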

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
nvwgf2umx!NVENCODEAPI_Thunk+0x2538d:
00007ff9`edabbfad 450fb71c42      movzx   r11d,word ptr [r10+rax*2] ds:000002c2`2792f558=????
0:014> r
rax=00000000bbddddcc rbx=0000000000000004 rcx=000002c0afd96b60
rdx=000000cbc33bed98 rsi=00000000000000ff rdi=0000000000000000
rip=00007ff9edabbfad rsp=000000cbc33be8c0 rbp=000000cbc33be9c0
 r8=0000000000000000  r9=00000000bbddddcc r10=000002c0afd739c0
r11=000000cbc33bed40 r12=000000cbc33bee98 r13=000000cbc33bed98
r14=000002c0afd95a10 r15=000000cbc33bef18
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nvwgf2umx!NVENCODEAPI_Thunk+0x2538d:
00007ff9`edabbfad 450fb71c42      movzx   r11d,word ptr [r10+rax*2] ds:000002c2`2792f558=????

Crash Information

	0:014> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Read

		Key  : Analysis.CPU.mSec
		Value: 890

		Key  : Analysis.Elapsed.mSec
		Value: 1320

		Key  : Analysis.IO.Other.Mb
		Value: 0

		Key  : Analysis.IO.Read.Mb
		Value: 0

		Key  : Analysis.IO.Write.Mb
		Value: 0

		Key  : Analysis.Init.CPU.mSec
		Value: 499

		Key  : Analysis.Init.Elapsed.mSec
		Value: 33201

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 92

		Key  : Failure.Bucket
		Value: INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

		Key  : Failure.Hash
		Value: {7b367f86-064a-2e05-5dc0-760739d560ad}

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 605523

		Key  : Timeline.Process.Start.DeltaSec
		Value: 33

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Version
		Value: 10.0.19041.1


	NTGLOBALFLAG:  70

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 00007ff9edabbfad (nvwgf2umx!NVENCODEAPI_Thunk+0x000000000002538d)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000000
	   Parameter[1]: 000002c22792f558
	Attempt to read from address 000002c22792f558

	FAULTING_THREAD:  00006124

	PROCESS_NAME:  POC_EXEC11.exe

	READ_ADDRESS:  000002c22792f558 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000000

	EXCEPTION_PARAMETER2:  000002c22792f558

	STACK_TEXT:  
	000000cb`c33be8c0 00007ff9`edca59af     : 00000000`00000000 000000cb`c33bed98 00000000`00000000 00007bf2`020c6a45 : nvwgf2umx!NVENCODEAPI_Thunk+0x2538d
	000000cb`c33bed20 00007ff9`eda9e1cd     : 00007ff9`edae3a94 000000cb`c33bef30 000002c0`afd95a10 00000000`00000001 : nvwgf2umx!NVAPI_Thunk+0x1a5fef
	000000cb`c33bed60 00007ff9`eda9d063     : 00000000`ea2878a0 000000cb`c33bf2a0 00000000`ea2878a7 00000000`ea287877 : nvwgf2umx!NVENCODEAPI_Thunk+0x75ad
	000000cb`c33bf220 00007ff9`ed9984fa     : 00000000`00000000 00000000`00000000 00000000`00000018 000000cb`c33bf6c0 : nvwgf2umx!NVENCODEAPI_Thunk+0x6443
	000000cb`c33bf2d0 00007ff9`ed999b55     : 000002c0`afd72470 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x288ea
	000000cb`c33bf3b0 00007ff9`ee1dc58a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29f45
	000000cb`c33bf690 00007ff9`ee1dc2a8     : 00000000`00000000 000002c0`ade20440 00000000`00000000 000002c0`afe6d458 : nvwgf2umx!NVDEV_Thunk+0x8b17a
	000000cb`c33bf7a0 00007ff9`ee150f73     : 00000000`00000000 00000000`00000000 000002c0`afd722d0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x8ae98
	000000cb`c33bf850 00007ff9`ee150e6f     : 00000000`00000000 000002c0`afd4ac60 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x1210e3
	000000cb`c33bf8a0 00007ff9`ee7be1fe     : 000002c0`afd4ac60 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x120fdf
	000000cb`c33bf8d0 00007ffa`e9637344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!SetDependencyInfo+0x43ad5e
	000000cb`c33bf900 00007ffa`ea2c26b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	000000cb`c33bf930 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


	SYMBOL_NAME:  nvwgf2umx+2538d

	MODULE_NAME: nvwgf2umx

	IMAGE_NAME:  nvwgf2umx.dll

	STACK_COMMAND:  ~14s ; .cxr ; kb

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

	BUCKET_ID_MODPRIVATE: 1

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  32.0.15.5599

	FAILURE_ID_HASH:  {7b367f86-064a-2e05-5dc0-760739d560ad}

	Followup:     MachineOwner
	---------
TIMELINE

2024-07-04 - Vendor Disclosure
2024-10-22 - Vendor Patch Release
2024-10-23 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.