Talos Vulnerability Report

TALOS-2018-0514

Nvidia D3D10 Driver Pixel Shader Heap Memory Corruption Vulnerability

March 28, 2018
CVE Number

CVE-2018-6251

Summary

An exploitable heap memory corruption vulnerability exists in the NVIDIA D3D10 Driver 22.21.13.8607. A specially crafted pixel shader can cause heap memory corruption, resulting in at least a denial of service and potentially code execution. An attacker can provide a specially crafted shader file (in either binary or text form) to trigger this vulnerability. The vulnerability is present in the NVIDIA driver and can be triggered on a regular system as well as from a VMware guest, in which case the VMware host is affected (potentially leading to a VMware crash or a guest-to-host escape).

Tested Versions

NVIDIA nvwgf2umx.dll 22.21.13.8607 (x64) on Windows 10 x64; VMware Workstation 14 (14.0.0 build-6661328) with Windows 10 x64 as the guest VM

Product URLs

http://nvidia.com

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-122: Heap-based Buffer Overflow

Details

This vulnerability can be triggered by supplying a malformed pixel shader (in text or binary form) to the NVIDIA nvwgf2umx.dll driver. Such an attack can be launched from a local machine (user mode), from a VMware guest in user mode (causing memory corruption on the VMware host) or, theoretically, through WebGL from a remote website, assuming the browser does not use ANGLE and somehow passes the malformed shader to the vulnerable NVIDIA driver.

A specifically crafted shader file causes the nvwgf2umx.dll driver to write data beyond the designated heap memory region. This happens in the following code:

.text:000000000018DA7F                 mov     r8d, ebx
.text:000000000018DA82                 lea     rcx, [rdi+28h]  ; rcx = 1st arg ->
.text:000000000018DA82                                         ; [rcx]   = heap buffer
.text:000000000018DA82                                         ; [rcx+8] = index
.text:000000000018DA86                 mov     edx, esi
.text:000000000018DA88                 call    preBUG_BUG
...
.text:000000000025C780 preBUG_BUG
...
.text:000000000025C7A1                 mov     eax, [rbx+8]    ; [rbx+8] -> index
.text:000000000025C7A4                 xor     edx, edx
.text:000000000025C7A6                 imul    rcx, rax, 0B0h  ; rcx = rax * 0xB0
.text:000000000025C7AD                 mov     r8d, 0B0h
.text:000000000025C7B3                 add     rcx, [rbx]      ; rcx = dest heap memory region
.text:000000000025C7B3                                         ; calculated from heap_buffer + (index * 0xB0)
.text:000000000025C7B6                 call    corrupt_1       ; memset(dest, 0, 0xB0) on the calculated region
.text:000000000025C7BB                 mov     eax, [rbx+8]    ; index again
.text:000000000025C7BE                 imul    rcx, rax, 0B0h  ; rcx = index * 0xB0
.text:000000000025C7C5                 mov     rax, [rbx]      ; rax = heap buffer
.text:000000000025C7C8                 mov     dword ptr [rcx+rax], 1  ; second write: dword at heap_buffer + (index * 0xB0)
...
.text:000000000025C83A                 inc     dword ptr [rbx+8] ; inc++
.text:000000000025C83D                 xor     eax, eax
.text:000000000025C83F
.text:000000000025C83F loc_25C83F:                             ; CODE XREF: preBUG_BUG+1B^j
.text:000000000025C83F                                         ; preBUG_BUG+B8^j
.text:000000000025C83F                 mov     rbx, [rsp+38h+arg_0]
.text:000000000025C844                 add     rsp, 30h
.text:000000000025C848                 pop     rdi
.text:000000000025C849                 retn
.text:000000000025C849 preBUG_BUG   endp

Note how the heap destination region is calculated (instructions at 0x025C7A6-0x25C7B3). As you can see, there is an index value that is increased every time the “preBUG_BUG” function is called (instruction at 0x25C83A). This index is multiplied by 0xB0 (imul instruction) and added to the correct heap memory region address. This calculated memory address is used for further write operations.

An attacker can control the number of times this function (preBUG_BUG) will be executed. This is achieved by the structure of the supplied shader itself. Therefore, when the index is high enough, a memory corruption will occur. The memory corruption itself is done through memset(dest, 0, 0xB0) inside a different function, and by single dword memory writes, like at 0x25C7C8. Whether such “limited” control for the attacker is enough to turn this bug into code execution is questionable, but cannot be excluded entirely.

...
before call preBUG_BUG @rcx(=rbx)=0x000001e7efe15fb8 [rcx]=0x000001e7f04321d0 [rcx+8]=0x000001e60000003f
after call preBUG_BUG
before call preBUG_BUG @rcx(=rbx)=0x000001e7efe15fb8 [rcx]=0x000001e7f04321d0 [rcx+8]=0x000001e600000040
after call preBUG_BUG
...
Critical error detected c0000374
(29a8.2cd0): Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x56:
00007ff9`7b80878a cc              int     3
0:014> !heap -v -s
**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Heap address:  000001e606210000
Error address: 000001e7f0434dd0
Last known valid blocks: before - 000001e7f04321c0, after - 000001e7f0436040
Error type:    HEAP_FAILURE_BUFFER_OVERRUN
Details:       The heap manager detected an error whose features are
               consistent with a buffer overrun.
Follow-up:     Enable pageheap.

Stack trace:
                00007ff97b73eea8: ntdll!RtlpFreeHeap+0x00000000000011e8
                00007ff97b736a99: ntdll!RtlFreeHeap+0x0000000000000409
                00007ff93f63f950: nvwgf2umx!NVAPI_Thunk+0x000000000079e920
                00007ff93e8ac489: nvwgf2umx!OpenAdapter12+0x00000000002384f9
                00007ff93e684aef: nvwgf2umx!OpenAdapter12+0x0000000000010b5f
                00007ff93e684d91: nvwgf2umx!OpenAdapter12+0x0000000000010e01
                00007ff93e814091: nvwgf2umx!OpenAdapter12+0x00000000001a0101
                00007ff93f20cba0: nvwgf2umx!NVAPI_Thunk+0x000000000036bb70
                00007ff93f2080b7: nvwgf2umx!NVAPI_Thunk+0x0000000000367087
                00007ff97515ec93: D3D11!CPixelShader::CLS::FinalConstruct+0x0000000000000223
                00007ff9751667b8: D3D11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0x00000000000000c8
                00007ff975165ac5: D3D11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x000000000000016d
                00007ff9751328ac: D3D11!CDevice::CreateLayeredChild+0x0000000000001ffc
                00007ff97514fa78: D3D11!NDXGI::CDevice::CreateLayeredChild+0x0000000000000298
                00007ff97514bb3c: D3D11!NOutermost::CDevice::CreateLayeredChild+0x000000000000025c
                00007ff975135798: D3D11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x000000000000006c


0:014> db 0x000001e7f04321d0+(0x40 * 0xB0)
000001e7`f0434dd0  01 00 00 00 81 00 00 00-82 00 00 00 00 00 00 00  ................
000001e7`f0434de0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434df0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434e00  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434e10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434e20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434e30  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000001e7`f0434e40  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
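As an added illustration (not code from the report, from NVIDIA or from the Talos researcher), the C model below reproduces the indexed write pattern described above beside a bounds-checked version, and carries out the same address arithmetic as the db command (heap_buffer + 0x40 * 0xB0) to show that it lands exactly on the error address the heap manager reported. The slot_table layout, the capacity field and all function names are assumptions; only the 0xB0 slot size and the addresses come from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 0xB0u  /* each preBUG_BUG call fills one 0xB0-byte slot */

/* Mirrors the argument block: [rcx] = heap buffer, [rcx+8] = index.
 * The capacity field is our addition; the vulnerable code has no such bound. */
typedef struct {
    uint8_t *buf;
    uint32_t index;
    uint32_t capacity;   /* number of 0xB0-byte slots buf can hold (assumed) */
} slot_table;

/* Address arithmetic from the report: heap_buffer + index * 0xB0.
 * With heap_buffer = 0x000001e7f04321d0 and index = 0x40 this yields
 * 0x000001e7f0434dd0, the "Error address" in the !heap output. */
uint64_t slot_address(uint64_t heap_buffer, uint32_t index)
{
    return heap_buffer + (uint64_t)index * SLOT_SIZE;
}

/* Model of the vulnerable pattern: the write and the index increment happen
 * without any comparison of index against the size of the allocation. */
static void append_slot_unchecked(slot_table *t)
{
    uint8_t *dst = t->buf + (size_t)t->index * SLOT_SIZE;
    memset(dst, 0, SLOT_SIZE);   /* corrupt_1: memset(dest, 0, 0xB0)      */
    *(uint32_t *)dst = 1;        /* mov dword ptr [rcx+rax], 1            */
    t->index++;                  /* inc dword ptr [rbx+8]                 */
}

/* Hardened pattern: refuse the write once the table is full, so a shader
 * that drives more calls than slots is rejected instead of overrunning. */
bool append_slot_checked(slot_table *t)
{
    if (t->index >= t->capacity)
        return false;
    append_slot_unchecked(t);    /* only reached while index is in bounds */
    return true;
}

/* Drive `requested` appends through the checked path against a table of
 * `capacity` slots; returns how many writes were accepted. */
uint32_t run_checked(uint32_t capacity, uint32_t requested)
{
    slot_table t = { calloc(capacity, SLOT_SIZE), 0, capacity };
    uint32_t accepted = 0;
    if (t.buf == NULL)
        return 0;
    for (uint32_t i = 0; i < requested; i++)
        if (append_slot_checked(&t))
            accepted++;
    free(t.buf);
    return accepted;
}
```
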

Crash Information

(VMware Workstation without gflags set)
0:014> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for K:\tools\vmware\x64\vmware-vmx-debug.exe
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+56
00007ff9`7b80878a cc              int     3

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff97b80878a (ntdll!RtlReportCriticalFailure+0x0000000000000056)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

FAULTING_THREAD:  00002cd0

BUGCHECK_STR:  BREAKPOINT

DEFAULT_BUCKET_ID:  BREAKPOINT

PROCESS_NAME:  vmware-vmx-debug.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  0000000000000000

WATSON_BKT_PROCSTAMP:  59bfca5c

WATSON_BKT_PROCVER:  14.0.0.24051

PROCESS_VER_PRODUCT:  VMware Workstation

WATSON_BKT_MODULE:  ntdll.dll

WATSON_BKT_MODSTAMP:  6dead514

WATSON_BKT_MODOFFSET:  f878a

WATSON_BKT_MODVER:  10.0.16299.192

MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

BUILD_VERSION_STRING:  10.0.16299.15 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  d324a5816e027ccac6c968a73e12862c54588920

MODLIST_SHA1_HASH:  8ff41397b04bf015e5036dd1a59e7c32bdf3a3d2

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  01-11-2018 11:29:29.0242

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

THREAD_ATTRIBUTES: 
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

THREAD_SHA1_HASH_MOD_FUNC:  07047ca36effb8368d08f479e78df03e744877f5

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  532a8d6237e583dd4ba3779a968c9c330867fa53

OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n309]
    Type:   [@APPLICATION_FAULT_STRING]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Omit
    Data:   Add
            String: [BREAKPOINT]
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

PRIMARY_PROBLEM_CLASS:  BREAKPOINT

LAST_CONTROL_TRANSFER:  from 00007ff97b80fd0a to 00007ff97b80878a

STACK_TEXT:  
00000000`00000000 00000000`00000000 heap_corruption!vmware-vmx-debug.exe+0x0


THREAD_SHA1_HASH_MOD:  ca4e26064d24ef7512d2e94de5a93c38dbe82fe9

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  heap_corruption!vmware-vmx-debug.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 1f4ad34ea40 ** ; kb

BUCKET_ID:  BREAKPOINT_heap_corruption!vmware-vmx-debug.exe

FAILURE_EXCEPTION_CODE:  80000003

FAILURE_IMAGE_NAME:  heap_corruption

BUCKET_ID_IMAGE_STR:  heap_corruption

FAILURE_MODULE_NAME:  heap_corruption

BUCKET_ID_MODULE_STR:  heap_corruption

FAILURE_FUNCTION_NAME:  vmware-vmx-debug.exe

BUCKET_ID_FUNCTION_STR:  vmware-vmx-debug.exe

BUCKET_ID_OFFSET:  0

BUCKET_ID_MODTIMEDATESTAMP:  0

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  BREAKPOINT_

FAILURE_PROBLEM_CLASS:  BREAKPOINT

FAILURE_SYMBOL_NAME:  heap_corruption!vmware-vmx-debug.exe

FAILURE_BUCKET_ID:  BREAKPOINT_80000003_heap_corruption!vmware-vmx-debug.exe

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/vmware-vmx-debug.exe/14.0.0.24051/59bfca5c/ntdll.dll/10.0.16299.192/6dead514/80000003/000f878a.htm?Retriage=1

TARGET_TIME:  2018-01-11T10:29:34.000Z

OSBUILD:  16299

OSSERVICEPACK:  15

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  1976-06-22 08:45:20

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.16299.15

ANALYSIS_SESSION_ELAPSED_TIME:  65ea

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:breakpoint_80000003_heap_corruption!vmware-vmx-debug.exe

FAILURE_ID_HASH:  {40137b19-9790-906b-ba12-c68e4e0b8ab9}

Followup:     MachineOwner
---------

0:014> !heap -v -s
**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Heap address:  000001e606210000
Error address: 000001e7f0434dd0
Last known valid blocks: before - 000001e7f04321c0, after - 000001e7f0436040
Error type:    HEAP_FAILURE_BUFFER_OVERRUN
Details:       The heap manager detected an error whose features are
               consistent with a buffer overrun.
Follow-up:     Enable pageheap.

Stack trace:
                00007ff97b73eea8: ntdll!RtlpFreeHeap+0x00000000000011e8
                00007ff97b736a99: ntdll!RtlFreeHeap+0x0000000000000409
                00007ff93f63f950: nvwgf2umx!NVAPI_Thunk+0x000000000079e920
                00007ff93e8ac489: nvwgf2umx!OpenAdapter12+0x00000000002384f9
                00007ff93e684aef: nvwgf2umx!OpenAdapter12+0x0000000000010b5f
                00007ff93e684d91: nvwgf2umx!OpenAdapter12+0x0000000000010e01
                00007ff93e814091: nvwgf2umx!OpenAdapter12+0x00000000001a0101
                00007ff93f20cba0: nvwgf2umx!NVAPI_Thunk+0x000000000036bb70
                00007ff93f2080b7: nvwgf2umx!NVAPI_Thunk+0x0000000000367087
                00007ff97515ec93: D3D11!CPixelShader::CLS::FinalConstruct+0x0000000000000223
                00007ff9751667b8: D3D11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0x00000000000000c8
                00007ff975165ac5: D3D11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x000000000000016d
                00007ff9751328ac: D3D11!CDevice::CreateLayeredChild+0x0000000000001ffc
                00007ff97514fa78: D3D11!NDXGI::CDevice::CreateLayeredChild+0x0000000000000298
                00007ff97514bb3c: D3D11!NOutermost::CDevice::CreateLayeredChild+0x000000000000025c
                00007ff975135798: D3D11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x000000000000006c


                
; standalone app with gflags set (non virtualized environment)

0:007> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
nvwgf2umx!NVAPI_Thunk+77de79
00007ff9`3f61eea9 f3aa            rep stos byte ptr [rdi]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff93f61eea9 (nvwgf2umx!NVAPI_Thunk+0x000000000077de79)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000028d7972f000
Attempt to write to address 0000028d7972f000

FAULTING_THREAD:  000027d4

PROCESS_NAME:  SampleDX10.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000028d7972f000

FOLLOWUP_IP: 
nvwgf2umx!NVAPI_Thunk+77de79
00007ff9`3f61eea9 f3aa            rep stos byte ptr [rdi]

WRITE_ADDRESS:  0000028d7972f000 

WATSON_BKT_PROCSTAMP:  5a560624

WATSON_BKT_MODULE:  nvwgf2umx.dll

WATSON_BKT_MODSTAMP:  5a395c58

WATSON_BKT_MODOFFSET:  fbeea9

WATSON_BKT_MODVER:  22.21.13.8607

MODULE_VER_PRODUCT:  NVIDIA D3D10 drivers

BUILD_VERSION_STRING:  10.0.16299.15 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  19374f54c72ce7f0180fd805008defc414e147af

MODLIST_SHA1_HASH:  6d5dcfe7f2d1a6b2f918e0d0fce4573bf4e39f70

NTGLOBALFLAG:  2000100

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  81643027

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

APPLICATION_VERIFIER_LOADED: 1

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  01-11-2018 12:59:07.0024

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x27d4]
    Frame:  [0] : nvwgf2umx!NVAPI_Thunk

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x27d4]
    Frame:  [0] : nvwgf2umx!NVAPI_Thunk

    ID:     [0n92]
    Type:   [AVRF]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x1b68]
    TID:    [0x27d4]
    Frame:  [0] : nvwgf2umx!NVAPI_Thunk

    ID:     [0n111]
    Type:   [EXPLOITABLE]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x1b68]
    TID:    [0x27d4]
    Frame:  [0] : nvwgf2umx!NVAPI_Thunk

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_AVRF

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 00007ff93e8ac7bb to 00007ff93f61eea9

STACK_TEXT:  
00000090`37b9f1f8 00007ff9`3e8ac7bb : 00000000`00000000 00000000`00000000 7fffffff`ffffffff 00000000`00000001 : nvwgf2umx!NVAPI_Thunk+0x77de79
00000090`37b9f200 00007ff9`3e7dda8d : 00000000`00050000 00000000`00000000 00000000`00050000 0000028d`796ea640 : nvwgf2umx!OpenAdapter12+0x23882b
00000090`37b9f240 00007ff9`3e7d1fe7 : 0000028d`796ea640 00000000`00000000 00000000`00000000 0000028d`796ea640 : nvwgf2umx!OpenAdapter12+0x169afd
00000090`37b9f3a0 00007ff9`3e7d1194 : 00000000`00000065 00000000`00000036 00000090`37b9f8b0 0000028d`796e55a0 : nvwgf2umx!OpenAdapter12+0x15e057
00000090`37b9f830 00007ff9`3e6848e3 : 0000028d`79714bc0 00000090`37b9fa38 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x15d204
00000090`37b9f8f0 00007ff9`3e684d91 : 00000000`00000000 00007ff9`77ec3a80 00000000`000000bc 00007ff9`77ec3b2f : nvwgf2umx!OpenAdapter12+0x10953
00000090`37b9f9d0 00007ff9`3e8b7996 : 0000028d`76939900 00007ff9`62cc7499 00000000`00000000 0000028d`796d6cc0 : nvwgf2umx!OpenAdapter12+0x10e01
00000090`37b9fac0 00007ff9`3e9208ff : 0000028d`796e8fc0 00000000`00000001 00000000`00000000 0000028d`78ce6b90 : nvwgf2umx!OpenAdapter12+0x243a06
00000090`37b9fb70 00007ff9`3e92083f : 0000028d`78ce6d28 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x2ac96f
00000090`37b9fbb0 00007ff9`3f636821 : 0000028d`79486fd0 0000028d`79486fd0 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x2ac8af
00000090`37b9fbe0 00007ff9`62cced34 : 0000028d`6e3e1fc0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x7957f1
00000090`37b9fc10 00007ff9`7ac31fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vfbasics!AVrfpStandardThreadFunction+0x44
00000090`37b9fc50 00007ff9`7b77efb1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000090`37b9fc80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  ~7s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  d4a848f7cf8f28c393c8f892ffc126f817f50c8b

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  9909c28e91814d594e2f6129cc353a48da500291

THREAD_SHA1_HASH_MOD:  17e0877601acb0b895b4661be06fea469326e60b

FAULT_INSTR_CODE:  8b48aaf3

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nvwgf2umx!NVAPI_Thunk+77de79

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5a395c58

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_AVRF_c0000005_nvwgf2umx.dll!NVAPI_Thunk

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF_nvwgf2umx!NVAPI_Thunk+77de79

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  nvwgf2umx.dll

BUCKET_ID_IMAGE_STR:  nvwgf2umx.dll

FAILURE_MODULE_NAME:  nvwgf2umx

BUCKET_ID_MODULE_STR:  nvwgf2umx

FAILURE_FUNCTION_NAME:  NVAPI_Thunk

BUCKET_ID_FUNCTION_STR:  NVAPI_Thunk

BUCKET_ID_OFFSET:  77de79

BUCKET_ID_MODPRIVATE: 1

BUCKET_ID_MODTIMEDATESTAMP:  5a395c58

BUCKET_ID_MODCHECKSUM:  1934a09

BUCKET_ID_MODVER_STR:  22.21.13.8607

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  nvwgf2umx.dll!NVAPI_Thunk

TARGET_TIME:  2018-01-11T11:59:08.000Z

OSBUILD:  16299

OSSERVICEPACK:  15

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  1976-06-22 08:45:20

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.16299.15

ANALYSIS_SESSION_ELAPSED_TIME:  658

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_avrf_c0000005_nvwgf2umx.dll!nvapi_thunk

FAILURE_ID_HASH:  {b2ac358b-d8f3-ac8e-1c53-e0f6a04b51c7}

Followup:     MachineOwner
---------

0:007> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at nvwgf2umx!NVAPI_Thunk+0x000000000077de79 (Hash=0x982d6a78.0x949f2650)

Timeline

2018-01-22 - Vendor Disclosure
2018-03-28 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos