Talos Vulnerability Report

TALOS-2020-0981

Intel IGC64.DLL shader functionality realloc code execution vulnerability

July 14, 2020
CVE Number

Microsoft Hyper-V/RemoteFX: CVE-2020-1041

Summary

An exploitable pointer corruption vulnerability exists in Intel’s IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can corrupt a pointer, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as was demonstrated previously in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.

Tested Versions

Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1041)

Product URLs

http://intel.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-590: Free of Memory not on the Heap

Details

This vulnerability can be triggered by supplying a malformed vertex shader, leading to memory corruption in the Intel IGC64 driver (this driver is loaded into the address space of the affected component, e.g. VMware’s vmware-vmx.exe).

Example of the pixel shader instruction that triggers the bug:

36 00 00 05 22 00 10 00 01 00 00 00 06 00 10 00 03 00 00 00 mov r1.y, r3.xxxx
                                       ^^^^^^^^

By corrupting the instruction operands, it is possible to change the pointer that is later passed as an argument to the REALLOC function.
In this case, for example, a return address (pushed onto the stack by a call instruction) ends up being passed to REALLOC: the address that RtlValidateHeap rejects below, 00007FFC713341A3, disassembles to code inside igc64 and appears in the stack trace as the return address of frame 0c.
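As an added example (not code from the Talos report or from Intel), the following Python decodes the SM4/SM5 tokenized instruction shown above using the public d3d10tokenizedprogramformat.h layout and applies the kind of operand bounds check a shader consumer needs before using a register index to address internal state; the corrupted instruction it also checks is constructed here, and which operand field the actual proof of concept corrupts is not stated in the report.

```python
import struct

# The 20 instruction bytes exactly as printed in the report: mov r1.y, r3.xxxx
INSTR = bytes.fromhex("36000005" "22001000" "01000000" "06001000" "03000000")
# Constructed variant: the source register index dword changed to 0x1000 (r4096).
CORRUPTED = INSTR[:16] + bytes.fromhex("00100000")

OPCODE_NAMES = {0x36: "mov"}
REGISTER_PREFIX = {0: "r", 1: "v", 2: "o", 3: "x"}  # temp, input, output, indexable temp
SWZ = "xyzw"

def decode_operand(words, pos):
    """Decode the operand token at words[pos] (immediate32, 1D index only)."""
    tok = words[pos]
    sel_mode = (tok >> 2) & 0x3       # bits [3:2]: 0 mask, 1 swizzle, 2 select1
    op_type = (tok >> 12) & 0xFF      # bits [19:12]: register file
    index_dim = (tok >> 20) & 0x3     # bits [21:20]: number of index dwords
    if index_dim != 1 or (tok >> 22) & 0x7 != 0 or tok >> 31:
        raise ValueError("only immediate32 1D-indexed operands handled here")
    index = words[pos + 1]
    if sel_mode == 0:                 # write mask, one bit per component from bit 4
        comps = "".join(c for i, c in enumerate(SWZ) if (tok >> (4 + i)) & 1)
    elif sel_mode == 1:               # swizzle, two bits per component from bit 4
        comps = "".join(SWZ[(tok >> (4 + 2 * i)) & 3] for i in range(4))
    else:                             # select1, two bits at [5:4]
        comps = SWZ[(tok >> 4) & 3]
    return f"{REGISTER_PREFIX.get(op_type, '?')}{index}.{comps}", op_type, index, pos + 2

def decode_instruction(data, num_temps):
    """Disassemble one instruction; return (text, list of temp operands out of range)."""
    words = struct.unpack(f"<{len(data) // 4}I", data)
    opcode = words[0] & 0x7FF                 # bits [10:0]: opcode type (0x36 == mov)
    length = (words[0] >> 24) & 0x7F          # bits [30:24]: length in dwords incl. this token
    if length != len(words):
        raise ValueError("length field does not match instruction size")
    operands, out_of_range = [], []
    pos = 1
    while pos < length:
        text, op_type, index, pos = decode_operand(words, pos)
        operands.append(text)
        # The check the consumer must make: a temp index must stay below the
        # declared temp count before it is used to address any per-register table.
        if op_type == 0 and index >= num_temps:
            out_of_range.append(text)
    return f"{OPCODE_NAMES.get(opcode, hex(opcode))} {', '.join(operands)}", out_of_range

if __name__ == "__main__":
    for blob in (INSTR, CORRUPTED):
        print(decode_instruction(blob, num_temps=4))
```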

Sample debugger output:

HEAP[POC_EXEC11_VENDOR_ONLY.exe]: Invalid address specified to RtlValidateHeap( 000001793A680000, 00007FFC713341A3 )
(1c14.f00): Break instruction exception - code 80000003 (first chance)
ntdll!RtlpBreakPointHeap+0x16:
00007ffc`838a63b6 cc              int     3

0:000> u 00007FFC713341A3
igc64!OpenCompiler12+0x2ca13:
00007ffc`713341a3 488d4c2420      lea     rcx,[rsp+20h]
00007ffc`713341a8 e8a3f4ffff      call    igc64!OpenCompiler12+0x2bec0 (00007ffc`71333650)
00007ffc`713341ad 488b8c24e0000000 mov     rcx,qword ptr [rsp+0E0h]
00007ffc`713341b5 4833cc          xor     rcx,rsp
00007ffc`713341b8 e8d33efaff      call    igc64!getJITVersion+0x5eb350 (00007ffc`712d8090)
00007ffc`713341bd 488b9c2408010000 mov     rbx,qword ptr [rsp+108h]
00007ffc`713341c5 4881c4f0000000  add     rsp,0F0h
00007ffc`713341cc 5f              pop     rdi

Stack trace:

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`838a1622 : 00000000`00000001 00007ffc`839027f0 00000000`00000009 0000021a`dc440000 : ntdll!RtlReportCriticalFailure+0x56
01 00007ffc`838a192a : 00000000`00000009 00007ffc`713341a3 0000021a`dc440000 00000000`00000001 : ntdll!RtlpHeapHandleError+0x12
02 00007ffc`838aa8e9 : 0000021a`dc440000 00000000`00000000 0000021a`dc440000 0000021a`dc440000 : ntdll!RtlpHpHeapHandleError+0x7a
03 00007ffc`837e2e1c : 00000000`00000048 00000000`40000062 00000000`00000001 0000021a`de3ba8b0 : ntdll!RtlpLogHeapFailure+0x45
04 00007ffc`837e2d0a : 00000000`00000000 00000000`00000000 0000021a`00000000 0000003c`a07e7e38 : ntdll!RtlpReAllocateHeapInternal+0xdc
05 00007ffc`712fc94f : 00000000`00000004 00000000`00000004 00000000`00000000 00000000`00000000 : ntdll!RtlReAllocateHeap+0x5a
06 00007ffc`7125f821 : 0000003c`a07edbf8 00007ffc`837e2e7f 0000021a`dc440000 0000003c`40000062 : igc64!getJITVersion+0x60fc0f
07 00007ffc`7133d660 : 0000003c`a07edbf8 0000003c`a07e7ff0 00000000`00000000 0000003c`a07ecb68 : igc64!getJITVersion+0x572ae1
08 00007ffc`7133ce22 : 0000003c`a07e96b8 00000000`40000060 00000000`00000005 00000000`00000050 : igc64!OpenCompiler12+0x35ed0
09 00007ffc`7133437d : 0000003c`a07e96b8 0000003c`a07e8200 00000000`00000009 0000021a`de3b7f00 : igc64!OpenCompiler12+0x35692
0a 00007ffc`71338844 : 00000000`00000000 0000003c`a07e9680 00000000`00000000 0000003c`00000002 : igc64!OpenCompiler12+0x2cbed
0b 00007ffc`713344e3 : 0000021a`de3abf90 0000021a`de3a354c 0000021a`de3a36c8 0000021a`de3a35f4 : igc64!OpenCompiler12+0x310b4
0c 00007ffc`713341a3 : 00000000`00000000 0000021a`de3ad5e0 0000021a`de3abf90 0000021a`de3a3540 : igc64!OpenCompiler12+0x2cd53
0d 00007ffc`7133406f : 0000021a`de3a354c 0000021a`de3a354c 0000021a`de3a354c 0000021a`de3ab690 : igc64!OpenCompiler12+0x2ca13
0e 00007ffc`7130c37a : 0000021a`de3a5e90 0000021a`de3a66c0 0000021a`de3a66c0 0000021a`de3a66c0 : igc64!OpenCompiler12+0x2c8df
0f 00007ffc`7130b6cd : 00000000`00000000 0000021a`de3a4408 0000003c`a07ee510 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
10 00007ffc`7130cbf3 : 0000021a`de3a43d8 00007ffc`75013537 0000021a`de3a4490 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
11 00007ffc`748f7946 : 0000021a`de3a42f0 00000000`00000000 0000021a`de415e70 00000000`00000001 : igc64!OpenCompiler12+0x5463
12 00007ffc`750bb966 : 0000021a`de4213d0 0000021a`de3a3d90 0000021a`de3a5a10 0000003c`a07ee070 : igd10iumd64!OpenAdapter10_2+0x30326
13 00007ffc`7cc28edc : 00000000`00000000 0000021a`de3a3d78 0000021a`de40bf50 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
14 00007ffc`7cc3295f : 0000003c`00000001 0000021a`de415e68 0000021a`de3a3d78 0000021a`de40bf50 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
15 00007ffc`7cc3289a : 0000003c`a07eece0 00007ffc`7cde2388 0000021a`de3a3c10 00000000`0000121c : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
16 00007ffc`7cc1ee58 : 0000021a`de3a3c68 0000003c`a07eece0 0000003c`a07eed10 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
17 00007ffc`7cc2b17d : 00000000`00000000 0000021a`de3a3c10 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xc88
18 00007ffc`7cc2b950 : 0000021a`de3a3c10 00000000`00000009 00000000`00000950 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
19 00007ffc`7cc114f4 : 0000021a`de4050f0 00000000`00000009 0000021a`de3a34b0 0000021a`de405928 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
1a 00007ffc`7cc11463 : 0000021a`de3a34b0 00000000`0000c100 0000003c`a07ef140 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
1b 00007ffc`7cc111e8 : 0000021a`de405928 0000021a`de3a34b0 00000000`00000378 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
1c 00007ff6`9e502593 : 00007ff6`9e575120 00000000`00000000 0000003c`a07ee658 0000003c`a07ef260 : d3d11!CDevice::CreatePixelShader+0x28
1d 00007ff6`9e5042a7 : 00007ff6`9e575258 00000000`00000378 0000021a`de405938 00000000`00000000 : POC_EXEC11+0x2593
1e 00007ff6`9e50c880 : 00000000`00000000 0000021a`dc4a9b54 0000021a`dc481d00 0000021a`00000378 : POC_EXEC11+0x42a7
1f 00007ff6`9e50a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
20 00007ff6`9e50a26c : 00000000`00000000 004f0050`005c0063 00000000`00000000 00310031`00430045 : POC_EXEC11+0xa8cc
21 00007ff6`9e50324a : 0000021a`dc481d00 00000000`00000000 0000021a`dc481d00 0000021a`dc4591b0 : POC_EXEC11+0xa26c
22 00007ff6`9e52f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
23 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
24 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
25 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

Critical error detected c0000374
(3ea0.37e8): Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x56:
00007ffc`838991f2 cc              int     3
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 1

	Key  : Analysis.Elapsed.Sec
	Value: 113

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 71

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 193794

	Key  : Timeline.Process.Start.DeltaSec
	Value: 110


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-01-13T09:20:01.470Z
	Diff: 470 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-01-13T09:20:01.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-01-13T09:18:11.0Z
	Diff: 110000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-01-11T03:30:07.0Z
	Diff: 193794000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

MODLIST_WITH_TSCHKSUM_HASH:  55cdb3bc7aae3aedb1ba047e3d2dba6243aad2f9

MODLIST_SHA1_HASH:  6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+56
00007ffc`838991f2 cc              int     3

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc838991f2 (ntdll!RtlReportCriticalFailure+0x0000000000000056)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

FAULTING_THREAD:  000037e8

PROCESS_NAME:  POC_EXEC11.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJĄTEK}  Punkt przerwania  Osiągnięto punkt przerwania.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Co najmniej jeden z argumentów jest nieprawidłowy.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  0000000000000000

WATSON_BKT_PROCSTAMP:  5e1b04b9

WATSON_BKT_MODULE:  ntdll.dll

WATSON_BKT_MODSTAMP:  99ca0526

WATSON_BKT_MODOFFSET:  f91f2

WATSON_BKT_MODVER:  10.0.18362.418

MODULE_VER_PRODUCT:  Microsoft Windows Operating System

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_HOST:  IAMLEGION

ANALYSIS_SESSION_TIME:  01-13-2020 10:20:01.0470

ANALYSIS_VERSION: 10.0.18914.1001 amd64fre

THREAD_ATTRIBUTES: 
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 00007ffc838a1622 to 00007ffc838991f2

THREAD_SHA1_HASH_MOD_FUNC:  a348013f73e28faeecd5caf67b12edc8d29b3900

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  3b90219497e4238a73ec7153d08fbe56e59e8a48

OS_LOCALE:  PLK

BUGCHECK_STR:  BREAKPOINT_ACTIONABLE_InvalidArgument

DEFAULT_BUCKET_ID:  BREAKPOINT_ACTIONABLE_InvalidArgument

PRIMARY_PROBLEM_CLASS:  BREAKPOINT

PROBLEM_CLASSES: 

	ID:     [0n321]
	Type:   [@APPLICATION_FAULT_STRING]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Omit
	Data:   Add
			String: [BREAKPOINT]
	PID:    [Unspecified]
	TID:    [Unspecified]
	Frame:  [0]

	ID:     [0n261]
	Type:   [ACTIONABLE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Add
			String: [InvalidArgument]
	PID:    [Unspecified]
	TID:    [Unspecified]
	Frame:  [0]

STACK_TEXT:  
00000000`00000000 00000000`00000000 heap_corruption!POC_EXEC11.exe+0x0


THREAD_SHA1_HASH_MOD:  ca4e26064d24ef7512d2e94de5a93c38dbe82fe9

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  heap_corruption!POC_EXEC11.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 200581fbb50 ** ; kb

BUCKET_ID:  BREAKPOINT_ACTIONABLE_InvalidArgument_heap_corruption!POC_EXEC11.exe

FAILURE_EXCEPTION_CODE:  80000003

FAILURE_IMAGE_NAME:  heap_corruption

BUCKET_ID_IMAGE_STR:  heap_corruption

FAILURE_MODULE_NAME:  heap_corruption

BUCKET_ID_MODULE_STR:  heap_corruption

FAILURE_FUNCTION_NAME:  POC_EXEC11.exe

BUCKET_ID_FUNCTION_STR:  POC_EXEC11.exe

BUCKET_ID_OFFSET:  0

BUCKET_ID_MODTIMEDATESTAMP:  0

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  BREAKPOINT_ACTIONABLE_InvalidArgument_

FAILURE_PROBLEM_CLASS:  BREAKPOINT

FAILURE_SYMBOL_NAME:  heap_corruption!POC_EXEC11.exe

FAILURE_BUCKET_ID:  BREAKPOINT_ACTIONABLE_InvalidArgument_80000003_heap_corruption!POC_EXEC11.exe

TARGET_TIME:  2020-01-13T09:21:55.000Z

OSBUILD:  18362

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  1bc28

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:breakpoint_actionable_invalidargument_80000003_heap_corruption!poc_exec11.exe

FAILURE_ID_HASH:  {a2b58f14-d43c-21d5-b07d-770a03a2bc68}

Followup:     MachineOwner
---------

Timeline

2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.