Microsoft Hyper-V/RemoteFX: CVE-2020-1042
An exploitable double free vulnerability exists in Intel’s IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted geometry shader can cause a double free vulnerability, leading to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox etc.) in order to perform guest-to-host escape - as it was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically, this vulnerability could be also triggered from a web browser (using WebGL and WebAssembly) but Talos has not been able to confirm this.
Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1042)
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability can be triggered by supplying a malformed geometry shader, leading to a double free in the Intel IGC64 driver (this driver is mapped by the affected component, e.g. VMware’s vmware-vmx.exe).
In a specially crafted geometry shader, the operands for the mov bytecode (a shader model instruction), were malformed. Such malformed geometry shader can cause a double free in the Intel’s IGC64 driver.
Already freed heap memory is passed to the HeapReAlloc function, leading to the following exception:
**************************************************************
* *
* HEAP ERROR DETECTED *
* *
**************************************************************
Details:
Heap address: 0000021f26910000
Error address: 0000021f28806ef0
Error type: HEAP_FAILURE_BLOCK_NOT_BUSY
Details: The caller performed an operation (such as a free
or a size check) that is illegal on a free block.
Follow-up: Check the error's stack trace to find the culprit.
0:005> !heap -x 0000021f28806ef0
Failed to read heap keySEGMENT HEAP ERROR: failed to initialize the extention
List corrupted: (Blink->Flink = 0000021f26910150) != (Block = 0000021f28824ed0)
HEAP 0000021f26910000 (Seg 0000021f28760000) At 0000021f28824ec0 Error: block list entry corrupted
Where memory at 0000021f28824ec0:
0:005> db 0000021f28824ec0
0000021f`28824ec0 ee fe ee fe ee fe ee fe-10 3a 04 2e cf 92 0d 00 .........:......
0000021f`28824ed0 50 01 91 26 1f 02 00 00-e0 be 81 28 1f 02 00 00 P..&.......(....
0000021f`28824ee0 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0000021f`28824ef0 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0000021f`28824f00 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0000021f`28824f10 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0000021f`28824f20 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0000021f`28824f30 ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
Magic value 0xFEEEFEEE is used by Microsoft’s HeapFree() to mark freed heap memory, therefore this area was already freed.
This is a Use After Free vulnerability.
Stack trace:
0:005> kb
# RetAddr : Args to Child : Call Site
00 00007ffc`838a1622 : 00000000`00000098 00007ffc`839027f0 00000000`00000008 00000279`ec550000 : ntdll!RtlReportCriticalFailure+0x56
01 00007ffc`838a192a : 00000000`00000008 00000279`edfd5800 00000279`ec550000 00000279`ec550000 : ntdll!RtlpHeapHandleError+0x12
02 00007ffc`838aa8e9 : 00000279`ec550000 00000000`00000000 00000000`00000001 00000279`edff1f10 : ntdll!RtlpHpHeapHandleError+0x7a
03 00007ffc`837e2e1c : 00000279`ec550000 00000000`40000062 00000000`00000098 00000279`edff1f10 : ntdll!RtlpLogHeapFailure+0x45
04 00007ffc`837e2d0a : 00000279`edff1df0 00007ffc`7135f8bb 00000000`00000000 00000000`40000060 : ntdll!RtlpReAllocateHeapInternal+0xdc
05 00007ffc`712fc94f : 00000000`00002798 00000000`00000008 00000000`00000000 00000279`40000062 : ntdll!RtlReAllocateHeap+0x5a
06 00007ffc`7125f821 : 00000081`e79ff838 00000000`00000000 00000081`e79f9c19 00007ffc`7136f19b : igc64!getJITVersion+0x60fc0f
07 00007ffc`7133d387 : 00000081`e79fb368 00000081`e79f9ca0 00000000`00000000 00000000`00000050 : igc64!getJITVersion+0x572ae1
08 00007ffc`7133437d : 00000081`e79fb368 00000000`00000000 00000000`00000009 00000279`edff00d0 : igc64!OpenCompiler12+0x35bf7
09 00007ffc`71338844 : 00000000`00000000 00000081`e79fb330 00000000`00000001 00000081`00000000 : igc64!OpenCompiler12+0x2cbed
0a 00007ffc`713344e3 : 00000279`edfd39a0 00000000`00000000 00000279`edfd3dd4 00000279`edfd3a30 : igc64!OpenCompiler12+0x310b4
0b 00007ffc`713341a3 : 00000000`00000000 00000279`edfde710 00000279`edfd39a0 00000000`00000004 : igc64!OpenCompiler12+0x2cd53
0c 00007ffc`7133406f : 00000279`edfd39a0 00000279`edfd39a0 00000279`edfd39a0 00000279`edfdc850 : igc64!OpenCompiler12+0x2ca13
0d 00007ffc`7130e2ab : 00000279`edfdc850 00000279`edfd5890 00000279`edfd2320 00000279`edfd2320 : igc64!OpenCompiler12+0x2c8df
0e 00007ffc`7130af91 : 00000279`edfd2320 00000279`edf81ef0 00000279`edfd2358 00000000`00000010 : igc64!OpenCompiler12+0x6b1b
0f 00007ffc`7130cb63 : 00000000`00000000 00007ffc`75035782 00000000`00000801 00000000`00000000 : igc64!OpenCompiler12+0x3801
10 00007ffc`749b2f63 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000800 : igc64!OpenCompiler12+0x53d3
11 00007ffc`749b0f3d : 00000000`00000000 00007ffc`80ad5d9f 00000279`edfbb5a0 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0xeb943
12 00007ffc`748f5187 : 00000279`edfd4068 00000000`00000000 00000279`edf83300 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0xe991d
13 00007ffc`75028d50 : 00000000`00000000 00000000`00000000 00000279`edfd40a0 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x2db67
14 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x761730
15 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
16 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:005> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.Elapsed.Sec
Value: 74
Key : Analysis.Memory.CommitPeak.Mb
Value: 72
Key : Timeline.OS.Boot.DeltaSec
Value: 202245
Key : Timeline.Process.Start.DeltaSec
Value: 3740
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-01-13T11:40:52.32Z
Diff: 32 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-01-13T11:40:52.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-01-13T10:38:32.0Z
Diff: 3740000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-01-11T03:30:07.0Z
Diff: 202245000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 72b14d4437af6d09da2d9fe2a592f06ddf20b1ca
MODLIST_SHA1_HASH: 6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
ntdll!RtlReportCriticalFailure+56
00007ffc`838991f2 cc int 3
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc838991f2 (ntdll!RtlReportCriticalFailure+0x0000000000000056)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
FAULTING_THREAD: 00003184
PROCESS_NAME: POC_EXEC11.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJ TEK} Punkt przerwania Osi gni to punkt przerwania.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Co najmniej jeden z argument w jest nieprawid owy.
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 0000000000000000
WATSON_BKT_PROCSTAMP: 5e1b04b9
WATSON_BKT_MODULE: ntdll.dll
WATSON_BKT_MODSTAMP: 99ca0526
WATSON_BKT_MODOFFSET: f91f2
WATSON_BKT_MODVER: 10.0.18362.418
MODULE_VER_PRODUCT: Microsoft Windows Operating System
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: IAMLEGION
ANALYSIS_SESSION_TIME: 01-13-2020 12:40:52.0032
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Heap_Error_Type] from Frame:[0] on thread:[PSEUDO_THREAD] ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 00007ffc838a1622 to 00007ffc838991f2
THREAD_SHA1_HASH_MOD_FUNC: 7f15800cda6f8d6507ab572a70f10ce85127d952
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 32d1b00defaa02b465d15475e9e33a9a77bcd3fa
OS_LOCALE: PLK
BUGCHECK_STR: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE
DEFAULT_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
PROBLEM_CLASSES:
ID: [0n261]
Type: [ACTIONABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Add
String: [BlockNotBusy]
PID: [0x2cb4]
TID: [0x3184]
Frame: [3] : ntdll!RtlpLogHeapFailure
ID: [0n262]
Type: [HEAP_CORRUPTION]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x2cb4]
TID: [0x3184]
Frame: [3] : ntdll!RtlpLogHeapFailure
ID: [0n260]
Type: [DOUBLE_FREE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x2cb4]
TID: [0x3184]
Frame: [3] : ntdll!RtlpLogHeapFailure
STACK_TEXT:
00000000`00000000 00000000`00000000 igc64!getJITVersion+0x0
THREAD_SHA1_HASH_MOD: 21353c7cdde59d4a15ad29c23f4db57c58172e87
FOLLOWUP_IP:
igc64!getJITVersion+0
00007ffc`70cecd40 c70103000000 mov dword ptr [rcx],3
FAULT_INSTR_CODE: 301c7
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: igc64!getJITVersion+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: igc64
IMAGE_NAME: igc64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5ddcfccd
STACK_COMMAND: !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 23be4afef80 ** ; kb
BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_igc64!getJITVersion+0
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: igc64.dll
BUCKET_ID_IMAGE_STR: igc64.dll
FAILURE_MODULE_NAME: igc64
BUCKET_ID_MODULE_STR: igc64
FAILURE_FUNCTION_NAME: getJITVersion
BUCKET_ID_FUNCTION_STR: getJITVersion
BUCKET_ID_OFFSET: 0
BUCKET_ID_MODTIMEDATESTAMP: 5ddcfccd
BUCKET_ID_MODCHECKSUM: 2450ddb
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_
FAILURE_PROBLEM_CLASS: HEAP_CORRUPTION
FAILURE_SYMBOL_NAME: igc64.dll!getJITVersion
FAILURE_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_80000003_igc64.dll!getJITVersion
TARGET_TIME: 2020-01-13T11:42:06.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 1216f
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:heap_corruption_actionable_blocknotbusy_double_free_80000003_igc64.dll!getjitversion
FAILURE_ID_HASH: {472f4ddc-a1d3-ba89-93bd-3638df38933a}
Followup: MachineOwner
---------
2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release
Discovered by Piotr Bania of Cisco Talos.