CVE-2022-34671
A memory corruption vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824. A specially crafted executable/shader file referencing an undeclared dcl_output can lead to memory corruption. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as previously demonstrated (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824
D3D10 Driver - https://nvidia.com
8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They are used to communicate between the operating system and the GPU device. In most cases this software is required for the hardware device to function properly.
This vulnerability can be triggered by supplying a malformed shader, which leads to a memory corruption problem in the NVIDIA driver.
Example of shader triggering the bug:
gs_4_0
dcl_constant_buffer cb0[6].xyzw, immediateIndexed
...
dcl_output o0.xy
dcl_output o1.xyzw
...
mov o79.xyzw, v0[1].xyzw
...
As you can see, the MOV instruction writes to a target register (o79) that was not previously declared with dcl_output, so its index lies outside the declared outputs (index out of bounds).
This leads to a memory corruption bug, where the destination address is computed from the register index provided in the shader data (taken directly from the supplied shader binary file).
00007FF9C1486AFF | 8D048D 00000000 | lea eax,qword ptr ds:[rcx*4] | ; EAX value taken directly from the shader bytecode
00007FF9C1486B06 | C64424 21 01 | mov byte ptr ss:[rsp+21],1 |
00007FF9C1486B0B | C1F8 08 | sar eax,8 |
00007FF9C1486B0E | 48:8DBD B0260000 | lea rdi,qword ptr ss:[rbp+26B0] |
00007FF9C1486B15 | 0F57C0 | xorps xmm0,xmm0 |
00007FF9C1486B18 | 8D0485 00000000 | lea eax,qword ptr ds:[rax*4] |
00007FF9C1486B1F | 41:03C5 | add eax,r13d |
00007FF9C1486B22 | 48:63C8 | movsxd rcx,eax |
00007FF9C1486B25 | 48:8D0449 | lea rax,qword ptr ds:[rcx+rcx*2] |
00007FF9C1486B29 | 48:C1E0 04 | shl rax,4 |
00007FF9C1486B2D | 48:03F8 | add rdi,rax |
00007FF9C1486B30 | 0F1107 | movups xmmword ptr ds:[rdi],xmm0 | * write1 *
00007FF9C1486B33 | 0F1147 10 | movups xmmword ptr ds:[rdi+10],xmm0 |
00007FF9C1486B37 | 0F1147 20 | movups xmmword ptr ds:[rdi+20],xmm0 |
nvwgf2umx!NVAPI_Thunk+0x1051b80:
00007ff9`c1486b30 0f1107 movups xmmword ptr [rdi],xmm0 ds:000000cf`12480410=????????????????????????????????
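As an added illustration (not code from this advisory or from the NVIDIA driver), the following C model shows the check whose absence produces the out-of-bounds write above: before an output-register operand is mapped to a slot in the translator's fixed-size table, its index must have been declared with dcl_output and must fit within that table. The 48-byte slot stride is read from the disassembly (rdi = base + idx*48, followed by three 16-byte stores); MAX_OUTPUTS, the text-form parser and the sample shaders are assumptions constructed for this model.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not driver code. A translator keeps a fixed table of
 * output-register slots; per the disassembly each slot is 48 bytes and the
 * slot index comes straight from the shader bytecode. MAX_OUTPUTS is an
 * assumed table size for this model. */
#define MAX_OUTPUTS 32u
#define OUTPUT_SLOT_BYTES 48u

/* Byte offset of output register idx within the slot table (idx*48, as
 * computed by "lea rax,[rcx+rcx*2]; shl rax,4" in the disassembly). */
size_t output_slot_offset(unsigned idx)
{
    return (size_t)idx * OUTPUT_SLOT_BYTES;
}

/* Parse "o<digits>" at s. Returns the register index, or -1 if s does not
 * start an output-register operand. */
static int parse_output_reg(const char *s)
{
    if (s[0] != 'o' || !isdigit((unsigned char)s[1]))
        return -1;
    int idx = 0;
    for (s++; isdigit((unsigned char)*s); s++) {
        idx = idx * 10 + (*s - '0');
        if (idx > 100000)
            return -1;          /* absurd index: treat as malformed */
    }
    return idx;
}

/* Validate a shader given in text form (constructed mini-parser). Every oN
 * operand used by an instruction must have been declared by an earlier
 * "dcl_output oN", and every declared index must fit the slot table.
 * Returns 0 if well-formed, otherwise -1 with *bad_line set to the 1-based
 * offending line (when bad_line is non-NULL). */
int validate_shader(const char *asm_text, int *bad_line)
{
    uint32_t declared = 0;      /* bit i set => oi was declared */
    int line_no = 1;
    const char *p = asm_text;

    while (*p) {
        const char *line_end = strchr(p, '\n');
        size_t len = line_end ? (size_t)(line_end - p) : strlen(p);
        const char *s = p, *end = p + len;

        while (s < end && isspace((unsigned char)*s))
            s++;

        if ((size_t)(end - s) >= 11 && strncmp(s, "dcl_output ", 11) == 0) {
            const char *q = s + 11;
            while (q < end && isspace((unsigned char)*q))
                q++;
            int idx = parse_output_reg(q);
            if (idx < 0 || (unsigned)idx >= MAX_OUTPUTS)
                goto fail;      /* declaration itself exceeds the table */
            declared |= 1u << idx;
        } else {
            /* Any token that starts with 'o' followed by digits is an
             * output-register reference; it must already be declared. */
            for (const char *q = s; q < end; q++) {
                bool token_start = (q == s) || q[-1] == ',' ||
                                   isspace((unsigned char)q[-1]);
                if (!token_start)
                    continue;
                int idx = parse_output_reg(q);
                if (idx < 0)
                    continue;
                if ((unsigned)idx >= MAX_OUTPUTS || !(declared & (1u << idx)))
                    goto fail;  /* undeclared or out-of-range output */
            }
        }
        if (!line_end)
            break;
        p = line_end + 1;
        line_no++;
    }
    return 0;

fail:
    if (bad_line)
        *bad_line = line_no;
    return -1;
}

/* Convenience wrapper: 0 if the shader validates, else the offending line. */
int first_bad_line(const char *asm_text)
{
    int bad = 0;
    return validate_shader(asm_text, &bad) == 0 ? 0 : bad;
}

/* Constructed samples modelled on the advisory's shader listing. */
static const char *const BAD_SHADER =
    "gs_4_0\n"
    "dcl_constant_buffer cb0[6].xyzw, immediateIndexed\n"
    "dcl_output o0.xy\n"
    "dcl_output o1.xyzw\n"
    "mov o79.xyzw, v0[1].xyzw\n";     /* o79 was never declared */

static const char *const GOOD_SHADER =
    "gs_4_0\n"
    "dcl_constant_buffer cb0[6].xyzw, immediateIndexed\n"
    "dcl_output o0.xy\n"
    "dcl_output o1.xyzw\n"
    "mov o1.xyzw, v0[1].xyzw\n";

int main(void)
{
    printf("o79 would be written at table offset %zu bytes\n",
           output_slot_offset(79));
    printf("bad shader: rejected at line %d\n", first_bad_line(BAD_SHADER));
    printf("good shader: %s\n", first_bad_line(GOOD_SHADER) ? "rejected" : "accepted");
    return 0;
}
```

The validator rejects the sample at the MOV line because o79 was never declared, and it would also reject a dcl_output whose index does not fit the table, so the slot offset computed from the shader can never point past the table's end.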
0:039> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 2139
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 17936
Key : Analysis.Init.CPU.mSec
Value: 3468
Key : Analysis.Init.Elapsed.mSec
Value: 226852
Key : Analysis.Memory.CommitPeak.Mb
Value: 91
Key : Timeline.OS.Boot.DeltaSec
Value: 93944
Key : Timeline.Process.Start.DeltaSec
Value: 107
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff9c1486b30 (nvwgf2umx!NVAPI_Thunk+0x0000000001051b80)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000000cf12480410
Attempt to write to address 000000cf12480410
FAULTING_THREAD: 00003144
PROCESS_NAME: POC_EXEC11.exe
WRITE_ADDRESS: 000000cf12480410
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000000cf12480410
STACK_TEXT:
000000cf`1247a120 00007ff9`c02af594 : 000001f1`08c32f10 000001f1`08c32eb0 000001f1`08c1e440 000001f1`08c1e440 : nvwgf2umx!NVAPI_Thunk+0x1051b80
000000cf`1247f010 00007ff9`c01f1a38 : 000001f1`08c1e440 000000cf`1247f1b0 00000000`00000036 00007ff9`c03d7f7e : nvwgf2umx!NVENCODEAPI_Thunk+0x30cf4
000000cf`1247f110 00007ff9`c01f28f2 : 000001f1`08c1e440 000000cf`1247f281 00000000`00000000 000000cf`1247f5a0 : nvwgf2umx+0xe1a38
000000cf`1247f1e0 00007ff9`c01f3c6d : 000001f1`08c2e508 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx+0xe28f2
000000cf`1247f2e0 00007ff9`c042dce6 : 000001f1`08baee00 000001f1`08c32e20 000001f1`08c2e508 000001f1`08c32c60 : nvwgf2umx+0xe3c6d
000000cf`1247f570 00007ff9`c042d9f8 : 00000000`00000000 000001f1`06b64c00 00000000`00000000 000001f1`06bd4968 : nvwgf2umx!NVDEV_Thunk+0xb68f6
000000cf`1247f680 00007ff9`c0676644 : 00000000`00000000 00007ff9`d5500800 000001f1`08c336b0 000001f1`06bd4160 : nvwgf2umx!NVDEV_Thunk+0xb6608
000000cf`1247f730 00007ff9`c067658f : 00000000`00000000 000001f1`0000000f 000001f1`08ce4b20 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x241694
000000cf`1247f790 00007ff9`c1c37472 : 000001f1`08ce4b20 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x2415df
000000cf`1247f7c0 00007ff9`d5387614 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x619382
000000cf`1247f7f0 00007ff9`d55026a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000cf`1247f820 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx!NVAPI_Thunk+1051b80
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~39s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!NVAPI_Thunk
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 31.0.15.2824
FAILURE_ID_HASH: {394d2a7d-b34b-6afc-ef2e-834df1b40588}
Followup: MachineOwner
---------
NVIDIA released a bulletin for these issues here: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
2023-02-16 - Vendor Disclosure
2023-06-27 - Vendor Patch Release
2023-08-10 - Public Release
Discovered by Piotr Bania of Cisco Talos.