Talos Vulnerability Report

TALOS-2023-1720

NVIDIA D3D10 Driver Shader Functionality dcl_input index memory corruption vulnerability

August 10, 2023
CVE Number

CVE-2022-34671

SUMMARY

A memory corruption vulnerability exists in the Shader Functionality of the NVIDIA D3D10 Driver, version 528.24 (31.0.15.2824). A specially crafted executable or shader file containing a dcl_input declaration with an out-of-bounds index can lead to memory corruption. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as previously demonstrated (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824

PRODUCT URLS

D3D10 Driver - https://nvidia.com

CVSSv3 SCORE

8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

DETAILS

NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They mediate communication between the operating system and the GPU device, and in most cases are required for the hardware to function properly.

This vulnerability can be triggered by supplying a malformed shader, which leads to a memory corruption problem in the NVIDIA driver.

Example of shader triggering the bug:

gs_4_0
dcl_constant_buffer cb0[6].xyzw, immediateIndexed
dcl_input v1[0].xyz
dcl_input v1[-1090519039].xyzw
...

The dcl_input instruction declares a shader-input register. Declaring a shader-input register with a large (out-of-bounds) index value makes it possible to cause memory corruption.

00007FF9C01A45A5 | 42:8D0CB0                | lea ecx,qword ptr ds:[rax+r14*4]            |
00007FF9C01A45A9 | 45:0FB6F8                | movzx r15d,r8b                              |
00007FF9C01A45AD | 48:03CB                  | add rcx,rbx                                 |
00007FF9C01A45B0 | 80BC11 1C110000 D0       | cmp byte ptr ds:[rcx+rdx+111C],D0           | *
00007FF9C01A45B8 | 75 11                    | jne nvwgf2umx.7FF9C01A45CB                  |
00007FF9C01A45BA | 41:0FB6C3                | movzx eax,r11b                              |
00007FF9C01A45BE | C0E0 02                  | shl al,2                                    |
00007FF9C01A45C1 | 41:02C0                  | add al,r8b                                  |
00007FF9C01A45C4 | 888411 1C110000          | mov byte ptr ds:[rcx+rdx+111C],al           | *

The read/write destination address is computed using the r14 register (at 00007FF9C01A45A5), and the value of r14 is taken directly from the shader bytecode (the declared index). An attacker therefore controls the rcx register and, with it, the memory address that is read and written at the two instructions marked with an asterisk.
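As an added illustration (model code written for this advisory, not NVIDIA's driver), the following C mirrors the unchecked index arithmetic from the disassembly above next to a bounds-checked accessor; the table size, the struct layout and the function names are assumptions, and only the 0x111C displacement and the -1090519039 index come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not the driver's): one 4-byte slot per input register,
 * reached through the 0x111C displacement seen in the disassembly. */
#define MAX_INPUT_REGS 32
#define ATTR_DISP 0x111C

typedef struct {
    uint8_t header[ATTR_DISP];
    uint8_t attr[MAX_INPUT_REGS * 4];
} shader_state;

/* The operand index as it appears in the shader text, -1090519039, is the
 * signed view of the raw 32-bit bytecode field 0xBF000001. */
static int32_t index_from_bytecode(uint32_t raw) { return (int32_t)raw; }

/* Vulnerable pattern, modelled: the bytecode index is scaled and added into
 * the address with no range check, as lea/add/cmp do above. The result is
 * only computed here, never dereferenced. */
static ptrdiff_t unchecked_offset(int32_t idx) {
    return (ptrdiff_t)idx * 4 + ATTR_DISP;
}

/* Hardened accessor: validate the declared index against the register
 * space before it takes part in any address arithmetic. */
static bool read_input_attr(const shader_state *s, int32_t idx, uint8_t *out) {
    if (idx < 0 || idx >= MAX_INPUT_REGS) return false;  /* reject OOB index */
    *out = s->attr[(size_t)idx * 4];
    return true;
}

int main(void) {
    shader_state st = {0};
    st.attr[4] = 0xD0;                      /* constructed sample value */
    int32_t idx = index_from_bytecode(0xBF000001u);
    uint8_t v = 0;
    printf("index %d, unchecked offset %td\n", idx, unchecked_offset(idx));
    printf("checked read of v1[%d]: %s\n", idx,
           read_input_attr(&st, idx, &v) ? "ok" : "rejected");
    printf("checked read of v1[1]: %s (0x%02X)\n",
           read_input_attr(&st, 1, &v) ? "ok" : "rejected", v);
    return 0;
}
```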

Crash Information

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe
*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Read

	Key  : Analysis.CPU.mSec
	Value: 2156

	Key  : Analysis.DebugAnalysisManager
	Value: Create

	Key  : Analysis.Elapsed.mSec
	Value: 6284

	Key  : Analysis.Init.CPU.mSec
	Value: 8343

	Key  : Analysis.Init.Elapsed.mSec
	Value: 2770898

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 98

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 96488

	Key  : Timeline.Process.Start.DeltaSec
	Value: 10

	Key  : WER.OS.Branch
	Value: vb_release

	Key  : WER.OS.Timestamp
	Value: 2019-12-06T14:06:00Z

	Key  : WER.OS.Version
	Value: 10.0.19041.1


NTGLOBALFLAG:  70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff9c01a45b0 (nvwgf2umx+0x00000000000945b0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000002b1b5e64e50
Attempt to read from address 000002b1b5e64e50

FAULTING_THREAD:  000096a4

PROCESS_NAME:  POC_EXEC11.exe

READ_ADDRESS:  000002b1b5e64e50 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  000002b1b5e64e50

STACK_TEXT:  
000000b5`83e0ee08 00007ff9`c040858b     : 000002b0`b9e61a20 00000000`0000000f 00000000`00000000 00000000`bf000001 : nvwgf2umx+0x945b0
000000b5`83e0ee30 00007ff9`c03dc557     : 00000000`00000000 000000b5`83e0ef20 000002b0`bf000009 00000000`50000163 : nvwgf2umx!NVDEV_Thunk+0x9119b
000000b5`83e0eea0 00007ff9`c03d902d     : 00007ff9`c041cc98 000000b5`83e0f430 000002b0`b9e61a20 000002b0`b7d902c0 : nvwgf2umx!NVDEV_Thunk+0x65167
000000b5`83e0ef00 00007ff9`c03d7d36     : 00000000`0000005f 000000b5`83e0f430 00000000`0000005f 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x61c3d
000000b5`83e0f3b0 00007ff9`c01f26c3     : 000002b0`be032048 00000000`00000000 000002b0`b9e65ea0 000000b5`83e0f820 : nvwgf2umx!NVDEV_Thunk+0x60946
000000b5`83e0f460 00007ff9`c01f3c6d     : 000002b0`be032048 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx+0xe26c3
000000b5`83e0f560 00007ff9`c042dce6     : 000002b0`b9deee00 000002b0`b9e5eb40 000002b0`be032048 000002b0`b9e5e980 : nvwgf2umx+0xe3c6d
000000b5`83e0f7f0 00007ff9`c042d9f8     : 00000000`00000000 000002b0`b7e04c00 00000000`00000000 000002b0`b7e6a608 : nvwgf2umx!NVDEV_Thunk+0xb68f6
000000b5`83e0f900 00007ff9`c0676644     : 00000000`00000000 00007ff9`d5500800 000002b0`b9e619a0 000002b0`b7e69e00 : nvwgf2umx!NVDEV_Thunk+0xb6608
000000b5`83e0f9b0 00007ff9`c067658f     : 00000000`00000000 000002b0`0000000f 000002b0`b9f1e8e0 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x241694
000000b5`83e0fa10 00007ff9`c1c37472     : 000002b0`b9f1e8e0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x2415df
000000b5`83e0fa40 00007ff9`d5387614     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x619382
000000b5`83e0fa70 00007ff9`d55026a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000b5`83e0faa0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx+945b0

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~39s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!Unknown

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  31.0.15.2824

FAILURE_ID_HASH:  {7b367f86-064a-2e05-5dc0-760739d560ad}

Followup:     MachineOwner
---------


VENDOR RESPONSE

NVIDIA released a bulletin for the issues here: https://nvidia.custhelp.com/app/answers/detail/a_id/5468

TIMELINE

2023-02-16 - Vendor Disclosure
2023-06-27 - Vendor Patch Release
2023-08-10 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.