Microsoft Hyper-V/RemoteFX: CVE-2020-1043
An exploitable denial of service vulnerability exists in Intel IGC64.DLL graphics driver. A specially crafted hull shader can cause a NULL pointer dereference. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox etc.) as it was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically this vulnerability could be also triggered from a web browser (using WebGL and WebAssembly) but Talos has not been able to confirm this.
Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1043)
6.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE-476: NULL Pointer Dereference
This vulnerability can be triggered by supplying a malformed hull shader, leading to a NULL pointer dereference in the Intel IGC64 driver (this driver is mapped by the affected component, e.g. VMware’s vmware-vmx.exe).
A hull shader transforms a set of input control points (from a vertex shader) into a set of output control points. In order to trigger this vulnerability we have modified the hull shader byte code, specifically the instruction of a function for computing patch constant data.
Typically the most basic one looks like this:
hs_fork_phase
dcl_output o22.z
mov o22.z, l(1.000000)
ret
After modification of the mov instruction (the modified byte code cannot be disassembled into proper text form), it was possible to trigger a NULL pointer dereference in the IGC64 driver.
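The malformed shader reaches the driver's shader compiler through the normal CreateHullShader path, so a component that forwards untrusted shader bytecode to the driver has only one place to filter it: the DXBC container and its token stream. The following is an added example, not code from the Talos advisory or from Intel or Microsoft, of a structural pre-check for DXBC shader blobs: it parses the container header and chunk table with bounds checks, confirms the program type matches the shader stage being created (hull = 3), and walks the opcode tokens verifying that every declared instruction length stays inside the declared program length, which is the property a byte-level modification like the one described above most commonly breaks. The opcode numbers and token layouts are taken from d3d11TokenizedProgramFormat.h as the author of this example recalls them (mov = 54, ret = 62, customdata = 53, hs_fork_phase = 115; program type in bits 16-31 of the version token; instruction length in bits 24-30 of each opcode token) and should be verified against your SDK header. The sample shader is constructed inline; its operand dwords are placeholders rather than a faithful encoding of `dcl_output o22.z` / `mov o22.z, l(1.0)`, and the container's 16-byte digest is left zeroed, since the length walk does not depend on either.

```python
import struct

# Constants as recalled from d3d11TokenizedProgramFormat.h; verify against the SDK header.
OPCODE_CUSTOMDATA = 53      # length lives in the dword after the opcode token
OPCODE_MOV = 54
OPCODE_RET = 62
OPCODE_HS_FORK_PHASE = 115
PROGRAM_TYPE_HULL = 3       # program type field of the version token (bits 16-31)


def build_container(chunks):
    """Assemble a DXBC container from (fourcc, payload) pairs.
    Constructed sample: the 16-byte digest is zeroed (real files carry a modified-MD5 digest)."""
    count = len(chunks)
    header_len = 32 + 4 * count          # magic + digest + version/size/count + offset table
    offsets, body = [], b""
    for fourcc, payload in chunks:
        offsets.append(header_len + len(body))
        body += fourcc + struct.pack("<I", len(payload)) + payload
    total = header_len + len(body)
    return (b"DXBC" + b"\0" * 16 + struct.pack("<III", 1, total, count)
            + struct.pack("<%dI" % count, *offsets) + body)


def opcode_token(opcode, length):
    """Opcode token: opcode type in bits 0-10, instruction length in dwords in bits 24-30."""
    return (length << 24) | opcode


def build_shex(program_type, instructions):
    """SHEX payload: version token (type in bits 16-31, SM 5.0 = 0x50), dword length, tokens."""
    tokens = [t for ins in instructions for t in ins]
    length = 2 + len(tokens)
    return (struct.pack("<II", (program_type << 16) | 0x50, length)
            + struct.pack("<%dI" % len(tokens), *tokens))


def parse_chunks(data):
    """Return {fourcc: payload} after bounds-checking the chunk table against the container."""
    if len(data) < 32 or data[:4] != b"DXBC":
        raise ValueError("not a DXBC container")
    _version, total, count = struct.unpack_from("<III", data, 20)
    if total != len(data) or 32 + 4 * count > total:
        raise ValueError("container size / chunk count mismatch")
    chunks = {}
    for i in range(count):
        off, = struct.unpack_from("<I", data, 32 + 4 * i)
        if off + 8 > total:
            raise ValueError("chunk header outside container")
        size, = struct.unpack_from("<I", data, off + 4)
        if off + 8 + size > total:
            raise ValueError("chunk payload outside container")
        chunks[data[off:off + 4]] = data[off + 8:off + 8 + size]
    return chunks


def check_shader(data, expected_type):
    """Return a list of problems; an empty list means the token stream is structurally sound."""
    problems = []
    code = parse_chunks(data)
    code = code.get(b"SHEX") or code.get(b"SHDR")
    if code is None:
        return ["no shader code chunk"]
    if len(code) < 8 or len(code) % 4:
        return ["shader code chunk too short or not dword-aligned"]
    version, length = struct.unpack_from("<II", code, 0)
    if (version >> 16) != expected_type:
        problems.append("program type %d, expected %d" % (version >> 16, expected_type))
    ndw = len(code) // 4
    if length != ndw:
        problems.append("declared length %d dwords, chunk holds %d" % (length, ndw))
    pos = 2                                   # skip version and length dwords
    while pos < ndw:
        tok, = struct.unpack_from("<I", code, pos * 4)
        opcode = tok & 0x7ff
        if opcode == OPCODE_CUSTOMDATA:       # customdata stores its length in the next dword
            if pos + 1 >= ndw:
                problems.append("truncated customdata block at dword %d" % pos)
                break
            ilen, = struct.unpack_from("<I", code, (pos + 1) * 4)
        else:
            ilen = (tok >> 24) & 0x7f
        if ilen == 0:
            problems.append("zero-length instruction (opcode %d) at dword %d" % (opcode, pos))
            break
        if pos + ilen > ndw:
            problems.append("instruction (opcode %d) at dword %d runs past end" % (opcode, pos))
            break
        pos += ilen
    return problems


def sample_hull_shader(truncate=False):
    """Constructed hull shader with a fork phase: hs_fork_phase / mov / ret.
    The two operand dwords of the mov are placeholders. With truncate=True the mov
    declares more dwords than follow it, the kind of damage a byte patch can leave."""
    mov_len = 6 if truncate else 3
    instructions = [
        [opcode_token(OPCODE_HS_FORK_PHASE, 1)],
        [opcode_token(OPCODE_MOV, mov_len), 0, 0],
        [opcode_token(OPCODE_RET, 1)],
    ]
    return build_container([(b"SHEX", build_shex(PROGRAM_TYPE_HULL, instructions))])


if __name__ == "__main__":
    print("well-formed:", check_shader(sample_hull_shader(), PROGRAM_TYPE_HULL))
    print("truncated:  ", check_shader(sample_hull_shader(truncate=True), PROGRAM_TYPE_HULL))
```

A check like this rejects only structural damage (bad lengths, wrong stage, chunks outside the container); it does not validate operand encodings or declarations, so a shader that is well-formed at the token level can still drive a compiler bug. Its value for a hypervisor or remoting component is as a cheap first filter and as a logging point, so that rejected guest-supplied shaders are recorded rather than silently handed to the driver.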
Stack trace:
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ffc`7138c2c3 : 00000000`00000000 00000000`00000002 000001f3`ab741f70 00000000`00000000 : igc64!OpenCompiler12+0x5293b
01 00007ffc`71338e7e : 00000000`00000000 0000005f`679e9dd0 00000000`00000000 0000005f`00000000 : igc64!OpenCompiler12+0x84b33
02 00007ffc`713344e3 : 000001f3`ab74ca84 00000000`00000001 000001f3`ab74fc28 000001f3`ab74fc28 : igc64!OpenCompiler12+0x316ee
03 00007ffc`713341a3 : 00000000`00000000 000001f3`ab740670 000001f3`ab74ca84 000001f3`ab738650 : igc64!OpenCompiler12+0x2cd53
04 00007ffc`7133406f : 000001f3`ab74ca84 000001f3`ab74ca84 000001f3`ab74ca84 000001f3`ab73e570 : igc64!OpenCompiler12+0x2ca13
05 00007ffc`7130c15d : 000001f3`ab738768 000001f3`ab749360 00000000`00000000 000001f3`a7652430 : igc64!OpenCompiler12+0x2c8df
06 00007ffc`7130b40d : 000001f3`ab7387a8 000001f3`ab738768 000001f3`a7652430 00007ffc`837dbabb : igc64!OpenCompiler12+0x49cd
07 00007ffc`7130cbd3 : ffffffff`00000000 00000000`00000000 000001f3`ab72ca60 00007ffc`75011d33 : igc64!OpenCompiler12+0x3c7d
08 00007ffc`749e7a43 : 000001f3`ab738650 00000000`00000001 0000005f`679ee480 00007ffc`7502f3c8 : igc64!OpenCompiler12+0x5443
09 00007ffc`750fa9f0 : 000001f3`ab707ff0 00000000`00000001 000001f3`ab73a6b0 0000005f`679ee480 : igd10iumd64!OpenAdapter10_2+0x120423
0a 00007ffc`7cc06f58 : 00000000`00000000 000001f3`ab738138 000001f3`ab7059a8 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x8333d0
0b 00007ffc`7cc093d7 : 000001f3`ab74ca84 00000000`00000000 000093bc`4192571d 00000000`0000120c : d3d11!CHullShader::CLS::FinalConstruct+0x23c
0c 00007ffc`7cc09311 : 0000005f`679eefa0 00007ffc`7cde2388 000001f3`ab737fd0 00000000`00001292 : d3d11!CLayeredObjectWithCLS<CHullShader>::FinalConstruct+0xa3
0d 00007ffc`7cc1efff : 000001f3`ab738028 0000005f`679eefa0 0000005f`679eefd0 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CHullShader>::CreateInstance+0x13d
0e 00007ffc`7cc2b17d : 00000000`00000000 000001f3`ab737fd0 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xe2f
0f 00007ffc`7cc2b950 : 000001f3`ab737fd0 00000000`00000014 00000000`00000830 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
10 00007ffc`7cc09a5a : 000001f3`ab705170 00000000`00000014 00000000`0000000a 00000000`00000000 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
11 00007ff6`cb7027a1 : 00000000`80070057 000001f3`ab74c3b0 00000000`00026778 00000000`00000001 : d3d11!CDevice::CreateHullShader+0x1ba
12 00007ff6`cb7042a7 : 000001f3`a5666420 00000000`00026778 000001f3`ab7059b8 00000000`00000000 : POC_EXEC11+0x27a1
13 00007ff6`cb70c880 : 00000000`00000000 000001f3`a56b6674 000001f3`a5691c80 000001f3`00026778 : POC_EXEC11+0x42a7
14 00007ff6`cb70a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
15 00007ff6`cb70a26c : 00000000`00000000 0043004f`0050005c 00000000`00000000 005f0031`00310043 : POC_EXEC11+0xa8cc
16 00007ff6`cb70324a : 000001f3`a5691c80 00000000`00000000 000001f3`a5691c80 000001f3`a5668640 : POC_EXEC11+0xa26c
17 00007ff6`cb72f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
18 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
19 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
1a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: NullClassPtr
Key : AV.Fault
Value: Write
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.Elapsed.Sec
Value: 97
Key : Analysis.Memory.CommitPeak.Mb
Value: 71
Key : Timeline.OS.Boot.DeltaSec
Value: 206250
Key : Timeline.Process.Start.DeltaSec
Value: 2126
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-01-13T12:47:36.878Z
Diff: 878 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-01-13T12:47:36.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-01-13T12:12:10.0Z
Diff: 2126000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-01-11T03:30:06.0Z
Diff: 206250000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 72b14d4437af6d09da2d9fe2a592f06ddf20b1ca
MODLIST_SHA1_HASH: 6ce0e83b6da7c6a553d1e322f42f958f3d7a27e9
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
igc64!OpenCompiler12+5293b
00007ffc`7135a0cb 8901 mov dword ptr [rcx],eax
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc7135a0cb (igc64!OpenCompiler12+0x000000000005293b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000058
Attempt to write to address 0000000000000058
FAULTING_THREAD: 000036b8
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_WRITE
PROCESS_NAME: POC_EXEC11.exe
FOLLOWUP_IP:
igc64!OpenCompiler12+5293b
00007ffc`7135a0cb 8901 mov dword ptr [rcx],eax
WRITE_ADDRESS: 0000000000000058
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000000000058
WATSON_BKT_PROCSTAMP: 5e1b04b9
WATSON_BKT_MODULE: igc64.dll
WATSON_BKT_MODSTAMP: 5ddcfccd
WATSON_BKT_MODOFFSET: a9a0cb
WATSON_BKT_MODVER: 26.20.100.7584
MODULE_VER_PRODUCT: Intel HD Graphics Drivers for Windows(R)
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: IAMLEGION
ANALYSIS_SESSION_TIME: 01-13-2020 13:47:36.0878
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_WRITE_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x36b8]
Frame: [0] : igc64!OpenCompiler12
ID: [0n286]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x36b8]
Frame: [0] : igc64!OpenCompiler12
ID: [0n309]
Type: [NULL_CLASS_PTR_DEREFERENCE]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x36b8]
Frame: [0] : igc64!OpenCompiler12
ID: [0n311]
Type: [NULL_CLASS_PTR_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x678]
TID: [0x36b8]
Frame: [0] : igc64!OpenCompiler12
LAST_CONTROL_TRANSFER: from 00007ffc7138c2c3 to 00007ffc7135a0cb
STACK_TEXT:
0000005f`679e8220 00007ffc`7138c2c3 : 00000000`00000000 00000000`00000002 000001f3`ab741f70 00000000`00000000 : igc64!OpenCompiler12+0x5293b
0000005f`679e8290 00007ffc`71338e7e : 00000000`00000000 0000005f`679e9dd0 00000000`00000000 0000005f`00000000 : igc64!OpenCompiler12+0x84b33
0000005f`679e8550 00007ffc`713344e3 : 000001f3`ab74ca84 00000000`00000001 000001f3`ab74fc28 000001f3`ab74fc28 : igc64!OpenCompiler12+0x316ee
0000005f`679ee000 00007ffc`713341a3 : 00000000`00000000 000001f3`ab740670 000001f3`ab74ca84 000001f3`ab738650 : igc64!OpenCompiler12+0x2cd53
0000005f`679ee040 00007ffc`7133406f : 000001f3`ab74ca84 000001f3`ab74ca84 000001f3`ab74ca84 000001f3`ab73e570 : igc64!OpenCompiler12+0x2ca13
0000005f`679ee140 00007ffc`7130c15d : 000001f3`ab738768 000001f3`ab749360 00000000`00000000 000001f3`a7652430 : igc64!OpenCompiler12+0x2c8df
0000005f`679ee1d0 00007ffc`7130b40d : 000001f3`ab7387a8 000001f3`ab738768 000001f3`a7652430 00007ffc`837dbabb : igc64!OpenCompiler12+0x49cd
0000005f`679ee220 00007ffc`7130cbd3 : ffffffff`00000000 00000000`00000000 000001f3`ab72ca60 00007ffc`75011d33 : igc64!OpenCompiler12+0x3c7d
0000005f`679ee2f0 00007ffc`749e7a43 : 000001f3`ab738650 00000000`00000001 0000005f`679ee480 00007ffc`7502f3c8 : igc64!OpenCompiler12+0x5443
0000005f`679ee330 00007ffc`750fa9f0 : 000001f3`ab707ff0 00000000`00000001 000001f3`ab73a6b0 0000005f`679ee480 : igd10iumd64!OpenAdapter10_2+0x120423
0000005f`679ee380 00007ffc`7cc06f58 : 00000000`00000000 000001f3`ab738138 000001f3`ab7059a8 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x8333d0
0000005f`679ee5d0 00007ffc`7cc093d7 : 000001f3`ab74ca84 00000000`00000000 000093bc`4192571d 00000000`0000120c : d3d11!CHullShader::CLS::FinalConstruct+0x23c
0000005f`679ee8c0 00007ffc`7cc09311 : 0000005f`679eefa0 00007ffc`7cde2388 000001f3`ab737fd0 00000000`00001292 : d3d11!CLayeredObjectWithCLS<CHullShader>::FinalConstruct+0xa3
0000005f`679ee950 00007ffc`7cc1efff : 000001f3`ab738028 0000005f`679eefa0 0000005f`679eefd0 00007ffc`7cde2388 : d3d11!CLayeredObjectWithCLS<CHullShader>::CreateInstance+0x13d
0000005f`679ee9b0 00007ffc`7cc2b17d : 00000000`00000000 000001f3`ab737fd0 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0xe2f
0000005f`679eedf0 00007ffc`7cc2b950 : 000001f3`ab737fd0 00000000`00000014 00000000`00000830 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
0000005f`679eef60 00007ffc`7cc09a5a : 000001f3`ab705170 00000000`00000014 00000000`0000000a 00000000`00000000 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
0000005f`679ef150 00007ff6`cb7027a1 : 00000000`80070057 000001f3`ab74c3b0 00000000`00026778 00000000`00000001 : d3d11!CDevice::CreateHullShader+0x1ba
0000005f`679ef2c0 00007ff6`cb7042a7 : 000001f3`a5666420 00000000`00026778 000001f3`ab7059b8 00000000`00000000 : POC_EXEC11+0x27a1
0000005f`679ef330 00007ff6`cb70c880 : 00000000`00000000 000001f3`a56b6674 000001f3`a5691c80 000001f3`00026778 : POC_EXEC11+0x42a7
0000005f`679ef760 00007ff6`cb70a8cc : 00000000`00000000 00000000`00000000 00000000`00000001 00007ffc`00000000 : POC_EXEC11+0xc880
0000005f`679ef860 00007ff6`cb70a26c : 00000000`00000000 0043004f`0050005c 00000000`00000000 005f0031`00310043 : POC_EXEC11+0xa8cc
0000005f`679efa80 00007ff6`cb70324a : 000001f3`a5691c80 00000000`00000000 000001f3`a5691c80 000001f3`a5668640 : POC_EXEC11+0xa26c
0000005f`679efc70 00007ff6`cb72f5aa : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
0000005f`679efcc0 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
0000005f`679efd00 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000005f`679efd30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: b3201fce2db26d776420945124eef44b5c732f1b
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ee3182307f7e3cbb9e586e2b9c1b5ffcf6475752
THREAD_SHA1_HASH_MOD: 1f0981e78c9e111da5964562765aa3ddad22fedf
FAULT_INSTR_CODE: 8b490189
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: igc64!OpenCompiler12+5293b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: igc64
IMAGE_NAME: igc64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5ddcfccd
FAILURE_BUCKET_ID: NULL_CLASS_PTR_WRITE_c0000005_igc64.dll!OpenCompiler12
BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_WRITE_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE_igc64!OpenCompiler12+5293b
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: igc64.dll
BUCKET_ID_IMAGE_STR: igc64.dll
FAILURE_MODULE_NAME: igc64
BUCKET_ID_MODULE_STR: igc64
FAILURE_FUNCTION_NAME: OpenCompiler12
BUCKET_ID_FUNCTION_STR: OpenCompiler12
BUCKET_ID_OFFSET: 5293b
BUCKET_ID_MODTIMEDATESTAMP: 5ddcfccd
BUCKET_ID_MODCHECKSUM: 2450ddb
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_NULL_CLASS_PTR_WRITE_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: igc64.dll!OpenCompiler12
TARGET_TIME: 2020-01-13T12:49:13.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 17b29
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:null_class_ptr_write_c0000005_igc64.dll!opencompiler12
FAILURE_ID_HASH: {7bbc52a9-77ac-42fd-f21f-7d7a5e807d81}
Followup: MachineOwner
---------
2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release
Discovered by Piotr Bania of Cisco Talos.