NVIDIA Driver – Stack Buffer Overflow in Escape 0x10000e9

• Exploit Database
• 19 阅读

• 作者： Google Security Research
  日期： 2016-10-31
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40668/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947
  
  The escape handler for 0x10000e9 lacks bounds checks, and passes a user
  specified size as the size to memcpy, resulting in a stack buffer overflow:
  
  bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
  ...
  LOBYTE(a9) = escape_->unknown_5[1] != 0;
  LOBYTE(a8) = escape_->unknown_5[0] != 0;
  if ( !sub_DC57C(
  *(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
  escape_->unknown_1,
  escape_->unknown_2,
  escape_->unknown_3,
  escape_->unknown_4,
  escape_->data,
  escape_->size,
  a8,
  a9,
  &escape_->unknown_5[2]) )
  return 0;
  escape_->header.result = 1;
  return 1;
  }
  
  char sub_DC57C(...) {
  ...
  // escape_buf is escape_->data from previous function
  // buf_size is escape->size
  memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
  ...
  
  Crashing context (Win 10 x64, 372.54):
  
  DRIVER_OVERRAN_STACK_BUFFER (f7)
  A driver has overrun a stack-based buffer.This overrun could potentially
  allow a malicious user to gain control of this machine.
  ...
  
  STACK_TEXT:
  ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
  ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
  ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
  ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
  ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
  ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
  ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
  ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
  ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
  ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip