NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9

EDB-ID:

40668

CVE:

2016-8807

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2016-10-31

Vulnerable App: 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947

The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:

bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
  ...
  LOBYTE(a9) = escape_->unknown_5[1] != 0;
  LOBYTE(a8) = escape_->unknown_5[0] != 0;
  if ( !sub_DC57C(
          *(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
          escape_->unknown_1,
          escape_->unknown_2,
          escape_->unknown_3,
          escape_->unknown_4,
          escape_->data,
          escape_->size,
          a8,
          a9,
          &escape_->unknown_5[2]) )
    return 0;
  escape_->header.result = 1;
  return 1;
}

char sub_DC57C(...) {
  ...
  // escape_buf is escape_->data from previous function
  // buf_size is escape->size
  memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
  ...

Crashing context (Win 10 x64, 372.54):

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
...

STACK_TEXT:  
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services