[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5 Exploit

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-26181
Category
dos / poc
Date add
01-11-2016
CVE
CVE-2016-8808
Platform
windows
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
 
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
  
 ...
  
 if ( g_saved_size )
  {
    escape->size = g_saved_size;
    if ( (unsigned int)g_saved_size > 0 )
    {
      do
      {
        v5 = v2++;
        escape->data[v5] = global_array[v5 + 77];
      }
      while ( v2 < g_saved_size );
    }
    return;
  }
  data = 0i64;
 
 
  ...
  if ( escape->size > 0 )
  {
    do
    {
      ii = i++;
      global_array[ii + 77] = escape->data[ii];
    }
    while ( i < escape->size );
 
  ...
  g_saved_size = escape->size;
 
This handler copies data to/from a global array, but lacks any form of bounds checking, as
|escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows
when it's copied back into the escape data.
 
A PoC is attached that should cause a crash (Win 10 x64, 372.54):
 
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
    buffer overrun.
Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40666.zip

#  0day.today [2024-12-25]  #