DxgkDdiEscape handler for escape code 0x100010b

vendor:

N/A

by:

Project Zero

7,2

CVSS

HIGH

Out-of-bounds write

787

CWE

Product Name: N/A

Affected Version From: Win x64 372.54

Affected Version To: Win x64 372.54

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2016

DxgkDdiEscape handler for escape code 0x100010b

The DxgkDdiEscape handler for escape code 0x100010b takes in a user mode event handle from userspace, and calls ObReferenceObjectByHandle on it, writing the object pointer to |Object|. Note that the kernel implementation of ObReferenceObjectByHandle always begins with writing NULL to this pointer regardless of whether or not the handle is valid. |Object| is calculated using a user provided index that is not bounds checked, leading to OOB write of either NULL or the KEVENT pointer.

Mitigation:

Ensure that user-supplied indices are properly bounds-checked before being used to access an array.

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=927

The DxgkDdiEscape handler for escape code 0x100010b looks like:

char escape_100010b(NvMiniportDeviceContext *miniport_context, HANDLE handle, unsigned int idx)
{
  PVOID *Object;
  if ( !handle )
    do_debug_thingo();
  Object = (PVOID *)&miniport_context->UNKNOWN[8 * idx + 22696];
  if ( !ObReferenceObjectByHandle(handle_, SYNCHRONIZE, )ExEventObjectType, UserMode, Object, 0i64) )
  {
    result = 0;
    if ( *Object )
      result = UserMode;
  }
  return result;
}

It essentially takes in a user mode event handle from userspace, and calls
ObReferenceObjectByHandle on it, writing the object pointer to |Object|. Note
that the kernel implementation of ObReferenceObjectByHandle always begins with
writing NULL to this pointer regardless of whether or not the handle is valid.

|Object| is calculated using a user provided index that is not bounds checked,
leading to OOB write of either NULL or the KEVENT pointer:

Object = (PVOID *)&miniport_context_->UNKNOWN[8 * idx + 22696];

The attached PoC causes the following crashing context on Win x64 372.54:

PAGE_FAULT_IN_NONPAGED_AREA (50)
...
rax=ffffe0025ea28f50 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000100000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801d8f3daf5 rsp=ffffd000203deda0 rbp=0000000000000001
 r8=ffffe000506d4b50  r9=ffffe000524fb201 r10=0000000000000000
r11=ffffd000203df370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!ObReferenceObjectByHandleWithTag+0x45:
fffff801`d8f3daf5 488908          mov     qword ptr [rax],rcx ds:ffffe002`5ea28f50=????????????????

To reproduce, compile as a x64 executable and run (requires WDK for D3DKMTEscape).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40661.zip