Missing Bounds Check in Inner Loop of Escape Handler for 0x7000014

vendor:

N/A

by:

Project Zero

7,8

CVSS

HIGH

Stack Buffer Overflow

119

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2020

Missing Bounds Check in Inner Loop of Escape Handler for 0x7000014

There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow. The attached PoC gives the following crashing context (Win 10 x64, 372.54): DRIVER_OVERRAN_STACK_BUFFER (f7). A driver has overrun a stack-based buffer. This overrun could potentially allow a malicious user to gain control of this machine.

Mitigation:

Ensure that bounds checks are performed on user-controlled data before it is used to access memory.

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946

There is a missing bounds check in inner loop of the escape handler for 0x7000014
that leads to a stack buffer overflow:

...
for (DWORD i = 0; < escape->num_data; ++i) {
  ...
  // size is user controlled.
  size = escape->data[i].size;
  for (DWORD j = 0; j < size; ++j) {
     stack_buf[j] = escape->data[...];
  } 
}

The attached PoC gives me the following crashing context (Win 10 x64, 372.54):

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
...
ffffd000`23f94a78 fffff801`6e5deaf2 : ffffd000`23f95270 00000000`000000f7 ffffd000`23f94be0 fffff801`6e43c848 : nt!DbgBreakPointWithStatus
ffffd000`23f94a80 fffff801`6e5de4c3 : 00000000`00000003 ffffd000`23f94be0 fffff801`6e56c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`23f94ae0 fffff801`6e55fa44 : 00000000`00000000 00000000`00000000 ffffc001`c8e7202c fffff801`6e7188b8 : nt!KeBugCheck2+0x893
ffffd000`23f951f0 fffff800`c58e2bc6 : 00000000`000000f7 ffffd000`23f95270 000044dd`b2c37fec ffffbb22`4d3c8013 : nt!KeBugCheckEx+0x104
ffffd000`23f95230 fffff800`c57ba4ce : ffffd000`23f95220 ffffe000`69a62000 00000000`00000001 00000000`07000014 : nvlddmkm+0x192bc6
ffffd000`23f95270 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvlddmkm+0x6a4ce


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40667.zip