- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 40668
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2016-8807
- Дата публикации
- 2016-10-31
NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947
The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:
bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
...
LOBYTE(a9) = escape_->unknown_5[1] != 0;
LOBYTE(a8) = escape_->unknown_5[0] != 0;
if ( !sub_DC57C(
*(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
escape_->unknown_1,
escape_->unknown_2,
escape_->unknown_3,
escape_->unknown_4,
escape_->data,
escape_->size,
a8,
a9,
&escape_->unknown_5[2]) )
return 0;
escape_->header.result = 1;
return 1;
}
char sub_DC57C(...) {
...
// escape_buf is escape_->data from previous function
// buf_size is escape->size
memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
...
Crashing context (Win 10 x64, 372.54):
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
...
STACK_TEXT:
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip
- Источник
- www.exploit-db.com