Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 918 NVIDIA: (NvStreamKms) Stack buffer overflow in PsSetCreateProcessNotifyRoutineEx callback
Starred by 1 user Project Member Reported by ochang@google.com, Aug 27 2016 Back to list
Status: Fixed
Owner:
Closed: Oct 2016
Cc:



Sign in to add a comment
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.

In this particular routine,

if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length / 2;
      // Look for the filename by scanning for backslash.
      if ( num_chars )
      {
        while ( buf[num_chars - (unsigned int)i - 1] != '\\' )
        {
          i = (unsigned int)(i + 1);
          if ( (unsigned int)i >= num_chars )
            goto LABEL_39;
        }
        buf += num_chars - (unsigned __int64)(unsigned int)i;
      }
LABEL_39:
      v26 = (unsigned int)i;
      wcscpy_s((wchar_t *)Dst, i, buf);
      Dst[v26] = 0;
      wcslwr((wchar_t *)Dst);
      v5 = 1;

wcscpy_s is used incorrectly here, as the second argument is not the size of
|Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer
that is at least 255 characters long. The the maximum component paths of most
filesystems on Windows have a limit that is <= 255 though, so this shouldn't be
an issue on normal filesystems.

However, one can pass UNC paths to CreateProcessW containing forward slashes as
the path delimiter, which means that the extracted filename here can be
"a/b/c/...", leading to a buffer overflow. Additionally, this function has no
stack cookie.

e.g.

CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\..../..../..../blah.exe", ...

Crashing context with my PoC (Win 10 x64 with 372.54):

NvStreamKms+0x1c6a:
fffff801`5c791c6a c3              ret

kd> dqs rsp
ffffd000`25bc5d18  00410041`00410041

kd> t

...

KMODE_EXCEPTION_NOT_HANDLED (1e)
...
FAULTING_IP:
NvStreamKms+1c6a
fffff800`5b1d1c6a c3              ret

To reproduce, a WebDAV server is required (can be localhost), and the WebClient
service needs to be started (start can be triggered by user without additional privileges).

Then, run setup to create the long path to the target executable (you'll need to
change the base directories), and then run poc_part1, and then poc_part2 (with
the right UNC path) on the target machine.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
poc.zip
1.5 KB Download
Project Member Comment 1 by ochang@google.com, Aug 27 2016
(thanks to forshaw@ for pointing me to WebDAV :) )
Project Member Comment 2 by ochang@google.com, Aug 27 2016
Summary: NVIDIA: (NvStreamKms) Stack buffer overflow in PsSetCreateProcessNotifyRoutineEx callback (was: NvStreamKms: Stack buffer overflow in PsSetCreateProcessNotifyRoutineEx callback)
Project Member Comment 3 by ochang@google.com, Oct 7 2016
proof of concept local privesc exploit.
exploit.zip
116 KB Download
Project Member Comment 4 by ochang@google.com, Oct 28 2016
Labels: CVE-2016-8812
Project Member Comment 5 by ochang@google.com, Oct 28 2016
Labels: -Restrict-View-Commit
Status: Fixed
Fixed. Bulletin: http://nvidia.custhelp.com/app/answers/detail/a_id/4247
Sign in to add a comment