Vulnerabilities > CVE-2016-8823 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia GPU Driver

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
nvidia
CWE-119
nessus

Summary

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where the size of an input buffer is not validated leading to a denial of service or possible escalation of privileges

Vulnerable Configurations

Part Description Count
Application
Nvidia
1
OS
Microsoft
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL familyWindows
NASL idNVIDIA_WIN_CVE_2016_8826.NASL
descriptionThe version of the NVIDIA GPU display driver installed on the remote Windows host is 340.x prior to 342.01 or 375.x prior to 376.33. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape due to improper access controls. A local attacker can exploit this to access arbitrary memory and thereby gain elevated privileges. (CVE-2016-8821) - A flaw exists in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape IDs 0x600000E, 0x600000F, and 0x6000010 due to improper validation of user-supplied input that is used as an index to an internal array. A local attacker can exploit this to corrupt memory, resulting in a denial of service condition or an escalation of privileges. (CVE-2016-8822) - Multiple buffer overflow conditions exist in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape due to improper validation of an input buffer size. A local attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-8823, CVE-2016-8825) - A flaw exists in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape due to improper access controls. A local attacker can exploit this to write to restricted portions of the registry and thereby gain elevated privileges. (CVE-2016-8824) - A flaw exists in the nvlddmkm.sys driver that allows a local attacker to cause GPU interrupt saturation, resulting in a denial of service condition. (CVE-2016-8826)
last seen2020-06-01
modified2020-06-02
plugin id96002
published2016-12-21
reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/96002
titleNVIDIA Windows GPU Display Driver 340.x < 342.01 / 375.x < 376.33 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96002);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id(
    "CVE-2016-8821",
    "CVE-2016-8822",
    "CVE-2016-8823",
    "CVE-2016-8824",
    "CVE-2016-8825",
    "CVE-2016-8826"
  );
  script_bugtraq_id(
    94918,
    94956,
    94957
  );

  script_name(english:"NVIDIA Windows GPU Display Driver 340.x < 342.01 / 375.x < 376.33 Multiple Vulnerabilities");
  script_summary(english:"Checks the driver version.");

  script_set_attribute(attribute:"synopsis", value:
"A display driver installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the NVIDIA GPU display driver installed on the remote
Windows host is 340.x prior to 342.01 or 375.x prior to 376.33. It is,
therefore, affected by multiple vulnerabilities :

  - A flaw exists in the kernel mode layer (nvlddmkm.sys)
    handler for DxgDdiEscape due to improper access
    controls. A local attacker can exploit this to access
    arbitrary memory and thereby gain elevated privileges.
    (CVE-2016-8821)

  - A flaw exists in the kernel mode layer (nvlddmkm.sys)
    handler for DxgDdiEscape IDs 0x600000E, 0x600000F, and
    0x6000010 due to improper validation of user-supplied
    input that is used as an index to an internal array. A
    local attacker can exploit this to corrupt memory,
    resulting in a denial of service condition or an
    escalation of privileges. (CVE-2016-8822)

  - Multiple buffer overflow conditions exist in the kernel
    mode layer (nvlddmkm.sys) handler for DxgDdiEscape due
    to improper validation of an input buffer size. A local
    attacker can exploit these to cause a denial of service
    condition or the execution of arbitrary code.
    (CVE-2016-8823, CVE-2016-8825)

  - A flaw exists in the kernel mode layer (nvlddmkm.sys)
    handler for DxgDdiEscape due to improper access
    controls. A local attacker can exploit this to write to
    restricted portions of the registry and thereby gain
    elevated privileges. (CVE-2016-8824)

  - A flaw exists in the nvlddmkm.sys driver that allows a
    local attacker to cause GPU interrupt saturation,
    resulting in a denial of service condition.
    (CVE-2016-8826)");
  script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/4278");
  script_set_attribute(attribute:"solution", value:
"Upgrade the NVIDIA graphics driver to version 342.01 / 376.33 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/21");

  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:nvidia:gpu_driver");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  script_dependencies("wmi_enum_display_drivers.nbin");
  script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

kb_base = 'WMI/DisplayDrivers/';

# double check in case optimization is disabled
kbs = get_kb_list(kb_base + '*/Name');
if (isnull(kbs)) exit(0, 'No display drivers were found.');

report = '';

foreach kb (keys(kbs))
{
  name = kbs[kb];
  # only check NVIDIA drivers
  if ("NVIDIA" >!< name) continue;

  nvidia_found = TRUE;
  id = kb - kb_base - '/Name';
  version = get_kb_item_or_exit(kb_base + id + '/Version');
  driver_date = get_kb_item_or_exit(kb_base + id + '/DriverDate');

  disp_driver_date = driver_date;

  # convert to something we can pass to ver_compare (YYYY.MM.DD)
  driver_date = split(driver_date, sep:'/', keep:FALSE);
  driver_date = driver_date[2] + '.' + driver_date[0] + '.' + driver_date[1];

  fix = '';
  note = '';

  # R340 Branch includes 340.x, 341.x, 342.x
  if (version =~ "^34[012]\." && ver_compare(ver:version, fix:"342.01", strict:FALSE) == -1)
  {
    fix = '342.01';
    note = 'Only GeForce GPUs with Tesla architecture are affected.';
  }

  # R375 Branch includes 375.x, 376.x
  if (version =~ "^37[56]\." && ver_compare(ver:version, fix:"376.33", strict:FALSE) == -1)
    fix = '376.33';

  if (!empty(fix))
  {
    order = make_list('Device name','Driver version','Driver date','Fixed version');
    report = make_array(
      order[0],name,
      order[1],version,
      order[2],disp_driver_date,
      order[3],fix
      );

    if (!empty(note))
    {
      report['Note'] = note;
      order = make_list(order, 'Note');
    }
    report = report_items_str(report_items:report, ordered_fields:order);
  }
}

if (!nvidia_found) exit(0, 'No NVIDIA display drivers were found.');

if (!empty(report))
  security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);
else
  exit(0, "No vulnerable NVIDIA display drivers were found.");

Seebug

bulletinFamilyexploit
description### Summary An local denial of service vulnerability exists in the communication functionality of Nvidia Windows Kernel Mode Driver. A specially crafted message can cause a vulnerability resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability. ### Tested Versions (Requires physical machine) - Nvidia Windows Kernel Mode Driver, 372.70 (21.21.13.7270) - Nvidia Windows Kernel Mode Driver, 372.90 (21.21.13.7290) ### Product URLs http://nvidia.com ### CVSSv3 Score 5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H ### Details An local denial of service vulnerability exists in the communication functionality of Nvidia Windows Kernel Mode Driver. A specially crafted D3DKMTEscape message can cause a vulnerability resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability. ``` 0x41, 0x44, 0x56, 0x4E, 0x02, 0x00, 0x01, 0x00, 0x40, 0x01, 0x00, 0x00, 0x2A, 0x2A, 0x56, 0x4E, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x4E, 0x00, 0x56, 0x00, 0x53, 0x00, 0x50, 0x00, 0x43, 0x00, 0x41, 0x00, 0x50, 0x00, 0x53, 0x00, 0x5C, 0x00, 0x61, 0x00, 0x61, 0x00, 0x31, 0x00, 0x38, 0x00, 0x65, 0x00, 0x62, 0x00, 0x63, 0x00, 0x34, 0x00, 0x2D, 0x00, 0x30, 0x00, 0x31, 0x00, 0x39, 0x00, 0x64, 0x00, 0x2D, 0x00, 0x34, 0x00, 0x65, 0x00, 0x63, 0x00, 0x30, 0x00, 0x2D, 0x00, 0x62, 0x00, 0x66, 0x00, 0x31, 0x00, 0x64, 0x00, 0x2D, 0x00, 0x64, 0x00, 0x36, 0x00, 0x33, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00, 0x31, 0x00, 0x38, 0x00, 0x62, 0x00, 0x66, 0x00, 0x35, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9F, 0x21, 0x93, 0x00, 0x32, 0xE1, 0x54, 0x00, 0x00, 0x80, 0x84, 0x1E, 0x00 ``` This bug happens because the ZwSetValueKey API is executed by the Nvidia driver with an invalid argument. ### Crash Information ``` 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffd00026a46000, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff801b0bcfc20, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) Debugging Details: ------------------ READ_ADDRESS: ffffd00026a46000 FAULTING_IP: nt!memcpy+a0 fffff801`b0bcfc20 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT BUGCHECK_STR: AV PROCESS_NAME: intel1.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre TRAP_FRAME: ffffd00026a44670 -- (.trap 0xffffd00026a44670) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=ffffc001f8688670 rdx=00000ffe2e3bd988 rsi=0000000000000000 rdi=0000000000000000 rip=fffff801b0bcfc20 rsp=ffffd00026a44808 rbp=00000000000054e1 r8=000000000000000c r9=00000000000001cc r10=ffffe00152d2ae68 r11=ffffc001f8688024 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na po nc nt!memcpy+0xa0: fffff801`b0bcfc20 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:ffffd000`26a45ff8=???????????????????????????????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff801b0bde42c to fffff801b0bc33a0 STACK_TEXT: ffffd000`26a44408 fffff801`b0bde42c : 00000000`00000050 ffffd000`26a46000 00000000`00000000 ffffd000`26a44670 : nt!KeBugCheckEx ffffd000`26a44410 fffff801`b0af2d09 : 00000000`00000000 ffffe001`5c91b080 ffffd000`26a44670 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0xab6c ffffd000`26a444b0 fffff801`b0bcd62f : 00000000`00000000 ffffc001`f008dfc4 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x769 ffffd000`26a44670 fffff801`b0bcfc20 : fffff801`b0f26473 ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 : nt!KiPageFault+0x12f ffffd000`26a44808 fffff801`b0f26473 : ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 ffffd000`26a44860 : nt!memcpy+0xa0 ffffd000`26a44810 fffff801`b0fbcd18 : ffffc001`f8688024 00000000`00000000 00000000`001e8480 ffffc001`ee828000 : nt!CmpSetValueDataNew+0x157 ffffd000`26a44860 fffff801`b0f0f588 : 01d21329`ff575fe0 ffffd000`26a44991 ffffc001`f170fa70 00000025`00000003 : nt! ?? ::NNGAKEGL::`string'+0x27928 ffffd000`26a448d0 fffff801`b0e3a977 : ffffc001`f7837b50 ffffd000`26a44a40 ffffc001`00000003 ffffd000`26a459ac : nt!CmSetValueKey+0x784 ffffd000`26a449e0 fffff801`b0bcebb3 : ffffc001`ee8763a0 ffffd000`26a44c40 00000000`00000000 fffff801`b0e9bc1e : nt!NtSetValueKey+0x55f ffffd000`26a44bb0 fffff801`b0bc7020 : fffff801`4175a51a 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac : nt!KiSystemServiceCopyEnd+0x13 ffffd000`26a44db8 fffff801`4175a51a : 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac 00000000`000054e1 : nt!KiServiceLinkage ffffd000`26a44dc0 fffff801`4175a051 : 00000000`000054e1 ffffd000`26a459ac 00000000`000054e1 00000000`000054e1 : nvlddmkm+0xb751a ffffd000`26a44e80 fffff801`417944e7 : fffff801`41759fc0 ffffd000`26a45870 ffffd000`26a450b0 00000000`00000140 : nvlddmkm+0xb7051 ffffd000`26a44f20 fffff801`41763faf : 00000000`00000000 fffff801`b0dc97e0 ffffe001`52d2a080 ffffc001`ee803000 : nvlddmkm+0xf14e7 ffffd000`26a44f70 fffff801`41f44769 : ffffd000`26a45508 ffffd000`26a450b0 ffffd000`26a45870 00000000`00000000 : nvlddmkm+0xc0faf ffffd000`26a44fb0 fffff801`41f39e24 : ffffd000`26a45448 ffffd000`26a45658 ffffe001`5d517080 fffff801`b0bcebb3 : nvlddmkm!nvDumpConfig+0x1253a1 ffffd000`26a45410 fffff801`41f44136 : ffffe001`5665a000 ffffd000`26a45519 00000000`00000000 ffffe001`56a96000 : nvlddmkm!nvDumpConfig+0x11aa5c ffffd000`26a45450 fffff801`41efb43d : ffffd000`26a45780 ffffd000`26a455e9 ffffd000`26a45780 ffffe001`5665a000 : nvlddmkm!nvDumpConfig+0x124d6e ffffd000`26a45580 fffff801`413604f8 : 00000000`00000002 ffffe001`5c825220 00000000`4e562a2a 00000000`01000003 : nvlddmkm!nvDumpConfig+0xdc075 ffffd000`26a45650 fffff801`413c5b4e : 00000000`00000000 ffffd000`26a45b80 ffffd000`26a45ad0 fffff801`41463b98 : dxgkrnl!DXGADAPTER::DdiEscape+0x48 ffffd000`26a45680 fffff960`002d41d3 : ffffe001`5a294010 ffffe001`5d517080 00000000`7f82f000 ffffe001`5a294010 : dxgkrnl!DxgkEscape+0x802 ffffd000`26a45ab0 fffff801`b0bcebb3 : ffffe001`5d517080 00000000`7f82d000 00000000`0013fdb0 00000000`00000000 : win32k!NtGdiDdDDIEscape+0x53 ffffd000`26a45b00 00000000`773d74aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 00000000`0013dfd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773d74aa STACK_COMMAND: kb FOLLOWUP_IP: nvlddmkm+b751a fffff801`4175a51a 85c0 test eax,eax SYMBOL_STACK_INDEX: b SYMBOL_NAME: nvlddmkm+b751a FOLLOWUP_NAME: MachineOwner MODULE_NAME: nvlddmkm IMAGE_NAME: nvlddmkm.sys DEBUG_FLR_IMAGE_TIMESTAMP: 57bf5593 FAILURE_BUCKET_ID: AV_nvlddmkm+b751a BUCKET_ID: AV_nvlddmkm+b751a ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:av_nvlddmkm+b751a FAILURE_ID_HASH: {4bb56d14-bad0-e413-eed6-722441b0442f} Followup: MachineOwner --------- ``` ### Timeline * 2016-09-30 - Initial Discovery * 2016-10-17 - Vendor Notification * 2016-12-14 - Public Disclosure
idSSV:96634
last seen2017-11-19
modified2017-10-10
published2017-10-10
reporterRoot
titleNvidia Windows Kernel Mode Driver Denial Of Service(CVE-2016-8823)

Talos

idTALOS-2016-0217
last seen2019-05-29
published2016-12-14
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0217
titleNvidia Windows Kernel Mode Driver Denial Of Service