40 lines
No EOL
1.8 KiB
Text
40 lines
No EOL
1.8 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936
|
|
|
|
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
|
|
input escape data, and relies on a user provided size as the upper bound for writing output.
|
|
|
|
Crashing context with PoC (Win 10 x64 with 372.54):
|
|
|
|
KERNEL_SECURITY_CHECK_FAILURE (139)
|
|
A kernel component has corrupted a critical data structure. The corruption
|
|
could potentially allow a malicious user to gain control of this machine.
|
|
...
|
|
|
|
rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
|
|
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
|
|
rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
|
|
r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620
|
|
r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
|
|
r14=0000000000000000 r15=0000000000000000
|
|
iopl=0 nv up ei ng nz ac pe nc
|
|
dxgkrnl!_report_gsfailure+0x5:
|
|
fffff801`f4152b75 cd29 int 29h
|
|
Resetting default scope
|
|
|
|
EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228)
|
|
ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
|
|
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
|
|
ExceptionFlags: 00000001
|
|
NumberParameters: 1
|
|
Parameter[0]: 0000000000000002
|
|
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
|
|
|
|
To reproduce, compile the PoC as a x64 binary (requires linking with
|
|
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
|
|
as for it to work as the escape data must contain the right values (e.g. a
|
|
field that appears to be gpu bus device function). My PoC should hopefully set
|
|
all the right values for the machine it's running on.
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40662.zip |