A local code execution vulnerability that affects the Intel HD Graphics Kernel Mode Driver for Windows could allow an attacker to run arbitrary code on a target system or cause denial of service, Cisco Talos researchers discovered.
Tracked as CVE-2016-5647, the security issue was discovered in the communication functionality of Intel Graphics Kernel Mode Driver. An attacker can exploit the vulnerability by sending a specific message to escalate privileges on the local system and cause a system crash (denial of service), or execute arbitrary code.
The vulnerability was discovered by Piotr Bania in Intel HD Graphics Windows Kernel Mode Driver version 10.18.14.4264 and requires physical access to the impacted machine to be exploited. The sending of a specially crafted D3DKMTEscape request to the Intel HD Graphics driver results in a NULL dereference and an attacker can leverage the vulnerability for their own benefits, the researcher notes in an advisory.
However, the exploitation of the flaw is limited to local contexts, and Cisco’s researcher explains that the severity of the vulnerability depends on the system an adversary would be trying to exploit. Windows 7 or earlier systems can be targeted for arbitrary code execution in the context of SYSTEM, while Windows 8 or later systems are only prone to a system crash (denial of service).
According to Cisco Talos’ Earl Carter, an attacker would require the ability to allocate or map the NULL page in Windows to exploit the bug for arbitrary code execution. In Windows 7 or earlier, the NTVDM (NT Virtual DOS Machine) subsystem can be used to allocate or map the NULL page.
“When a NULL dereference occurs in kernel space, the user-mode application that caused a context switch is still mapped in lower memory. An attacker can take advantage of this and map the NULL page before triggering the vulnerability to control the contents of the dereference. In this case, the user-controlled value could be a function pointer and lead to arbitrary code execution,” the researcher explains.
Microsoft removed the NTVDM subsystem from the 64-bit version Windows 8 and later to mitigate the attack type, while 32-bit version of Windows 8 or newer have NTVDM disabled by default. According to Cisco’s researcher, however, these mitigations are not foolproof, because “another driver could possibly be manipulated into placing user controlled data at the NULL page.” However, this is not a generic case like the usermode mapping.
According to Carter, the main issue here is backwards compatibility, which can be exploited by adversaries who are aware that many organizations cannot upgrade to newer platform releases due to legacy application requirements. Thus, businesses need to find other ways to mitigate attacks, such as ensuring they keep their operating system updated with the latest security patches.
Related: Intel Patches Vulnerability in Driver Update Utility