NVIDIA NvStreamKms PsSetCreateProcessNotifyRoutineEx Stack Buffer Overflow

Posted by deepcore on October 31, 2016 – 11:54 pm

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here: the second argument is not the size of |Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer that is at least 255 characters long. The maximum path-component length on most Windows filesystems is <= 255, so this shouldn't be an issue on normal filesystems. However, one can pass UNC paths to CreateProcessW that use forward slashes as the path delimiter, which means that the extracted filename here can be "a/b/c/…", leading to a buffer overflow. Additionally, this function has no stack cookie.
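The root cause is the bound passed to wcscpy_s. Passing the source length as the "size of destination" argument means the function's own check can never fail, so the only thing keeping the copy inside |Dst| is the assumption that a path component is at most 255 characters, which forward-slash paths break. The following C is an added example, not NVIDIA's driver code: it reimplements a wcscpy_s-style checked copy (the real wcscpy_s is not available on non-Windows toolchains), extracts the last backslash-delimited component the way the post describes (an assumption about the driver's logic), and shows the correct bound, the destination capacity, rejecting an over-long component instead of overflowing. The buffer size of 256 and the sample paths are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <errno.h>

/* Assumed capacity of the driver's stack buffer; the post only says "at least 255". */
#define DST_CHARS 256

/* Last path component after the final backslash. Assumption: this mirrors how the
 * driver derives the filename; forward slashes are deliberately NOT treated as
 * separators, which is why "a/b/c/..." survives as a single component. */
const wchar_t *last_component(const wchar_t *path) {
    const wchar_t *p = wcsrchr(path, L'\\');
    return p ? p + 1 : path;
}

/* Hardened copy in the spirit of wcscpy_s: dst_chars is the DESTINATION capacity in
 * wide characters. Returns 0 on success, ERANGE when src plus its terminator does
 * not fit (dst is left as an empty string), EINVAL for a zero-length destination. */
int copy_component_checked(wchar_t *dst, size_t dst_chars, const wchar_t *src) {
    size_t n = wcslen(src);
    if (dst_chars == 0) return EINVAL;
    if (n >= dst_chars) {
        dst[0] = L'\0';
        return ERANGE;
    }
    memcpy(dst, src, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Analysis helper (no copy performed): with the bound computed from the SOURCE
 * length, i.e. wcscpy_s(dst, n + 1, src), the library check always passes, so the
 * copy exceeds a DST_CHARS buffer exactly when n + 1 > DST_CHARS. */
int bound_from_source_would_overflow(const wchar_t *path) {
    size_t n = wcslen(last_component(path));
    return (n + 1) > DST_CHARS;
}

/* Correct pattern: bound taken from the destination. Returns 1 if the filename
 * component fits in a DST_CHARS buffer, 0 if the checked copy rejects it. */
int filename_fits(const wchar_t *path) {
    wchar_t dst[DST_CHARS];
    return copy_component_checked(dst, DST_CHARS, last_component(path)) == 0;
}

/* Constructed sample: a UNC-style prefix followed by `segments` single-letter
 * components joined with forward slashes ("a/a/a/..."), as the post describes. */
static wchar_t sample[4096];
const wchar_t *make_forward_slash_path(size_t segments) {
    const wchar_t *prefix = L"\\\\server\\share\\";
    size_t i, pos;
    wcscpy(sample, prefix);
    pos = wcslen(prefix);
    for (i = 0; i < segments && pos + 2 < 4095; i++) {
        sample[pos++] = L'a';
        sample[pos++] = L'/';
    }
    sample[pos] = L'\0';
    return sample;
}

/* Scratch buffer for demonstrating the checked copy on a small destination. */
wchar_t scratch[8];
```

A normal path such as C:\Windows\notepad.exe yields an 11-character component and fits either way; a forward-slash path with 200 segments yields a 400-character component, which the source-derived bound lets through while the destination-derived bound rejects with ERANGE. The fix in real code is the same as here: pass the destination's element count (or, for a local array, sizeof(dst)/sizeof(dst[0])) and handle the error return.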


This post is filed under "exploit" and has no responses so far.