### SUMMARY

A vulnerability exists in the communication functionality of the Intel Graphics Kernel Mode Driver. A specially crafted message can trigger the vulnerability and result in arbitrary code execution. An attacker can send a specific message to trigger this vulnerability and escalate their privileges on the local system.

### TESTED VERSIONS

Intel HD Graphics Windows Kernel Mode Driver, Version 10.18.14.4264 (requires physical machine)

### PRODUCT URLS

http://intel.com

### CVSSv3 SCORE

8.4 – CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:P/RL:U/RC:C

### DETAILS

This vulnerability can be triggered by sending a specially crafted D3DKMTEscape request to the Intel HD graphics driver.

The faulting code is located in the Intel Graphics Kernel Mode Driver (igdkmd64 module):

```
.text:00000000001BE910 loc_1BE910:                       ; CODE XREF: sub_1BE4F0+43Ej
.text:00000000001BE910     mov     edx, [rdi+rbx*4+4]
.text:00000000001BE914     mov     rcx, rsi
.text:00000000001BE917     call    qword ptr [rsi+0C8h]
.text:00000000001BE91D     mov     rcx, rax
.text:00000000001BE920     call    qword ptr [rax+250h]  ; * arbitrary code execution here *
```

The instruction at 0x1BE920 calls through the qword pointer stored at @rax+0x250, i.e. it executes whatever that qword points to.
In this case @rax is NULL (memory location at address 0), so the call reads its target from address 0x250.

### CRASH INFORMATION

Additional information from the crash dump:

```
FOLLOWUP_IP:
igdkmd64!hybDriverEntry+1485b0
fffff801`61fd0920 ff9050020000    call    qword ptr [rax+250h]

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  igdkmd64!hybDriverEntry+1485b0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: igdkmd64
IMAGE_NAME:  igdkmd64.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  55c196be
STACK_COMMAND:  .cxr 0xffffd00031747590 ; kb
BUCKET_ID_FUNC_OFFSET:  1485b0
FAILURE_BUCKET_ID:  0x3B_igdkmd64!hybDriverEntry
BUCKET_ID:  0x3B_igdkmd64!hybDriverEntry
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:0x3b_igdkmd64!hybdriverentry
FAILURE_ID_HASH:  {b388e4ef-f5cc-39ba-96af-1f55e1c7ae40}

RetAddr           : Args to Child                                                           : Call Site
fffff801`61fb33b1 : ffffd000`31748320 ffffe001`00000003 ffffd000`317480c0 00000000`00000046 : igdkmd64!hybDriverEntry+0x1485b0
fffff801`61ee4166 : ffffd000`31748320 00000025`000f003f ffffe001`7209e080 ffffc001`a13db100 : igdkmd64!hybDriverEntry+0x12b041
fffff801`61edfa4a : ffffc001`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igdkmd64!hybDriverEntry+0x5bdf6
fffff801`61ed5b1f : 00000000`00000001 00000000`00000000 ffffc001`a5198900 00000000`00007fff : igdkmd64!hybDriverEntry+0x576da
fffff801`61edc798 : ffff23ff`00000000 00000000`00000000 00000000`00000001 ffffc001`a5198940 : igdkmd64!hybDriverEntry+0x4d7af
fffff801`61ed51b5 : 00000000`00000000 00000000`00000204 ffffc001`a5198740 00000000`00000000 : igdkmd64!hybDriverEntry+0x54428
fffff801`61e48613 : ffffd000`31748768 00000000`00000000 ffffe001`6dcd1000 ffffe001`6dcd1000 : igdkmd64!hybDriverEntry+0x4ce45
fffff801`61e48507 : ffffe001`6ddc4140 ffffd000`31748ad0 ffffe001`6ddc4140 00000000`00000001 : igdkmd64+0x26613
fffff801`60d1ea34 : ffffd000`31748768 ffffe001`6ddc4140 ffffd000`31748768 ffffe001`6ddc4140 : igdkmd64+0x26507
fffff801`60ceffef : ffffe001`6ddc4140 ffffd000`31748b80 ffffc001`a51d9000 fffff800`00000000 : dxgkrnl!DXGADAPTER::DdiEscape+0x48
fffff960`002c563b : ffffe001`6ddc4140 ffffe001`7209e080 00000000`7f5ac000 ffffe001`6ddc4140 : dxgkrnl!DxgkEscape+0x54f
fffff800`ac5d41b3 : ffffe001`7209e080 00000000`7f5aa000 00000000`00e6fdb0 00000000`00000000 : win32k!NtGdiDdDDIEscape+0x53
00000000`770574aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x770574aa
```

### TIMELINE

* 2016-03-07 – Vendor Notification
* 2016-07-11 – Public Disclosure
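The bug class behind the DETAILS section, as an added illustration that is not Intel's code: a lookup made through a function pointer at `[obj+0C8h]` returns an object, and the driver immediately calls through the function pointer at `[obj+250h]` without checking that the lookup succeeded. The `Ctx`/`Target` structs, the index-based lookup and the sample table below are hypothetical; only the two slot offsets come from the disassembly. The unchecked dispatch faults on a NULL result exactly like the crash dump shows, while the checked dispatch rejects the request before the indirect call.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of the call pattern in the advisory's disassembly.
 * Only the offsets 0xC8 and 0x250 are taken from the page; everything
 * else (struct names, lookup semantics, table contents) is constructed.
 */
typedef struct Target Target;
struct Target {
    unsigned char pad[0x250];
    int (*handler)(Target *self);                    /* slot at [obj+250h] */
};

typedef struct Ctx Ctx;
struct Ctx {
    unsigned char pad[0xC8];
    Target *(*lookup)(Ctx *self, unsigned int idx);  /* slot at [ctx+0C8h] */
    Target *table[4];
    unsigned int count;
};

static int ok_handler(Target *self) { (void)self; return 1; }

/* Hypothetical lookup: NULL when the request-supplied index is not backed
 * by an object. A caller that trusts the result unconditionally is the bug. */
static Target *lookup_impl(Ctx *self, unsigned int idx) {
    return idx < self->count ? self->table[idx] : NULL;
}

/* Vulnerable shape: mirrors "mov rcx, rax / call qword ptr [rax+250h]" with
 * no NULL test. An unresolvable index dereferences address 0 + 0x250. */
int dispatch_unchecked(Ctx *ctx, unsigned int idx) {
    Target *t = ctx->lookup(ctx, idx);
    return t->handler(t);
}

/* Hardened shape: validate the lookup result and the slot before the
 * indirect call, so malformed request data cannot steer execution. */
int dispatch_checked(Ctx *ctx, unsigned int idx) {
    Target *t = ctx->lookup(ctx, idx);
    if (t == NULL || t->handler == NULL)
        return -1;                                   /* reject the request */
    return t->handler(t);
}

/* Constructed sample context: a single valid object at index 0.
 * Static storage is zero-initialised, so unused table slots are NULL. */
Ctx *make_ctx(void) {
    static Target target;
    static Ctx ctx;
    target.handler = ok_handler;
    ctx.lookup = lookup_impl;
    ctx.table[0] = &target;
    ctx.count = 1;
    return &ctx;
}

int main(void) {
    Ctx *ctx = make_ctx();
    printf("checked,   valid index 0   -> %d\n", dispatch_checked(ctx, 0));
    printf("checked,   invalid index 7 -> %d\n", dispatch_checked(ctx, 7));
    printf("unchecked, valid index 0   -> %d\n", dispatch_unchecked(ctx, 0));
    /* dispatch_unchecked(ctx, 7) would dereference NULL, as in the crash. */
    return 0;
}
```

The layout pads put the two function-pointer slots at the same offsets the disassembly reads from, which is a convenient way to confirm that a C model of a vtable-style call matches the instruction stream; the only behavioural difference between the two dispatch functions is the single validation before the second indirect call.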