October 27, 2016

Details of vulnerability in the Nvidia Display Driver Service removed by author

nvidia-logo(LiveHacking.Com) –  Freelance computer security consultant Peter Winter-Smith has posted details of a vulnerability in the Nvidia Display Driver Service that if exploited would allow an attacker to escalate their privileges to Administrator on a Windows machines. However once posted, Peter decided to remove the information saying “it has caused some trouble for a few friends of mine and I didn’t intend for that to happen.”

According to Kaspersky Lab, who saw the details of the vulneravility before they were removed, the Nvidia Display Driver Service (Nvvsvc.exe) is vulnerable to a stack buffer overflow that bypasses the data execution prevention (DEP) and address space layout randomization (ASLR) mechanisms used by Windows since Vista.

“The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin before removing his own post. “The buffer overflow occurs as a result of a bad memmove operation.”

It is thought that the vulnerability is difficult to exploit remotely because it only applies to domain-based machine with relaxed firewall rules. For a local attack where the attacker already has access to the machine the vulnerability is easier to exploit.

“In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy,” Winter-Smith said. “It’s not incredibly serious (compared to—say–a browser exploit). If it were going to put people at risk I’d not have released exploit code and I’d have informed the vendor and kept quiet until a fix were issued.”

However since he has now removed the details about the vulnerability it can be assumed that the problem is much severer than he first thought.

NVIDIA fixes root privilege escalation in its Linux drivers

(LiveHacking.com) — Over a month ago an anonymous coder sent a small C program to Dave Airlie, who maintains the Direct Rendering Manager (DRM) subsystem in the Linux kernel, that allows an attacker to gain root access to a Linux machine by exploiting a vulnerability in NVIDIA’s Linux drivers.

The exploit works by using a vulnerability in the /dev/nvidiao device which allows the VGA window to be moved around until it can read and write to somewhere useful in physical RAM. Then the exploit performs a root privilege escalation by writing directly to kernel memory.

Over a month passed since information about the vulnerability was submitted to NVIDIA and the graphics company has not responded. As a result Airlie has made the exploit public.

“I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I’d post it for them,” wrote Dave Airlie in a post to a security mailing list.

NVIDIA has now released version 304.32 of its drivers for Linux, FreeBSD and Solaris. The updated driver contains a hotfix to block access to the registers involved in this attack. At the same time NVIDIA has also blocked access to some other registers which it identified as being susceptible to a similar type of attack.

The 295.71 driver is available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/295.71/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/295.71/

Solaris: ftp://download.nvidia.com/solaris/295.71/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/295.71/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/295.71/

The 304.32 driver is also available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/304.32/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/304.32/

Solaris: ftp://download.nvidia.com/solaris/304.32/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/304.32/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/304.32/

Details about the updated driver and the patches are available at: http://nvidia.custhelp.com/app/answers/detail/a_id/3140