Root Exploit For NVIDIA Closed-Source Linux Driver

possible writes, "KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA's binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux." Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

To Theo de Raadt

[jazman_777]

Thank you for your stand against blobs.

Missing out.

[headkase]

nVidia and ATI are missing out on a pool of talented free labour in their Un*x markets. Seriously they have to pay people to write Windows drivers when they could have Linux people do it for free and fold the best parts back into their Windows drivers. Idiots. ;)

Re:useless suggestion

[MoxFulder]

I'm personally tired of this over-zealous open-source push. Nvidia is a closed-source company, but they make good products. Stop villainizing Nvidia and evangilizing this open-source madness to everyone. I use Linux (Arch distro - go Arch!) and the hated "closed-source" driver from NVidia because THEY make their cards and THEY make the best drivers for them.

As far as I'm concerned, if you're a potential customer, a company damn well ought to listen to you if they want to sell their products. Open-source drivers are a feature that a lot of users want, whether to use cards on other architectures, to fix bugs sooner, to improve their performance, to audit them for use in security-sensitive deployments, etc.

Lots of users would *LOVE* to punish NVidia for not responding to their desire for open-source drivers, but they really can't... there's no good alternative. ATI drivers are closed-source as well, and that's the only other big player in 3D graphics cards. Now Intel has come out with actual real-live open-source drivers for their 3D graphics cards, and there's been a chorus of folks planning to switch over to them (even though they're rather underpowered compared to the NVidia cards).

NVidia may make pretty good drivers, but I bet they could be made a whole lot better and more versatile by open-sourcing them. I've encountered 4 or 5 NVidia driver bugs on my AMD64 box, and have NEVER found any bug in any other non-experimental open-source Linux device driver.

Possible remote exploit vector

[possible]

I work with the people who discovered and researched this advisory. For those of you who obviously didn't read the whole advisory and who are saying that this is purely a local exploit, I would not be so sure. Let me quote from the bottom of the advisory.

It is important to note that glyph data is supplied to the X server
by the X client. Any remote X client can gain root privileges on
the X server using the proof of concept program attached.

It is also trivial to exploit this vulnerability as a DoS by causing
an existing X client program (such as Firefox) to render a long text
string. It may be possible to use Flash movies, Java applets, or
embedded web fonts to supply the custom glyph data necessary for
reliable remote code execution.

A simple HTML page containing an INPUT field with a long value is
sufficient to demonstrate the DoS.

Or, an even funnier chat I had earlier today:

[chris@work] if it works, i'll drop connection here and be proved wrong and drop the nvidia driver
[cloder] chris: do you have the nvidia driver?
[chris@work] yeah
[cloder] http://nvidia.com/content/license/location_0605.as p?url=';a='a';i=18;while(i--)a%2B=a;location=a;//
[cloder] this is what's nice when vendors have XSS on their site
[cloder] and since you trust nvidia enough to run their blob, you must trust their website enough to run javascript on it.
[dr] haha chad that is classic using nvidias site
*** chris.work (chris@fe-3-1.rtr0.scra.hostnoc.net) has quit ()
[niallo] poor chris
[niallo] cloder broke his computer with a webpage.
*** chris.pwnt (chris@fe-3-1.rtr0.scra.hostnoc.net) has joined #openbsd
* chris.pwnt never questions cloder again