Slashdot Mirror

← Back to Stories (view on slashdot.org)

Root Exploit For NVIDIA Closed-Source Linux Driver

Posted by ryuzaki0 on from the dangerous-blobs dept.

possible writes, "KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA's binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux." Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

9 of 548 comments (clear)

  1. Re:useless suggestion by Anonymous Coward · · Score: 5, Funny

    stfu. Say first post next time like normal people.

  2. To Theo de Raadt by jazman_777 · · Score: 5, Insightful

    Thank you for your stand against blobs.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  3. Missing out. by headkase · · Score: 5, Insightful

    nVidia and ATI are missing out on a pool of talented free labour in their Un*x markets. Seriously they have to pay people to write Windows drivers when they could have Linux people do it for free and fold the best parts back into their Windows drivers. Idiots. ;)

    --
    Shh.
  4. HW makers should produce multiple drivers by davidwr · · Score: 5, Interesting

    Hardware vendors, be they printers, video cards, or what-not, should work to 2 sets of specs:

    A high-performance, possibly proprietary, specification that gives them a definate edge over their competitors. If they want to ship binary-only drivers that's fine.

    A possibly-lesser-performance specification that does "the basics" - everything a typical device of its type can do. This specification should be public, preferably with open-source drivers. Even without drivers, those who need to can write drivers from the specification. For a high-end video card, this should be everything that a low- or medium-end card could do. For an all-in-one printer, this should include basic full-color printing at "typical for its technology" resolutions, basic full-color scanning at "typical for its technology" resolutions, and b&w and color faxing. For a high-end sound card, this should include at least 2-channel sound. For a communications device, it should include all internationally-accepted standards that the device supports, but need not include the most efficient or highest-performance embodiment of those standards.

    Most important is full disclosure:
    Any device that doesn't provide a full, published specification of "everything" must disclose the limits of the published specifications, so buyers will know exactly what they are buying: a device that, should problems be found with the drivers, or when used with operating systems without supported drivers, is limited to a specified downgraded functionality.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Fixed weeks ago by Planeflux · · Score: 5, Informative

    Apparently, the bug/exploit was fixed in the 9625 beta release. http://www.nzone.com/object/nzone_downloads_rel70b etadriver.html

  6. Re:useless suggestion by JensenDied · · Score: 5, Informative
    FTFA
    NVIDIA released the 1.0-9625
    Comment posted by Anonymous (not verified) on Monday, October 16, 2006 - 13:22

    NVIDIA released the 1.0-9625 driver which fixes this bug last month: http://www.nzone.com/object/nzone_downloads_rel70b etadriver.html

    Its a bit ironic how these Rapid7 guys are foaming at the mouth about NVIDIA's awareness of the issue when Rapid7 wasn't even aware that its been fixed for weeks now.
    --

    09:F9:11:02 - 9D:74:E3:5B - D8:41:56:C5 - 63:56:88:C0

  7. Re:useless suggestion by MoxFulder · · Score: 5, Insightful
    I'm personally tired of this over-zealous open-source push. Nvidia is a closed-source company, but they make good products. Stop villainizing Nvidia and evangilizing this open-source madness to everyone. I use Linux (Arch distro - go Arch!) and the hated "closed-source" driver from NVidia because THEY make their cards and THEY make the best drivers for them.


    As far as I'm concerned, if you're a potential customer, a company damn well ought to listen to you if they want to sell their products. Open-source drivers are a feature that a lot of users want, whether to use cards on other architectures, to fix bugs sooner, to improve their performance, to audit them for use in security-sensitive deployments, etc.

    Lots of users would *LOVE* to punish NVidia for not responding to their desire for open-source drivers, but they really can't... there's no good alternative. ATI drivers are closed-source as well, and that's the only other big player in 3D graphics cards. Now Intel has come out with actual real-live open-source drivers for their 3D graphics cards, and there's been a chorus of folks planning to switch over to them (even though they're rather underpowered compared to the NVidia cards).

    NVidia may make pretty good drivers, but I bet they could be made a whole lot better and more versatile by open-sourcing them. I've encountered 4 or 5 NVidia driver bugs on my AMD64 box, and have NEVER found any bug in any other non-experimental open-source Linux device driver.
    --
    My bicyles
  8. Re:useless suggestion by cortana · · Score: 5, Informative

    The drivers on that page are "BETA". Not released.

    It is interesting that when someone holds back the disclosure of a vulnerability in Microsoft software they are praised for practicing "responsible disclosure", but when these Rapid7 people do the same they are accused of foaming at the mouth needlessly since a fixed driver is allegedly already released.

  9. Possible remote exploit vector by possible · · Score: 5, Insightful
    I work with the people who discovered and researched this advisory. For those of you who obviously didn't read the whole advisory and who are saying that this is purely a local exploit, I would not be so sure. Let me quote from the bottom of the advisory.
    It is important to note that glyph data is supplied to the X server
    by the X client. Any remote X client can gain root privileges on
    the X server using the proof of concept program attached.

    It is also trivial to exploit this vulnerability as a DoS by causing
    an existing X client program (such as Firefox) to render a long text
    string. It may be possible to use Flash movies, Java applets, or
    embedded web fonts to supply the custom glyph data necessary for
    reliable remote code execution.

    A simple HTML page containing an INPUT field with a long value is
    sufficient to demonstrate the DoS.
    Or, an even funnier chat I had earlier today:
    [chris@work] if it works, i'll drop connection here and be proved wrong and drop the nvidia driver
    [cloder] chris: do you have the nvidia driver?
    [chris@work] yeah
    [cloder] http://nvidia.com/content/license/location_0605.as p?url=';a='a';i=18;while(i--)a%2B=a;location=a;//
    [cloder] this is what's nice when vendors have XSS on their site
    [cloder] and since you trust nvidia enough to run their blob, you must trust their website enough to run javascript on it.
    [dr] haha chad that is classic using nvidias site
    *** chris.work (chris@fe-3-1.rtr0.scra.hostnoc.net) has quit ()
    [niallo] poor chris
    [niallo] cloder broke his computer with a webpage.
    *** chris.pwnt (chris@fe-3-1.rtr0.scra.hostnoc.net) has joined #openbsd
    * chris.pwnt never questions cloder again