Slashdot Mirror
Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public."
The one releasing the exploit (relayed to him anonymously) is David Arlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
Use Windows and you don't get linux malware. True story, mod +5 true accordingly.
Shouldn't the VGA window be a window into the video memory, or at least configuration registers?
With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.
/* No Comment */
I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.
Maybe people need to stop being apologists for this kind of thing...
Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could them let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.
Maybe if Nvidia had better quality random Joe's, when this sort of stuff did pass by them it would get escalated and not deleted.
Nvidia are just serial fuckups. Wasted half my saturday trying to find a driver release that would work on my wifes Kubuntu 11 PC. Eventually gave in and upgraded to 12.04 instead of manually erasing the broken install yet again... to find another fscking broken driver and no X. These idiots are completely incompetent and simply don't respond to error reports or much of anything else from ordinary users.
Nvidia, still haven't forgotten all the accelerated functions in your chipsets that gradually got turned of as drivers updated, because the hardware was rotten to the core and couldn't be made to work. Or the ongoing multi year saga of begging for working PAL TV support, all of it falling on deaf ears. Or the magically vanished TV out support when Vista shipped.
Frankly a root exploit is one of their lesser sins.
It's certainly legit..
c@v:~$ ... ... ./nvid-root
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225]
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#
sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise
sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#
Yeah you don't get more flimsy evidence than a working exploit.
If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.
Good thing all the outside the box type virus writers are busy writing malware for Macs so they don't have time to focus on Linux lol.
/steps on the soap box. Heh, Microsoft the one with the most security holes of the bunch and you are throwing these statements around? They have holes from years ago that they haven't fixed and just come back with the "upgrade your OS" line of B.S. And UAC is supposed to make Windows Vista/7 secure, that is a joke.
I fully understand that it takes a while for companies to stamp out bugs but I think companies have become far too lax on their bug squashing. The people that buy their products become their beta testers and this to me is just wrong. I do software testing and I know from 20 yrs of testing that companies will downgrade bugs even if they are considered critical by the testers just to get a product out the door on time. They will then try to minimize the damage until they can put out the next version with a hopeful fix in them.
I think we need to make some of these companies responsible for their horrible code and lack of testing. /steps off the soap box
Not too long ago Intel had a firmware exploit in their processors.
I still appreciate the effort Nvidia's made to support their cards on OSes such as linux and BSD over the years. I'll still only EVER buy nvidia cards because of their driver support.
Here's hoping they keep trucking along at it, even with what Linus' said and now this.
PS: I don't reply to ACs.
obligatory http://www.youtube.com/watch?v=_36yNWw_07g
You mean six years ago they also had a vulnerability? In the modern world we live, that sounds like a ringing fucking endorsement. With companies like Microsoft, you need only say something like, "last Tuesday." Doesn't sound like a bad track record to me.
"privilege escalation hole" sounds like something after "friends with benefits". Just saying.
They have security vulnerabilities fairly regularly. Ones that are remotely exploitable are rarer, but the cited one from the grandparent was first known in 2004, not fixed until 2006, and allowed someone to anyone who could make you display an image (e.g. in a web page) run arbitrary code in your kernel. It gets cited a lot because it's a perfect case study in stunningly incompetent security.
I am TheRaven on Soylent News
It needs a local execution method (either another exploit or a tricked user) and access to /dev/nvidia0.
So, for example, even if you exploit a web service to execute this on a suitable machine, you still won't get anything as long as web service's user doesn't have permissions on /dev/nvidia0.
Worst of all, it still needs downloading and compiling sources. WTF, Linux? When are we going to get all the software available prepackaged and regularly updated from the repository? Other OSes handle it well, no need for "wget && patch && gcc" to get this working, no need for sudo and sometimes even no need for any actions from user AT ALL, simply visit a page and it just works!
Especially if you're referring to a Pinto.
Or better yet: nVidia could actually make their driver open source. That way, we'll have all the bells and whistles, and when a security flaw gets known the community can patch it without nVidia's involvement.
I didn't say Windows was perfect, just that if you send a (crank) security exploit to Microsoft they review it. They may not fix it. They may say the best that you can do is upgrade, but they know whether or not it's a real hole. (At least, that's the policy.)
X11 has NEVER been secure its ridiculous to try and point the finger at Nvidia and this is why they have not cared for a month. Its a favorite interview question I use on *NIX applicants- "So tell me, how do you secure X11?". Usually this question gets some laughs and a nice way to break the ice. Seriously though, what is the alternative here? The Ford Escape catches on fire but would you turn down a Ford GT? Probably not and the same goes for graphics acceleration- are you going to turn down that fire-breathing graphics card in your hot little hands? Probably not. If someone gets into your X11 box at that level there is a problem with your network not the Linux box.
The graphics driver is both monstrously large and operates at a very low level, there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmak put it: I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.
I read the internet for the articles.
At normal software companies this would probably go through a process like:
1) Confirmation of the problem
2) Determine severity
3) Assign a release to fix it by
4) Have someone fix it
5) Verify the fix
6) Ship it with the next release
In addition, one may want to look around for related problems and fix those too. Since it is a security issue, I would hope that a fix makes it into the next driver release AFTER the one that is in process. Or perhaps hurried into the one that is in process if it won't delay too long. I don't think a month is really that long for a company that size to go without a fix. Upon reading the summary I honestly thought the last word was going to be "year" not "month", in which case a fix would be long overdue.
I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.
Sure, it's be patched, and you could probably apply the patch locally, but it wouldn't be in the official repository yet. And then you get to wait for the review process, where someone tells you how they would have done it differently, if they only had the time or the interest, but since you didn't do it that way, you need to rewrite your patch. This is pretty much true of most Open Source communities, which tend not to take rough consensus and working code, and then clean up the cosmetic stuff later.
Then you get to wait for it to move from "development" to "beta" to "stable" before it actually makes it into an official release version. In most Open Source communities, this whole thing can take months.
In general, I'd have to say Open Source doesn't win over closed in this case, and I say that as a long time Open Source person.
If people keep insisting on abusing their watered down idiot's distro, then crying when it doesn't work. We're going to keep telling them to use the right tool for the job!
“Common sense is not so common.” — Voltaire
TwinView doesn't work in nouveau
There's plenty of horsepower on the card
Platform-agnostic api, super-duper-thin wrapper libaries
It also solves all the whinging about binary blobs
So you're going to foot the legal bills for auditing all the source for copyrights and patents, plus pay for all the costs associated with rewriting any and all licensed code that won't allowed to be open sourced, and finally finance all the extra work needed to make it into mainline? You realize it's not as simple for NVIDIA as creating a public git repo and uploading the source code, right?
Perhaps not entirely coincidentally, "one month" is about the amount of time that nVidia's web forum - comically also the only route for reporting bugs, and found here - has been shut down due to a DDoS attack.
Probably not the best way to follow up their snippy response to Linus Torvald bashing their Linux support.
Amen! I had a hell of a time trying to report a bug in the ATI driver as well. And how do you report a bug to netflix? All company web front pages should have big button that says "report bug". People are out here doing free QA for them and they aren't taking advantage. Plus I actually get pissed when I cannot report a bug. And I know I am not alone here, so it is bad PR.
Yeah, one month can be pretty short notice to actually fix, test, and release some more complicated bugs. But in this cas,e Nvidia never even responded to people who notified them of the exploit. If I reported a security hole and they acknowledged it and let me know the were working on fixing it, then I would give them far more than a month to fix it. But if they just ignored me, then I'd release it after a month too.
There has been a mysterious bug causing total system freezes for many thousands of Mint users. A lot were attributed to Muffin/Cinnamon and allegedly solved for those particular users, but many others (like me, using Mate) seem to be graphics related and they persist. After updating to kernel 3.3.6 from 3.2.6, the issue seemed to go away. But after upgrading to 3.4.6-generic, it seems it may be back. The only thing close to a consensus is that it is graphics related. Many report that disabling nvidia drivers solves the issue, but my intel is affected too. I am not savvy enough to know, but whatever the hell is going on, it's pretty bad. Having your system completely crash every other hour is a genuinely terrible bug, or suite of them.
Forward! -- Emperor Norton, 2012
Don't have a problem with ubuntu in general, but migration to 12.04 is kinda sucky.
I prefer to keep my homedir in a seperate partition for upgrades like this. That way I can add the new OS on another partition, install, and see how scary the update is...
There is a good broker service for this. Tipping Point's Zero day initiative. Register, submit your vulnerability, they research it, contact the vendor, and pay you for your 0day finding.
Take off every 'sig' !!