Slashdot Mirror


Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines

L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."

129 comments

  1. Easy solution by Synerg1y · · Score: 4, Insightful

    Use Omega drivers, I stopped using Nvidia drivers about the time they started putting an Nvidia windows user on my systems for "gathering performance data".

    1. Re:Easy solution by Anonymous Coward · · Score: 2, Insightful

      If they have "local access" they can pretty much do whatever anyway.

    2. Re:Easy solution by k_187 · · Score: 5, Informative

      You mean the nVidia Omega drivers based on a version from 2007? Or the ones that the creator said a year ago he'd no longer be able to support?

      --
      11 was a racehorse
      12 was 12
      1111 Race
      12112
    3. Re:Easy solution by Anonymous Coward · · Score: 1

      If you think the omega drivers aren't from Nvidia I have a bridge to sell you.

    4. Re:Easy solution by Synerg1y · · Score: 1

      They're based on nvidia drivers, just like linux is based off of unix to a lesser extent, however what I appreciate the most about them is the installer isn't nearly as invasive, pretty sure it installs that extra user with just the drivers from the OEM, regardless of whether you choose to install the console or not. They used to serve a more important purpose and that's providing stable drivers the many times nvidia fell short.

    5. Re:Easy solution by Anonymous Coward · · Score: 0

      Wrong.... They took the results of a bog standard nvidia install and repackaged it inside their own installer. The omega "drivers" could be distributed as a perl script that applies the same modifications to the registry and removal of certain nvidia files. He has no programming experience and no access to source code, so stability improvements would beggar belief. The actual driver is binary/checksum identical, and out-of-date. So not at all like unix vs linux. More like an offline install CD vs. a web installer for the exact same version of the exact same linux distribution, only someone added in some settings files suitable for their own PC...

    6. Re:Easy solution by LordLimecat · · Score: 2

      The guy who created them had neither the time nor the expertise to "develop" new drivers. He repackaged the bog-standard drivers and tweaked some settings, including opening up an already existing but hidden overclocking GUI.

      If this guy was able to develop his own drivers from scratch, I have a feeling the Nouveau guys would be reaching out to him for information.

    7. Re:Easy solution by Desler · · Score: 1

      The drivers are tweaked versions of those officially released by ATI and nVidia, mainly using registry tweaks and offering an alternative installer. They are not custom drivers compiled from source code.

      From here.

      So your comparison between Unix and Linux is quite laughably wrong. The Omega drivers are just the official drivers packaged with registry tweaks and an alternate installer. Nothing more.

    8. Re:Easy solution by Synerg1y · · Score: 5, Informative

      You're 100% correct about the source code, he never had access, however he did package the modded driver into its own installer and omega is considered a 3rd party driver. Don't underestimate the registry either, all the driver settings / a lot of the config are stored there. Some of these tweaks led to increased stability in the past. I'd have to agree they're out of date, but a lot of the cards it supports aren't getting new drivers / improvements from nvidia anytime soon either. I thought I'd just throw this out there for those looking for something else to try, especially with all the invasiveness of newer nvidia drivers.

    9. Re:Easy solution by Anonymous Coward · · Score: 0

      Or just disable the Nvidia service altogether. I've been doing that for years because it is an unnecessary service.

    10. Re:Easy solution by masternerdguy · · Score: 1

      Are you kidding? All the guy did was disable registry entries that locked you from doing dumb crap like overclocking an integrated chipset. He also removed the stuff that makes sure that your device is actually supported by the driver, so the omega drivers are basically the spray and pray version of hardware support.

      --
      To offset political mods, replace Flamebait with Insightful.
    11. Re:Easy solution by Anonymous Coward · · Score: 0

      And I suppose you write your own drivers? LOL

      I'm too lazy to reg hack and discover what obfuscated settings and code do.

      Therefore I used omega drivers on a laptop when nvidia had a few shitty bugs. It worked around by disabling some unnoticeable features or compatibility settings and I played games just fine.

      Without them, I would have been shit up a creek without a paddle. What the guy did is not rocket science or spectacular. But the best sysadmins all share their bats, bash scripts and tricks, or borrow others and hack them to suit their needs. Qmail was (is?) great in this regard.

    12. Re:Easy solution by Anonymous Coward · · Score: 0

      It has a way of starting itself back up every time drivers are updated.

    13. Re:Easy solution by Anonymous Coward · · Score: 0

      Do you also install codec packs?

    14. Re:Easy solution by Anonymous Coward · · Score: 0

      Which is how often? My display driver is stable, why would I fix what isn't broken?

  2. You call that "editing?" by CanHasDIY · · Score: 4, Insightful
    Here, Timmy, let me do your job for you:

    A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith.

    Granted, I've seen worse, but c'mon, man, you're getting paid for this shit.

    Pay attention.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:You call that "editing?" by girlinatrainingbra · · Score: 2, Interesting
      re Granted, I've seen worse
      Actually, this is even worse than you think. Take a look at the original submission in which I commented hours ago: http://slashdot.org/firehose.pl?op=view&id=41570609

      Note that the original submission (not by me but by "wiredmonkey") has a longer explanation and two copies of a link to the securityweek article in it. The security week article has the link to the Nvidia customer help site with the repaired/fixed driver blob in it. Timothy is somehow getting someone to copy prior submissions and actively take out the useful stuff before posting it to the front page! J'accuse! (finger pointing accusatorially)

    2. Re:You call that "editing?" by Jeng · · Score: 1

      That may actually prove to be a good tactic to get them to do better.

      In the past most people just call them names, actually posting a corrected version of the submission shows the "editors" what they need to be doing.

      Personally bad grammar doesn't faze me, but for the grammar nazis out there this is better than just calling the editors names.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    3. Re:You call that "editing?" by h4rr4r · · Score: 1

      When were the trolls banished?

      Make a damn name and stop tagging AC posts.

    4. Re:You call that "editing?" by l0ungeb0y · · Score: 1

      On Slashdot the "Editing" job duties consist solely of hitting the "approve" button on selected story submissions.

    5. Re:You call that "editing?" by Anonymous Coward · · Score: 0

      I see no evidence of a patch for this exploit yet - the Security Week article seems to link to the patch for the Linux exploit announced months ago, not the Windows exploit announced on 12/25. Or am I missing something?

    6. Re:You call that "editing?" by CanHasDIY · · Score: 1

      As a grammar nazi (who, admittedly, commits apostrophe abuse on a regular basis), I tend to agree.

      As a person who understands human nature fairly well, I completely agree - the old adage, 'you catch more flies with honey than with vinegar,' rings true in more ways than one. Insults only serve to cause the one being insulted to close up mentally, thus making it impossible to educate them to their mistakes after that point.

      Anyone interested in the most effective ways to encourage certain behavior (without necessarily agitating the subject to the point of non-compliance) would do well to read the book Nudge: Improving Decisions About Health, Wealth, and Happiness by Richard Thaler.

      Good stuff.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    7. Re:You call that "editing?" by Anonymous Coward · · Score: 0

      Unfortunately after they Nudge you they then start to push you and when push comes to shove.....

    8. Re:You call that "editing?" by Anonymous Coward · · Score: 0

      No it doesn't. I've had a submission accepted for the front page. The editor replaced the links I had (to Ars Technica) with some lame write up on a blog - apparently due to an advertising arrangement?? He also butchered the text from my correct wording to something, well, less correct.

    9. Re:You call that "editing?" by Zontar+The+Mindless · · Score: 1
      --
      Il n'y a pas de Planet B.
    10. Re:You call that "editing?" by 1s44c · · Score: 1

      I'm pretty sure that's system privileges, not root privileges.

    11. Re:You call that "editing?" by 1s44c · · Score: 1

      Ever since the Negroes and liberals took over this site and America, it has gone to shit. Why do the socialists hate this country?

      -- Ethanol-fueled

      Abducting people from the streets of Europe in violation of the laws of the countries they were abducted from, using torture on these people, and refusing these people a fair trial did a great amount of harm to the image of your country.

      But if you mean by 'gone to shit' that the money has run out, well that's what you get if you are constantly at war. Wars cost a lot of money.

    12. Re:You call that "editing?" by Anonymous Coward · · Score: 0

      They were banished when you faggots started taking well-made humorous trolls and downmodded them without a second thought. Then most of you faggots don't see the humor and demand they stop.

      Also, the delete link on posts that showed up when I printed a page of comments from Firefox one time. That no longer shows up. But that the "editors" have the ability to so easily delete posts goes right along with what Ethanol-fueled said. Just like the flags. Which I already spam with complaints.

    13. Re:You call that "editing?" by Anonymous Coward · · Score: 0

      You pull the same shit posting as ac fuckhead http://slashdot.org/comments.pl?sid=3344029&cid=42408983 and you admit to it even when you have a registered account here. Busted.

    14. Re:You call that "editing?" by Zontar+The+Mindless · · Score: 1

      That bears absolutely no resemblance to going round posting trolls as AC and tagging them with one's username as you and Ethanol-fuelled are wont to do.

      --
      Il n'y a pas de Planet B.
  3. Root privileges on Windows? by Anonymous Coward · · Score: 0

    Bad link?
    Missing "to".

    Oh, timothy...

  4. root access by Anonymous Coward · · Score: 2, Informative

    isn't the term root reserved for linux machines, isn't it called admin for windows?

    1. Re:root access by Anonymous Coward · · Score: 1

      Not really. "Root" has stronger connotations on windows.

    2. Re:root access by Anonymous Coward · · Score: 1

      Not really, it is just a term used for the top level system access. Sometimes called admin or superuser, root is just the standard name used for unix. In windows now especially it is probably better to refer to root or system level access as even admin accounts "can" have certain restrictions applied to them.

    3. Re:root access by DragonTHC · · Score: 1

      has to do with security rings. They mean ring 0.

      --
      They're using their grammar skills there.
    4. Re:root access by ais523 · · Score: 4, Informative

      Windows actually has two root-like permission levels, "administrator", and "SYSTEM" (which is higher and cannot be given to normal accounts). It might be interesting to know which the attack allows escalation to (although I think an attacker could do anything they cared about with only administrator-level permissions, they'd just have to do it a little indirectly).

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    5. Re:root access by Bengie · · Score: 4, Informative

      Ring 0 has to do with Kernel level, not user permissions.

      "root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.

    6. Re:root access by LordLimecat · · Score: 1

      A user with admin privileges can gain system level access.

    7. Re:root access by LordLimecat · · Score: 3, Informative

      Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.

      It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.

    8. Re:root access by VGPowerlord · · Score: 1

      On XP, root and SYSTEM are functionally identical. It wasn't until Vista introduced UAC that they became different (because Administrator is subject to UAC, but SYSTEM isn't).

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    9. Re:root access by dissy · · Score: 3, Informative

      Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
      You now have a command prompt window running as system cwd'd to the system32 dir.

      Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.

    10. Re:root access by LordLimecat · · Score: 2

      That's not correct; there are certain times I ran into "access denied" attempting to kill some task (ie, some virus scanner process) as admin, while the same operation succeeded once I elevated to SYSTEM and killed the process there.

      Security aside there were other differences, such as local environment obviously.

    11. Re:root access by Bryansix · · Score: 2

      So you like Linux because Windows does its permissions levels EXACTLY THE SAME WAY? I'm confused.

    12. Re:root access by Bryansix · · Score: 0

      Easiest? No. Anything in a command line is not "easy". It is fully functional? Yes. However I would rather choose a script from a drop down menu, select the comps from the left and drag to the right, choose a time, and hit "run". I can do this with N-Central. You just have to pay for that solution.

    13. Re:root access by theArtificial · · Score: 1

      Anything in a command line is not "easy".

      Nice absolute. Not all command lines are created equal, look at the abortion that is PowerShell but at least Windows has ls. Off the top of my head: how about copying files in a directory, let's say files/photos/resumes/songs/logs organized by first and last name delimited with a space, and you want all of the Bs. It's clumsy at best with the GUI. How about renaming all of them to replace the spaces with an underscore? It's not like anyone manages music collections... with specific regard to admin tasks, command line is a heck of a lot easier (admin level prompt, type command(s)) than navigating to the desired tool, loading it up, navigating the wizard/menus, selecting tasks (repeating).

      You just have to pay for that solution.

      The proposed solution doesn't sound easier in comparison. First you need to go to a website, then buy something, (possibly)download it, install/deploy it, (possibly)configure it, create/customize the scripts, test it and finally do it. How is that easier than typing something? It's an immense benefit to become familiar with tools one uses daily, especially when you're charging for your time. Good engineering revolves around efficiency, less moving parts means less potential to go wrong. In addition now your credentials are available in multiple places. Call me old fashioned but requiring people to know what they're doing without depending upon 3rd party software to do their job shouldn't be considered 'hard' but something that comes with the territory.

      Barring physical disabilities, do you not use Google because typing things is hard?

      --
      Man blir trött av att gå och göra ingenting.
    14. Re:root access by dissy · · Score: 1

      However I would rather choose a script from a drop down menu, select the comps from the left and drag to the right, choose a time, and hit "run". I can do this with N-Central. You just have to pay for that solution.

      I'll stick with my psexec, bat, and tcl scripts. I'd much rather just double click a single icon and have the script figure out what hosts need the action performed on and simply do it all for me.

      But to each their own :}

    15. Re:root access by Anonymous Coward · · Score: 0

      Easiest? No. Anything in a command line is not "easy".

      Don't use that line during a job interview. Leave your badge at the door.

    16. Re:root access by Anonymous Coward · · Score: 0

      No, you can name accounts whatever you want and assign them whatever permissions you want. On both systems.

      The fact your post was modded as "informative" just goes to show how clueless the current readership on slashdot is.

    17. Re:root access by Bryansix · · Score: 1

      Wow. You totally missed the point. Of course you have to download, deploy and support N-Central but if you think all it does is make schedule scripts then you are sorely mistaken. Funny you mention google. Maybe you could type N-Central into google and educate yourself.

    18. Re:root access by Bryansix · · Score: 1

      Oh, well N-Central does that too because we've combined it with Ninite so it can figure out if a third party app is updated or not and installed it. That's just one example.

    19. Re:root access by Bryansix · · Score: 1

      Haha. People are stuck in the past.

    20. Re:root access by dissy · · Score: 1

      On a side note, I actually did google for N-center after you mentioned it (I've never heard of it before, and am always looking for new tools to help make running windows less painful)

      The first thought I had was, this program has literally nothing to do with what myself or ais523 were speaking of in this thread - specifically relating to the administrator and system accounts in windows, or how to gain access to the system account.
      N-Central doesn't appear to operate at a level above administrator...

      For being completely off topic I have to wonder why you're pushing that software so hard, on top of the flexibility and capability we would lose from changing our work procedures around how n-central wants to do things.

      Personally, whenever a tool forces me to do things its way instead of the tool doing what I need, it has to bring some pretty serious advantages to the table before such a disruption will even be considered.

      Unfortunately their website's main/front page doesn't describe the technical details too well. Lots of buzzwords. It may be "so much more" as you claim, but it looks like a fairly steep learning curve just to deploy it and get things back to our current capabilities, let alone be at the point to avail myself of any other advantages.

      The main feature, a GUI for drag-and-dropping blocks that are its commands, wouldn't be very useful to me as I already know the commands.

      But as I said before, I'll stick to the tools I don't need a reference to use, and you should feel free to do the same.

    21. Re:root access by theArtificial · · Score: 1

      Maybe you could type N-Central into google and educate yourself.

      Do you have a N-Central GUI recommendation for creating the query?

      --
      Man blir trött av att gå och göra ingenting.
  5. Re:#WindowsRage by etash · · Score: 1

    are you aware of any OS that does not suffer from privilege escalation exploits? if so, be a dear and share it with the rest of us.

  6. Hurray for closed source by Anonymous Coward · · Score: 0

    Let's see how fast this one is either fixed or spun into "it's a feature, really, don't worry about it".

    Closed source - it's like open source, but to only those that can read assembly.

  7. oh nohz! by Anonymous Coward · · Score: 0

    let the bitcoin farming begin! lol.

    1. Re:oh nohz! by Anonymous Coward · · Score: 0

      farming? I'd much rather pillage than farm.

    2. Re:oh nohz! by Anonymous Coward · · Score: 0

      farming? I'd much rather pillage than farm.

      Yeah, that's what the Vikings thought too. Didn't work out so well for them.

  8. Re:#WindowsRage by gman003 · · Score: 3, Funny

    MS-DOS.

    You kind of need "privileges" in order to have privilege escalation.

  9. NVIDIA privilege escalation exploit by girlinatrainingbra · · Score: 5, Informative
    The article says enables an attacker to install a user on the target system, completely bypassing Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections

    I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
    NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article and also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 custhelp.com site for nvidia which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org:

    It basically abuses the fact that the /dev/nvidia0 device accept changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does an priv escalation by writing directly to kernel memory.

    Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.

    1. Re:NVIDIA privilege escalation exploit by Anonymous Coward · · Score: 0

      Notice how with C code how end-users are screwed and dependent upon the provider of the C code to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.

      Protip: 99.999% of NVidia driver end-users either do not know C or are not willing to patch or use a one-off modified OS driver, or had privileges to install said driver in the first place and simply have no reason to care...

    2. Re:NVIDIA privilege escalation exploit by Trelane · · Score: 1

      Protip: 99.999% of car drivers either do not know how to change their oil or are not willing to learn how and simply have no reason to care. That's why we all take our cars to the original dealer.

      --
      Given enough personal experience, all stereotypes are shallow.
    3. Re:NVIDIA privilege escalation exploit by Anonymous Coward · · Score: 0

      girlinatrainingbra:

      ...[W]ith binary blobs ... end-users are screwed and dependent upon the provider of the blob to fix things.

      True.

      You:

      ...[W]ith C code ... end-users are screwed and dependent upon the provider of the C code to fix things.

      False.

      So what was your point, exactly? Or was there one, other than to try to look clever?

    4. Re:NVIDIA privilege escalation exploit by Zontar+The+Mindless · · Score: 1

      Hm, dunno how that got posted AC, but it was me.

      --
      Il n'y a pas de Planet B.
  10. Re:#WindowsRage by Anonymous Coward · · Score: 0

    I know reading 101 is a fail for most /. users, but for fucks sake even the summary points out it is an NVidia exploit. Or do you somehow think Linux would be magically immune to a kernel level exploit in NVidia drivers?

  11. Re:#WindowsRage by etash · · Score: 1

    yay! i'm upgrading to ms-dos right now!

  12. Even easier solution.... by Anonymous Coward · · Score: 0

    Store confidential data on a cloud server that does not use nvidia - now it's okay if your PC is hacked. If your computer gets used as a bot, sue nvidia and profit.

    1. Re:Even easier solution.... by Anonymous Coward · · Score: 0

      BRO, don't ever, ever, ever get a job in infosec.

    2. Re:Even easier solution.... by 1s44c · · Score: 2

      BRO, don't ever, ever, ever get a job in infosec.

      With the rash of companies losing all their data in recent years I think he already has.

  13. servers are starting to use GPS for CPU tasks by Joe_Dragon · · Score: 0

    servers are starting to use GPS for CPU tasks

    1. Re:servers are starting to use GPS for CPU tasks by Anonymous Coward · · Score: 2, Funny

      Apparently, GPS offers more than location and time services. Unfortunately, I think GPS satellites are too high up to be considered "in the cloud." Maybe it's time for a new catchy phrase for them? Cloud 2.0? Or, better yet, Void. "I do all of my computing in the Void" has a nice ring to it.

      It never dawned on me until just now, but with all of the added computing required of the GPS satellites, no wonder Apple Maps is having so many problems!

    2. Re:servers are starting to use GPS for CPU tasks by Anonymous Coward · · Score: 0

      They've hacked the GPS satellites? I didn't think they had that much computing power, and the latency would be terrible.

  14. Stop talking by Anonymous Coward · · Score: 1

    If it were going to put people at risk I'd not have released exploit code and I'd have informed the vendor and kept quiet until a fix were issued.

    Just when you were scoring high marks, you had to keep flapping your jaws. Vendors (especially NVidia) do not traditionally respond to polite suggestions regarding their buggy code -- you would have eventually been forced to go public, and the vulnerability would have gone that much longer unaddressed. People with insecure systems that would otherwise be none-the-wiser can now take steps to protect themselves until a patch can be developed. There is no reason to sit on this, even if it were easier to exploit, being that it's a non-essential, third-party service that is easily disabled by even a novice user... going public was and would be the most prudent course of action.

  15. Re:#WindowsRage by Anonymous Coward · · Score: 1

    Linux Nvidia drivers don't open an SMB named pipe (which, for added bonus can be used for remote attacks from same domain), so this one exploit is pretty much Windows specific. And yeah, you just proved your point.

  16. Re:#WindowsRage by etash · · Score: 1

    so because nvidia software opens a pipe, it's windows fault. well done descartes!

  17. Disable nvsvc32 by Anonymous Coward · · Score: 5, Informative

    I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.

    1. Re:Disable nvsvc32 by Quietust · · Score: 1

      I just tried disabling nvsvc32, but I discovered that it doesn't exist on my system - the NVIDIA Display Driver Service is named "nvvsvc.exe" (and the Update Service Daemon is "daemonu.exe"), and while I did find an "nvsvc64.dll", I could not find a single file named "nvsvc32.exe" anywhere on my system.

      Is this something that only exists in the 32-bit drivers (I'm running Win7 x64), or is it something that disappeared in the 310.70 drivers released last week?

      --
      * Q
      P.S. If you don't get this note, let me know and I'll write you another.
    2. Re:Disable nvsvc32 by Krneki · · Score: 1

      Or just use a firewall / router to block access to your PC from the outside. And if you don't do this already you are a zombie (botnet).

      But I do agree with you, the extra features available through the service are most of the time not needed and I have no idea why they insist on forcing us to have this crap running in the background.

      --
      Love many, trust a few, do harm to none.
  18. Re:#WindowsRage by Anonymous Coward · · Score: 1

    Clearly a windows specific problem.

    THIS COULD NEVER HAPPEN ON LINUX.... except that one time when it did.

    http://www.zdnet.com/privilege-escalation-security-hole-found-in-nvidia-linux-driver-7000001986/

  19. Re:#WindowsRage by Anonymous Coward · · Score: 0

    a linux privesc exploit using the nvidia driver came out months ago.

  20. Re:#WindowsRage by AndyKron · · Score: 1

    Interestingly, I found my last surviving copy of DOS just the other day. I was planning on firing up the Tandy 1500 laptop to see if it still worked.

  21. Mod him up, someone by Anonymous Coward · · Score: 2, Informative

    Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

    Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
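The manual steps described here and in the "Disable nvsvc32" thread above (stop the NVIDIA Display Driver Service, confirm nothing breaks, then set it to Disabled) can be done from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from NVIDIA; it assumes the service's display name contains "NVIDIA Display Driver Service" as reported from services.msc, and deliberately matches on the display name rather than a binary name, since the thread reports the executable as nvvsvc.exe on some systems and nvsvc32.exe on others.

```powershell
# Added example (not from the Slashdot thread): audit and disable the
# NVIDIA Display Driver Service as a temporary mitigation until a fixed
# driver is installed. Run from an elevated PowerShell prompt.
# Assumption: the display name contains "NVIDIA Display Driver Service";
# the service binary name varies by driver version, so match by display name.

$pattern = 'NVIDIA Display Driver Service'

# Locate the service and show what is actually running: binary path,
# start mode and the account it runs under (the thread says it runs as SYSTEM).
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like "*$pattern*" }
if (-not $svc) {
    Write-Output "No service matching '$pattern' found on this machine."
    return
}
$svc | Select-Object Name, DisplayName, State, StartMode, StartName, PathName | Format-List

foreach ($s in $svc) {
    # Stop it if it is running, then set the start type to Disabled so a
    # reboot does not bring it back. (Per the thread, a driver update will
    # reinstall and re-enable it, so re-run this after updating.)
    if ($s.State -eq 'Running') {
        Stop-Service -Name $s.Name -Force
    }
    Set-Service -Name $s.Name -StartupType Disabled
}

# Verify the end state: Status should be Stopped and StartType Disabled.
Get-Service -DisplayName "*$pattern*" | Select-Object Name, Status, StartType
```

As the posters note, the expected side effect is that the NVIDIA Control Panel stops working; the display driver itself (nvlddmkm.sys) keeps running. Setting StartType back to Manual or Automatic restores the control panel.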

    1. Re:Mod him up, someone by Ash+Vince · · Score: 4, Informative

      Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

      Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

      Just to second this from a real slashdot user :)

      I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
    2. Re:Mod him up, someone by Bearhouse · · Score: 1

      Indeed. Goes for any of these 'enhanced' shitware progs. Just install the basic drivers and in my experience, (all windows from XP up), through all cards, everything works fine. Of course, they sometimes make it really hard to just install the drivers - I wonder why?

    3. Re:Mod him up, someone by Anonymous Coward · · Score: 0

      It's basically the service that passes the preferences you'd set in the nVidia control panel to the driver when you're using 3d apps. I presume that if it's disabled, the driver just defaults to performance settings, instead of the normal 'quality' settings.

    4. Re:Mod him up, someone by Lashat · · Score: 1

      I wish NVIDIA distributed a driver that could be installed via the .inf file using the Windows Control Panel.

      Wouldn't this solve the problem?

      --
      For every benefit you receive a tax is levied. - Ralph Waldo Emerson
    5. Re:Mod him up, someone by Anachragnome · · Score: 1

      "Indeed"

      Win7 64-bit here.

      Since I switched over to Win7 from XP, I've gotten into the habit of letting Windows find the drivers for everything when setting up a new machine. Just plug all that shit in and see what happens--9 times out of ten Windows nails it and the device simply works. My wife has this elderly HP All-in-One Printer/scanner that comes with a massive package of software, all of which installs with the drivers if I use the provided install disk. I ended up with numerous services running that were almost never used.

      Last night I set up a brand new computer for her and simply plugged the thing in, letting Win7 check the MS servers for drivers--even though the thing is elderly MS found drivers for every aspect of the device (5 in total). It works perfectly and there is no crap on the machine now. Nothing but print-spooler running. This also saved me about 10 mins installation time, and that was only one device. The nice thing about this? If MS keeps up with drivers like this, old devices from Goodwill stores and the like can be used even if the driver disk is nowhere to be found--MS has in effect become a clearing house of drivers that work.

      Even the driver for my video card that Win7 found was only one version older than the latest one available at the manufacturer's website (Perhaps MS stays clear of the newest ones until the bugs are worked out, after all, the only reason they provide the driver location service is to get people to stop blaming THEM when their hardware doesn't work--Vista was a learning experience for MS, apparently).

    6. Re:Mod him up, someone by Khyber · · Score: 1

      "Even the driver for my video card that Win7 found was only one version older than the latest one available at the manufacturer's website (Perhaps MS stays clear of the newest ones until the bugs are worked out,"

      No, the latest drivers hadn't passed WDDM certification.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re:Mod him up, someone by Anonymous Coward · · Score: 0

      It's to change driver settings as/when apps are run. A lot of games depend on awful hacks to work, that service applies awful hacks on the fly.

      For example, Quake 3 Arena can't handle over-5000 OpenGL extensions; so a limit on reported extensions is applied, to only show ones the game can take advantage of. Without the service, the game will crash on load on the newest cards with the latest Windows versions... (SiN has the same issue, rename sin to quake3.exe and see how it then works ;-p)

      On Linux, this issue is handled in a much neater way with environment variables; but NVIDIA haven't written a daemon to intercept and inject env vars on the fly (yet).

  22. Re:#WindowsRage by rbprbp · · Score: 1

    CP/M.

    --
    They're there in their room. You're on your own.
  23. Local access....... by Anonymous Coward · · Score: 0

    OMG NOOOOOOOOOO!!!!!!!!

  24. Plan 9. by Anonymous Coward · · Score: 0

    Plan 9 and most Micro Kernels. No root to escalate to / from. Sometimes there's groups to worry about but non-*nix systems usually avoid stuff like sudoers or even plugdev and will use a lot more groups with far fewer privileges per group.

  25. What? Local access isn't root on Windows? by Kaz+Kylheku · · Score: 0

    :)

  26. No issue here by dtfinch · · Score: 2

    Every update I re-disable all the nvidia services, startup tasks, and shell extensions, breaking nothing of value.

  27. Very Good... apk by Anonymous Coward · · Score: 0

    Spot on-Top Marks - mod him up to +5 INFORMATIVE people (if you have mod points that is, I don't)...

    * I just tested it with Doom III, Quake IV, GLQuake/Tenebrae, & "alles ist goot"... you can dump running ALL Nvidia services in fact (the updater, the std. service for it, & 3dVision (unless a game requires it &/or you use it that is)).

    Yes... it appears the "penguins" are 'reaching' & failing, in their usual "let's *try* shootdown Microsoft &/or Windows" with this one... & as usual, around here.

    APK

    P.S.=> Besides - afaik, this ISN'T a "remote exploit" (as in someone can't get your IP address & attempt to use it against you)... look @ the conditions required for it for Pete's sake!

    I only cursorily read the summary & article + source, & it sounds like it's only good on a local network!

    (IF you're not connected to one? Hell, no big deal @ all really, since you're on a 'stand-alone' system. If you keep your system fully currently patched + security-harden it?? Especially no biggie... nothing can take advantage of it (as in other malware that attempt to exploit this in the meantime prior to patching, & SOMETHING tells me, NVidia will have it fixed in a jiffy anyhow - they're not going to sit around for their BIGGEST MARKET ON PERSONAL COMPUTERS & let that be that way))...

    ... apk

  28. Re:#WindowsRage by VGPowerlord · · Score: 1

    I know reading 101 is a fail for most /. users, but for fuck's sake even the summary points out it is an NVidia exploit. Or do you somehow think Linux would be magically immune to a kernel level exploit in NVidia drivers?

    Good job failing reading 101 yourself.

    The summary points out that nVidia's Windows Service is exploitable rather than the display driver itself. Why would you think that would affect Linux?

    Oh, and that's without even mentioning that Windows and Linux drivers aren't written in the same language (C++ for Windows, C for Linux) and don't use the same kernel API.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  29. In NVidia's case for their driverset by Anonymous Coward · · Score: 1

    The NVidia Control Panel has some 'niceties' for folks that don't manually "tweak & tune" their games via the game itself's native configuration files.

    (OH, there's MORE TO IT than just that, that's just an example I've used @ times myself from its contents).

    For example (since I am a HUGE longtime fan of IDSoftware & a /. member Mr. John Carmack's work)?

    DoomCfg.cfg (Doom III) + Quake4.cfg (Quake4) allow a LOT of "little tricks" for both performance or visual quality. You can seriously "adjust" ID's games there, any way you like.

    HOWEVER/Per my subject-line above:

    What the control panel does is SAVE that for you (since the NVidia driver can override game configuration data for the driver to process), across MANY games!

    All so you don't have to do all the reading & study to do it manually, game by game.

    * That's about it though... guess it really depends on the user!

    APK

    P.S.=> More just a "matter of convenience" for users that aren't "big" on tweaking I'd say (however, gaming was what led ME to tweaking tuning my OS, + games, as far back as DOS 5.0 here, so I could get more outta them/more "bang-for-the-buck")...

    ... apk

  30. Re:#WindowsRage by Anonymous Coward · · Score: 0

    Oh the irony, He didn't say the exploit was in the driver, he said it was an Nvidia exploit and then pointed out a reasonably legitimate comparison for what NVidia has on Linux. If you are going to correct someone at least read what they fucking wrote.

  31. Technically? by Anonymous Coward · · Score: 1

    You can do that, & "easy as apple pie" too, as follows:

    E.G.-> Open NVidia drivers with WinRar & extract out the Display.Driver folder someplace on your hard drive.

    (That folder has the libs/dlls & .sys files necessary (+ other 'peripheral files' too) & the .inf file, for doing exactly what you want!)

    Then, just use devmgmt.msc to "update driver" for the video display device (Display Adapter) by clicking on it, & then right-clicking to "update driver" by pointing to the place you extracted that folder out to on your hard disk.

    * And, "voila" - should work!

    APK

    P.S.=> Should be as simple as that, per your request... IF you try this? Let me know how it works out - should be fine technically, & it's easy to "get out of too" by simply uninstalling the driver IF necessary (system will default back to last driver or SVGA std.)...

    ... apk
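The same "extract Display.Driver, then point Device Manager at it" procedure, done from an elevated PowerShell prompt so it can be repeated on several machines and checked afterwards. This is an added example, not code from the thread or from NVIDIA. It assumes 7-Zip is installed (the NVIDIA package is a self-extracting archive; the poster used WinRAR) and the package path below is a placeholder to replace with your own download.

```powershell
# Added example, not from the thread: INF-only install of the display driver,
# skipping the installer and therefore the helper service it would have added.
# Requires an elevated prompt. $Package is a placeholder path.
$Package = 'C:\Downloads\nvidia-driver-package.exe'
$Dest    = 'C:\Drivers\nvidia-inf-only'
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'   # assumption: 7-Zip, not WinRAR

# 1. Unpack the self-extracting archive without running its installer.
& $SevenZip x $Package "-o$Dest" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "extraction failed with exit code $LASTEXITCODE" }

# 2. The poster's folder of interest: INF + .sys/.dll + signed catalog.
#    Without the .cat, 64-bit Windows refuses the driver on signature grounds,
#    so check both are there before touching the driver store.
$Folder = Join-Path $Dest 'Display.Driver'
$inf = @(Get-ChildItem $Folder -Filter *.inf)
$cat = @(Get-ChildItem $Folder -Filter *.cat)
if ($inf.Count -eq 0 -or $cat.Count -eq 0) {
    throw "no INF or no catalog under $Folder; not a usable driver folder"
}
"INF: $($inf.Name -join ', ')  CAT: $($cat.Name -join ', ')"

# 3. Stage the package in the driver store and install it for matching devices.
#    This is what "Update driver" in devmgmt.msc does; -i -a is the Windows 7
#    syntax (newer releases also accept /add-driver ... /install).
foreach ($f in $inf) { pnputil -i -a $f.FullName }

# 4. Verify the point of the exercise: an INF-only install registers no service.
$svc = @(Get-Service | Where-Object { $_.DisplayName -like 'NVIDIA*' })
if ($svc.Count -eq 0) { 'OK: no NVIDIA service registered' } else { $svc | Format-Table Name, DisplayName, Status }
```

Step 4 is the check worth keeping: if a service does show up, it came from somewhere other than this INF install and can be handled as the other posters describe.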

  32. I'm glad I have physical security. by flayzernax · · Score: 1

    And also anal about what kinda bullshit services people force to run in the background.

    I sure as hell hope governments keep sensitive information a little better than I do =) Wouldn't want the sekrets to the universe and UFOs and free energy get out.

  33. Pastebin - removed - Backups anyone ? by burni2 · · Score: 1

    He removed the exploit. Has anybody made backups and is willing to share them? Because I have friends that will get into trouble when this is not fixed asap.

    1. Re:Pastebin - removed - Backups anyone ? by burni2 · · Score: 1

      Helped myself; it seems to be copied on pastebin, just search for it ;) on paste.bin

    2. Re:Pastebin - removed - Backups anyone ? by Anonymous Coward · · Score: 0

      http://pastebin.com/AW9rtqYg

    3. Re:Pastebin - removed - Backups anyone ? by Anonymous Coward · · Score: 1

      Looks like Peter decentralized the source by using FD mailing list when he posted this: http://seclists.org/fulldisclosure/2012/Dec/261

      This is why mailing lists are vitally important for information dissemination. Pastebin is a great resource but with mailing lists once it's been sent you cannot remove it.

  34. Re:#WindowsRage by Anonymous Coward · · Score: 0

    You mean from the Windows family? No, I can't name any. There's always some bullshit way to get privilege escalation on any Windows system just as there are always going to be apologists trying to explain that it's normal, that we should lower our expectations and that, supposedly, all OSes are created equal when it comes to security.

    Is that your point? That all the OSes are created equal when it comes to security?

    I've seen pretty hardened SELinux or grsec boxen for that matter and, despite following closely every single security out there I've had servers that didn't any patching for... Years!

    Sure, there may be some exploit once in a while, but it's hardly the fiasco that Windows is.

  35. DO WHAT I DID (step by step)... apk by Anonymous Coward · · Score: 0

    Run SERVICES.MSC - disable NVidia services there (or just set them MANUAL till you are SURE all your apps work - upon reboot especially)!

    No reboot required for it to work here though!

    SO, DO TEST like I did with your games or 3d display related apps -> http://it.slashdot.org/comments.pl?sid=3344029&cid=42406941

    * That should make it doable for you, easily via GUI no less...

    APK

    P.S.=> It'll work, it did for me @ least & yes, ON Win7 64-bit!

    (Addendum - I've done it before long ago on 32-bit NT-based OS for ages too, before I bought into the 64-bit world so I could do 64-bit apps, & test them here too, ala -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 )

    ... apk
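The services.msc steps that comment 21 and this post describe (stop the service, run it as Manual until your games and 3D apps are confirmed working, then Disabled, and back to Automatic if the control panel is missed), as an added PowerShell example rather than anything from the thread or from NVIDIA. It assumes the display-name pattern below matches what services.msc shows for your driver version and that the prompt is elevated.

```powershell
# Added example, not from the thread: repeatable and reversible version of the
# "disable the NVIDIA service" advice above. Assumption: the WQL LIKE pattern
# matches the display name your driver version registers.
$Pattern = 'NVIDIA Display Driver%'

function Get-NvService {
    # Win32_Service exposes StartMode and the service binary path, which the plain
    # Get-Service object does not on Windows 7 era PowerShell.
    Get-WmiObject Win32_Service -Filter "DisplayName LIKE '$Pattern'"
}

function Show-NvService {
    $svcs = @(Get-NvService)
    if ($svcs.Count -eq 0) { Write-Warning "no service matching '$Pattern'"; return }
    $svcs | Format-List Name, DisplayName, State, StartMode, StartName, PathName
}

function Disable-NvService {
    # Step 1 from the posts: stop it and set Manual first. Step 2, once everything
    # still works across a reboot: call again with -StartupType Disabled.
    param([ValidateSet('Manual', 'Disabled')][string]$StartupType = 'Manual')
    foreach ($svc in @(Get-NvService)) {
        if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType $StartupType
    }
    @(Get-NvService) | Select-Object Name, State, StartMode
}

function Enable-NvService {
    # Undo: back to Automatic and running, which the posters say brings the
    # NV Control Panel back.
    foreach ($svc in @(Get-NvService)) {
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
    }
    @(Get-NvService) | Select-Object Name, State, StartMode
}

Show-NvService                      # what is registered, and under which account
Disable-NvService -StartupType Manual
```

Show-NvService is the part to look at before changing anything: StartName tells you which account the service runs as, which is what decides how much an attacker gains from a flaw in it.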

  36. "An attacker with local access" by Anonymous Coward · · Score: 1

    Stopped reading there. If they've got local access they can do whatever the hell they want regardless, one more attack vector isn't going to make or break things.

    1. Re:"An attacker with local access" by Anonymous Coward · · Score: 1

      Incorrect. Physical local, yes, all bets are off, i.e. FireWire and Thunderbolt both give DMA. Local can (and does in this case) mean local account, as in the ability to execute arbitrary commands with a low-privilege account such as domain user in a corporate domain context. It's a remote attack in this context too because it listens on a named pipe (which can be remotely queried) and the DACL on this pipe is NULL, allowing any domain account to query.

      In general, local access does not imply insecurity; look at iPhone for example. You can't just write to arbitrary unix files or access any memory location. Hell, the binaries must be signed to execute. Local access is indeed harder to secure but certainly doesn't mean open.

      Part of this problem is (D)ACLs (like the Samsung /dev/exynos-mem file permission issue) that are misconfigured to be too permissive. Some bonehead couldn't get shit working so he said chmod 666 and went home. X years later in production someone discovers that any user can arbitrarily write to things they shouldn't. Exploit public, people 0wned.
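What the NULL-DACL pipe in the reply above looks like from the service author's side, next to an explicit DACL that keeps a service pipe local and limited, with a small check that flags the permissive form. This is an added example written against the .NET System.IO.Pipes API as used from Windows PowerShell; it is not NVIDIA's code and not from the thread. The pipe name 'demo-pipe' is a constructed placeholder.

```powershell
# Added example, not from the thread: over-permissive vs explicit named-pipe DACL.
Add-Type -AssemblyName System.Core   # System.IO.Pipes on .NET Framework

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Deny  = [System.Security.AccessControl.AccessControlType]::Deny
$Full  = [System.IO.Pipes.PipeAccessRights]::FullControl
$RW    = [System.IO.Pipes.PipeAccessRights]::ReadWrite

function New-Sid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
}
$Everyone = New-Sid ([System.Security.Principal.WellKnownSidType]::WorldSid)
$Network  = New-Sid ([System.Security.Principal.WellKnownSidType]::NetworkSid)     # logons that arrived over SMB/IPC$
$System   = New-Sid ([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
$Admins   = New-Sid ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
$Console  = New-Sid ([System.Security.Principal.WellKnownSidType]::InteractiveSid)  # the user at the keyboard

function New-Rule($Who, $Rights, $Type) { New-Object System.IO.Pipes.PipeAccessRule($Who, $Rights, $Type) }

function New-WeakPipeSecurity {
    # Same effect as the NULL DACL the poster describes: no access check, so any
    # account that can reach \\host\pipe\<name> over the network can talk to it.
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Rule $Everyone $Full $Allow))
    return $sec
}

function New-HardenedPipeSecurity {
    # Explicit DACL: deny the NETWORK logon SID outright (no remote clients), full
    # control only for SYSTEM and Administrators, read/write for the console user.
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Rule $Network $Full $Deny))
    $sec.AddAccessRule((New-Rule $System  $Full $Allow))
    $sec.AddAccessRule((New-Rule $Admins  $Full $Allow))
    $sec.AddAccessRule((New-Rule $Console $RW   $Allow))
    return $sec
}

function Test-PipeSecurity([System.IO.Pipes.PipeSecurity]$Security) {
    # Flags any Allow ACE for Everyone or NETWORK: either one makes the pipe a
    # domain-wide entry point into whatever the service does with its input.
    $findings = @()
    $rules = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -eq $Allow -and ($sid -eq $Everyone.Value -or $sid -eq $Network.Value)) {
            $who = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            $findings += "FINDING: Allow $($r.PipeAccessRights) for $who"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK: no Allow ACE for Everyone or NETWORK' }
    return $findings
}

'--- weak ---';     Test-PipeSecurity (New-WeakPipeSecurity)
'--- hardened ---'; Test-PipeSecurity (New-HardenedPipeSecurity)

# Creating a server end with the hardened DACL and reading it back from the live handle.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    'demo-pipe', [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None,
    4096, 4096, (New-HardenedPipeSecurity))
$server.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, PipeAccessRights, AccessControlType -AutoSize
$server.Dispose()
```

The deny ACE for NETWORK is the single change that answers the "remote in a domain" part of the reply: the pipe is still usable by local software, but a client coming in through the IPC$ share is refused before the service ever parses a byte from it.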

  37. Re:#WindowsRage by smash · · Score: 1

    Windows 3.1

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  38. Re:#WindowsRage by smash · · Score: 1

    No, however the Linux Nvidia drivers run in kernel mode (video driver in Vista+ runs in user space) and can thus do anything the kernel can do.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  39. idiot: misquoting closed "binary blob" as "C code" by girlinatrainingbra · · Score: 1

    Dude, don't try to fuck with me by quoting me and then misquoting me to argue against me by changing closed source "binary blob" into "C code". I was pointing out the foolishness of accepting closed source binary blobs. Your fuck-headed response was to conflate "closed source code" with "C code", perhaps implying "hard to read or understand code"? Too bad you can't wrap your head around code, or figure out how to get an account on /. instead of living your life anonymously and with extreme cowardice. Other people who can read the code and understand it would appreciate open code as opposed to closed code. Blah, blah, nya-nya-nanny-boo-boo, so there! (Laugh a little, you moron; if you want to argue with me, deal with my arguments rather than making a bitchy straw man argument which you can set on fire. Nobody argued your useless point of view!)
    ;>p
    ;>)
    !!!

  40. An Alternate Easy solution by Taco+Cowboy · · Score: 0, Troll

    Do not use Nvidia GPU.

    There are GPUs from other vendors in the market.

    Vote with your wallet.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:An Alternate Easy solution by 1s44c · · Score: 1

      Exactly. Nvidia's binary blob drivers are a disaster waiting to happen on every platform.

      I buy ATI whenever I get the chance.

  41. Re:#WindowsRage by 1s44c · · Score: 1

    Another exploit for this POS OS.

    This one appears to be due to nvidia's binary drivers. Every platform is equally vulnerable to evil kernel level code.

    Besides, exploits for Windows are so frequent that they are not news. Unless they hit hundreds of thousands of exploits overnight it's just business as usual.

  42. Re:#WindowsRage by 1s44c · · Score: 1

    are you aware of any OS that does not suffer by privilege escalation exploits ? if so, be a dear and share it with the rest of us.

    What a dumb reply.

    There are hundreds of these a year on windows. Windows has so many security problems because it's based on a broken design.

  43. Last nail in Ballmer's coffin by gtirloni · · Score: 0

    Windows 8 can't even prevent a kernel driver running in privileged space from doing this? Ewww...

    --
    none
  44. Post FACTS/TRUTH on /. = GET DOWNMODDED by Anonymous Coward · · Score: 0
  45. Re:#WindowsRage by Anonymous Coward · · Score: 0

    A user installs a backdoor with system privileges and it's the OS's fault?

    Clearly it shouldn't have let you install nvidia drivers, or something.

  46. Unfortunately the exploit had to be removed by dgharmon · · Score: 2

    "Unfortunately the exploit had to be removed, feel free to follow me on Twitter" .. link

    --
    AccountKiller
  47. Re:#WindowsRage by MarbleMunkey · · Score: 1

    Windows 3.1

    ... is not an operating system. Try again.