Slashdot Mirror
Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines
L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."
You mean the nVidia Omega drivers based on a version from 2007? Or the ones that the creator said a year ago he'd no longer be able to support?
11 was a racehorse
12 was 12
1111 Race
12112
Windows actually has two root-like permission levels, "administrator", and "SYSTEM" (which is higher and cannot be given to normal accounts). It might be interesting to know which the attack allows escalation to (although I think an attacker could do anything they cared about with only administrator-level permissions, they'd just have to do it a little indirectly).
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
It basically abuses the fact that the.
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 custhelp.com site for nvidia which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org:
Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.
I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.
Ring 0 has to do with Kernel level, not user permissions.
"root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.
Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.
Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
Just to second this from a real slashdot user :)
I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.
I dont read
You're 100% correct about the source code, he never had access, however he did package the modded driver into its own installer and omega is considered a 3rd party driver. Don't underestimate the registry either, all the driver settings / a lot of the config are stored there. Some of these tweaks led to increased stability in the past. I'd have to agree they're out of date, but a lot of the cards it supports aren't getting new drivers / improvements from nvidia anytime soon either. I thought I'd just throw this out there for those looking for something else to try, especially with all the invasiveness of newer nvidia drivers.