Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines

L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."

Easy solution

[Synerg1y]

Use Omega drivers, I stopped using Nvidia drivers about the time they started putting an Nvidia windows user on my systems for "gathering performance data".

Re:Easy solution

If they have "local access" hey can pretty much do what anyway

Re:Easy solution

[k_187]

You mean the nVidia Omega drivers based on a version from 2007? Or the ones that the creator said a year ago he'd no longer be able to support?

Re:Easy solution

[LordLimecat]

The guy who created them had neither the time nor the expertise to "develop" new drivers. He repackaged the bog-standard drivers and tweaked some settings, including opening up an already existing but hidden overclocking GUI.

If this guy was able to develop his own drivers from scratch, I have a feeling the Nouveau guys would be reaching out to him for information.

Re:Easy solution

[Synerg1y]

You're 100% correct about the source code, he never had access, however he did package the modded driver into its own installer and omega is considered a 3rd party driver. Don't underestimate the registry either, all the driver settings / a lot of the config are stored there. Some of these tweaks led to increased stability in the past. I'd have to agree they're out of date, but a lot of the cards it supports aren't getting new drivers / improvements from nvidia anytime soon either. I thought I'd just throw this out there for those looking for something else to try, especially with all the invasiveness of newer nvidia drivers.

You call that "editing?"

[CanHasDIY]

Here, Timmy, let me do your job for you:

A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith.

Granted, I've seen worse, but c'mon, man, you're getting paid for this shit.

Pay attention.

Re:You call that "editing?"

[girlinatrainingbra]

re Granted, I've seen worse
.
Actually, this is even worse than you think. Take a look at the original submission in which I commented hours ago: http://slashdot.org/firehose.pl?op=view&id=41570609

Note that the original submission (not by me but by "wiredmonkey") has a longer explanation and two copies of a link to the securityweek article in it. The security week article has the link to the Nvidia customer help site with the repaired/fixed driver blob in it. Timothy is somehow getting someone to copy prior submissions and actively take out the useful stuff before posting it to the front page! J'accuse! (finger pointing accusitorily)

root access

isn't the term root reserved for linux machines, isn't it called admin for windows?

Re:root access

[ais523]

Windows actually has two root-like permission levels, "administrator", and "SYSTEM" (which is higher and cannot be given to normal accounts). It might be interesting to know which the attack allows escalation to (although I think an attacker could do anything they cared about with only administrator-level permissions, they'd just have to do it a little indirectly).

Re:root access

[Bengie]

Ring 0 has to do with Kernel level, not user permissions.

"root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.

Re:root access

[LordLimecat]

Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.

It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.

Re:root access

[dissy]

Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
You now have a command prompt window running as system cwd'd to the system32 dir.

Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.

Re:root access

[LordLimecat]

Thats not correct; there are certain times I ran into "access denied" attempting to kill some task (ie, some virus scanner process) as admin, while the same operation succeeded once I elevated to SYSTEM and killed the process there.

Security aside there were other differences, such as local environment obviously.

Re:root access

[Bryansix]

So you like Linux because Windows does its permissions levels EXACTLY THE SAME WAY? I'm confused.

Re:#WindowsRage

[gman003]

MS-DOS.

You kind of need "privileges" in order to have privilege escalation.

NVIDIA privilege escalation exploit

[girlinatrainingbra]

The article says enables an attacker to install a user on the target system, completely bypassing MicrosoftÃ(TM)s Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections

I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
.
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 custhelp.com site for nvidia which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org:

It basically abuses the fact that the /dev/nvidia0 device accept changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does an priv escalation by writing directly to kernel memory.

Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.

Disable nvsvc32

I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.

Re:severs are starting to use GPS for CPU tasks

Apparently, GPS offers more than location and time services. Unfortunately, I think GPS satellites are too high up to be considered "in the cloud." Maybe it's time for a new catchy phrase for them? Cloud 2.0? Or, better yet, Void. "I do all of my computing in the Void" has a nice ring to it.

It never dawned on me until just now, but with all of the added computing required of the GPS satellites, no wonder Apple Maps is having so many problems!

Mod him up, someone

Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

Re:Mod him up, someone

[Ash+Vince]

Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

Just to second this from a real slashdot user :)

I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.

No issue here

[dtfinch]

Every update I redisable all the nvidia services, startup tasks, and shell extensions, breaking nothing of value.

Re:Even easier solution....

[1s44c]

BRO, dont ever, ever, ever get a job in infosec.

With the rash of companies losing all their data in recent years I think he already has.

Unfortunately the exploit had to be removed

[dgharmon]

"Unfortunately the exploit had to be removed, feel free to follow me on Twitter" .. link