Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines 129
L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."
root access (Score:2, Informative)
isn't the term root reserved for linux machines, isn't it called admin for windows?
Re:Easy solution (Score:5, Informative)
Re:root access (Score:5, Informative)
NVIDIA privilege escalation exploit (Score:5, Informative)
I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
.
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 [custhelp.com] custhelp.com site for nvidia [custhelp.com] which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org [seclists.org]:
Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.
Disable nvsvc32 (Score:5, Informative)
I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.
Mod him up, someone (Score:2, Informative)
Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.
Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
Re:root access (Score:5, Informative)
"root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.
Re:Mod him up, someone (Score:5, Informative)
Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.
Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
Just to second this from a real slashdot user :)
I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.
Re:root access (Score:4, Informative)
Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.
It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.
Re:Easy solution (Score:5, Informative)
Re:root access (Score:4, Informative)
Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
You now have a command prompt window running as system cwd'd to the system32 dir.
Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.