Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
This discussion has been archived. No new comments can be posted.

Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines

Comments Filter:
  • Easy solution (Score:4, Insightful)

    by Synerg1y (2169962) on Thursday December 27, 2012 @04:19PM (#42406011)
    Use Omega drivers, I stopped using Nvidia drivers about the time they started putting an Nvidia windows user on my systems for "gathering performance data".
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If they have "local access" hey can pretty much do what anyway

    • Re:Easy solution (Score:5, Informative)

      by k_187 (61692) on Thursday December 27, 2012 @04:34PM (#42406145) Journal
      You mean the nVidia Omega drivers based on a version from 2007? Or the ones that the creator said a year ago he'd no longer be able to support?
    • by Anonymous Coward

      If you think the omega drivers aren't from Nvidia I have a bridge to sell you.

      • by Synerg1y (2169962)
        They're based on nvidia drivers, just like linux is based off of unix to a lesser extent, however what I appreciate the most about them is the installer isn't nearly as invasive, pretty sure it installs that extra user with just the drivers from the OEM, regardless of whether you choose to install the console or not. They used to serve a more important purpose and that's providing stable drivers the many times nvidia fell short.
        • The guy who created them had neither the time nor the expertise to "develop" new drivers. He repackaged the bog-standard drivers and tweaked some settings, including opening up an already existing but hidden overclocking GUI.

          If this guy was able to develop his own drivers from scratch, I have a feeling the Nouveau guys would be reaching out to him for information.

        • by Desler (1608317)

          The drivers are tweaked versions of those officially released by ATI and nVidia, mainly using registry tweaks and offering an alternative installer. They are not custom drivers compiled from source code.

          From here [wikipedia.org].

          So your comparison between Unix and Linux is quite laughably wrong. The Omega drivers are just the official drivers packaged with registry tweaks and an alternate installer. Nothing more.

    • Are you kidding? All the guy did was disable registry entries that locked you from doing dumb crap like overclocking an integrated chipset. He also removed the stuff that makes sure that your device is actually supported by the driver, so the omega drivers are basically the spray and pray version of hardware support.
  • by CanHasDIY (1672858) on Thursday December 27, 2012 @04:20PM (#42406023) Homepage Journal
    Here, Timmy, let me do your job for you:

    A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. [threatpost.com] An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin [pastebin.com] by researcher Peter Winter-Smith.

    Granted, I've seen worse, but c'mon, man, you're getting paid for this shit.

    Pay attention.

    • Re: (Score:3, Interesting)

      re Granted, I've seen worse
      Actually, this is even worse than you think. Take a look at the original submission in which I commented hours ago:
      http://slashdot.org/firehose.pl?op=view&id=41570609 [slashdot.org]

      Note that the original submission (not by me but by "wiredmonkey") has a longer explanation and two copies of a link to the securityweek article in it. The security week article has the link to the Nvidia customer help site with the repaired/fixed driver blob in it. Timothy is somehow getting someone to c

    • by Jeng (926980)

      That may actually prove to be a good tactic to get them to do better.

      In the past most people just call them names, actually posting a corrected version of the submission shows the "editors" what they need to be doing.

      Personally bad grammar doesn't faze me, but for the grammar nazis out there this is better than just calling the editors names.

      • As a grammar nazi (who, admittedly, commits apostrophe abuse on a regular basis), I tend to agree.

        As a person who understands human nature fairly well, I completely agree - the old adage, 'you catch more flies with honey than with vinegar,' rings true in more ways than one. Insults only serve to cause the one being insulted to close up mentally, thus making it impossible to educate them to their mistakes after that point.

        Anyone interested in the most effective ways to encourage certain behavior (wi
    • by l0ungeb0y (442022)

      On Slashdot the "Editing" job duties consist solely of hitting the "approve" button on selected story submissions.

    • by 1s44c (552956)

      I'm pretty sure that's system privileges, not root privileges.

  • root access (Score:2, Informative)

    by Anonymous Coward

    isn't the term root reserved for linux machines, isn't it called admin for windows?

    • by Anonymous Coward

      Not really. "Root" has stronger connotations on windows.

    • by Anonymous Coward
      Not really, it is just a term used for the top level system access. Sometimes called admin or superuser, root is just the standard name used for unix. In windows now especially it is probably better to refer to root or system level access as even admin accounts "can" have certain restrictions applied to them.
    • by DragonTHC (208439)

      has to do with security rings. They mean ring 0.

    • Re:root access (Score:5, Informative)

      by ais523 (1172701) <ais523(524\)(525)x)@bham.ac.uk> on Thursday December 27, 2012 @04:37PM (#42406169)
      Windows actually has two root-like permission levels, "administrator", and "SYSTEM" (which is higher and cannot be given to normal accounts). It might be interesting to know which the attack allows escalation to (although I think an attacker could do anything they cared about with only administrator-level permissions, they'd just have to do it a little indirectly).
      • Re:root access (Score:4, Informative)

        by LordLimecat (1103839) on Thursday December 27, 2012 @06:01PM (#42406757)

        Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.

        It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.

        • On XP, root and SYSTEM are functionally identical. It wasn't until Vista introduced UAC that they became different (because Administrator is subject to UAC, but SYSTEM isn't).

          • Thats not correct; there are certain times I ran into "access denied" attempting to kill some task (ie, some virus scanner process) as admin, while the same operation succeeded once I elevated to SYSTEM and killed the process there.

            Security aside there were other differences, such as local environment obviously.

      • Re:root access (Score:4, Informative)

        by dissy (172727) on Thursday December 27, 2012 @07:00PM (#42407165)

        Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
        You now have a command prompt window running as system cwd'd to the system32 dir.

        Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.

        • by Bryansix (761547)
          Easiest? No. Anything in a command line is not "easy". It is fully functional? Yes. However I would rather choose a script from a drop down menu, select the comps from the left and drag to the right, choose a time, and hit "run". I can do this with N-Central. You just have to pay for that solution.
          • Anything in a command line is not "easy".

            Nice absolute. Not all command lines are created equal, look at the abortion that is PowerShell but at least Windows has ls. Off of the top top of my head: how about copying files in a directory, let's say files/photos/resumes/songs/logs organized by first and last name delimited with a space, and you want all of the Bs. It's clumsy at best with the GUI. How about renaming all of them to replace the spaces with an underscore? Its not like anyone manages music collections... with specific regard to admin tas

            • by Bryansix (761547)
              Wow. You totally missed the point. Of course you have to download, deploy and support N-Central but if you think all it does is make schedule scripts then you are sorely mistaken. Funny you mention google. Maybe you could type N-Central into google and educate yourself.
              • by dissy (172727)

                On a side note, I actually did google for N-center after you mentioned it (I've never heard of it before, and am always looking for new tools to help make running windows less painful)

                The first thought I had was, this program has literally nothing to do with what myself or ais523 were speaking of in this thread - specifically relating to the administrator and system accounts in windows, or how to gain access to the system account.
                N-Central doesn't appear to operate at a level above administrator...

                For being

              • Maybe you could type N-Central into google and educate yourself.

                Do you have a N-Central GUI recommendation for creating the query?

          • by dissy (172727)

            However I would rather choose a script from a drop down menu, select the comps from the left and drag to the right, choose a time, and hit "run". I can do this with N-Central. You just have to pay for that solution.

            I'll stick with my psexec, bat, and tcl scripts. I'd much rather just double click a single icon and have the script figure out what hosts need the action performed on and simply do it all for me.

            But to each their own :}

            • by Bryansix (761547)
              Oh, well N-Central does that too because we've combined it with Ninite so it can figure out if a third party app is updated or not and installed it. That's just one example.
  • by girlinatrainingbra (2738457) on Thursday December 27, 2012 @04:38PM (#42406171)
    The article says
    enables an attacker to install a user on the target system, completely bypassing MicrosoftÃ(TM)s Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections

    I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
    NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 [custhelp.com] custhelp.com site for nvidia [custhelp.com] which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org [seclists.org]:

    It basically abuses the fact that the /dev/nvidia0 device accept changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does an priv escalation by writing directly to kernel memory.

    Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.

  • by Anonymous Coward

    If it were going to put people at risk I'd not have released exploit code and I'd have informed the vendor and kept quiet until a fix were issued.

    Just when you were scoring high marks, you had to keep flapping your jaws. Vendors (especially NVidia) do not traditionally respond to polite suggestions regarding their buggy code -- you would have eventually been forced to go public, and the vulnerability would have gone that much longer unaddressed. People with insecure systems that would otherwise be none-the-wiser can now take steps to protect themselves until a patch can be developed. There is no reason to sit on this, even if it were easier to exploi

  • Disable nvsvc32 (Score:5, Informative)

    by Anonymous Coward on Thursday December 27, 2012 @05:06PM (#42406375)

    I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.

    • Mod him up, someone (Score:2, Informative)

      by Anonymous Coward

      Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

      Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

      • by Ash Vince (602485) * on Thursday December 27, 2012 @05:50PM (#42406669) Journal

        Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

        Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

        Just to second this from a real slashdot user :)

        I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.

        • Indeed. Goes for any of these 'enhanced' shitware progs. Just install the basic drivers and in my experience, (all windows from XP) up, through all cards, everything works fine. Of course, they sometimes make it really hard to just install the drivers - i wonder why?

          • by Anonymous Coward

            The NVidia Control Panel has some 'niceties' for folks that don't manually "tweak & tune" their games via the game itself's native configuration files.

            (OH, there's MORE TO IT than just that, that's just an example I've used @ times myself from its contents).

            For example (since I am a HUGE longtime fan of IDSoftware & a /. member Mr. John Carmack's work)?

            DoomCfg.cfg (Doom III) + Quake4.cfg (Quake4) allow a LOT of "little tricks" for both performance or visual quality. You can seriously "adjust" ID's g

          • "Indeed"

            Win7 64-bit here.

            Since I switched over to Win7 from XP, I've gotten into the habit of letting Windows find the drivers for everything when setting up a new machine. Just plug all that shit in and see what happens--9 times out of ten Windows nails it and the device simply works. My wife has this elderly HP All-in-One Printer/scanner that comes with a massive package of software, all of which installs with the drivers if I use the provided install disk. I ended up with numerous services running that w

            • by Khyber (864651)

              "Even the driver for my video card that Win7 found was only one version older then the latest one available at the manufacturers website (Perhaps MS stays clear of the newest ones until the bugs are worked out,"

              No, the latest drivers hadn't passed WDDM certification.

        • by Lashat (1041424)

          I wish NVIDIA distriubted a driver that could be installed via the .inf file using the Windows Control Panel.

          Wouldn't this solve the problem.

          • by Anonymous Coward

            You can do that, & "easy as apple pie" too, as follows:

            E.G.-> Open NVidia drivers with WinRar & extract out the Display.Driver folder someplace on your harddrive.

            (That folder has the libs/dlls & .sys files necessary (+ other 'perhipheral files' too) & the .inf file, for doing exactly what you want!)

            Then, just use devmgmt.msc to "update driver" for the video display device (Diplay Adapter) by clicking on it, & then right-clicking to "update driver" by pointing to the place you extract

    • by Quietust (205670)

      I just tried disabling nvsvc32, but I discovered that it doesn't exist on my system - the NVIDIA Display Driver Service is named "nvvsvc.exe" (and the Update Service Daemon is "daemonu.exe"), and while I did find an "nvsvc64.dll", I could not find a single file named "nvsvc32.exe" anywhere on my system.

      Is this something that only exists in the 32-bit drivers (I'm running Win7 x64), or is it something that disappeared in the 310.70 drivers released last week?

    • by Krneki (1192201)

      Or just use a firewall / router to block access to your PC from the outside. And if you don't do this already you are a zombie (botnet).

      But I do agree with you, the extra features available through the service are most of the time not needed and I have no idea why they insist on forcing us to have this crap running in the background.

  • by dtfinch (661405) * on Thursday December 27, 2012 @06:24PM (#42406927) Journal

    Every update I redisable all the nvidia services, startup tasks, and shell extensions, breaking nothing of value.

  • And also anal about what kinda bullshit services people force to run in the backgrounds.

    I sure as hell hope governments keep sensative information a little better then I do =) Wouldnt want the sekrets to the universe and UFOs and free energy get out.

  • he removed the exploit has anybody made backups and is willing to share them ? Because I have friends that will get into trouble when this is not fixed asap.

    • by burni2 (1643061)

      Helped myself it seems to be copied on pastebin, just search for it ;) on paste.bin

      • by Anonymous Coward

        Looks like Peter decentralized the source by using FD mailing list when he posted this: http://seclists.org/fulldisclosure/2012/Dec/261

        This is why mailing lists are vitally important for information dissemination. Pastebin is a great resource but with mailing lists once it's been sent you cannot remove it.

  • by Anonymous Coward

    Stopped reading there. If they've got local access they can do whatever the hell they want regardless, one more attack vector isn't going to make or break things.

    • by Anonymous Coward

      Incorrect. Physical local, yes all bets are off ie: FireWire and thundbolt both give DMA. Local can ( and does in this case) mean local account, as in the ability to execute arbitrary commands with a low privilege account such as domain user in corporate domain context. It's a remote attack in this context too because it listens on a named pipe ( which can be remotely queried) and DACL on this pipe is NULL allowing any domain account to query.

      in genreral, Local access does not imply insecurity, look at iPho

  • Windows 8 can't even prevent a kernel driver running in privileged space from doing this? Ewww...
  • by dgharmon (2564621) on Friday December 28, 2012 @06:36PM (#42414581) Homepage
    "Unfortunately the exploit had to be removed, feel free to follow me on Twitter" .. link [pastebin.com]

What is algebra, exactly? Is it one of those three-cornered things? -- J.M. Barrie