Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines 129
Posted
by
timothy
from the knowledge-counteracts dept.
from the knowledge-counteracts dept.
L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."
Easy solution (Score:4, Insightful)
Re: (Score:2, Insightful)
If they have "local access" hey can pretty much do what anyway
An Alternate Easy solution (Score:1, Troll)
Do not use Nvidia GPU.
There are GPUs from other vendors in the market.
Vote with your wallet.
Re: (Score:2)
Exactly. Nvidia's binary blob drivers are a disaster waiting to happen on every platform.
I buy ATI whenever I get the chance.
Re:Easy solution (Score:5, Informative)
Re: (Score:1)
If you think the omega drivers aren't from Nvidia I have a bridge to sell you.
Re: (Score:2)
Re:Easy solution (Score:5, Informative)
Re: (Score:3)
The guy who created them had neither the time nor the expertise to "develop" new drivers. He repackaged the bog-standard drivers and tweaked some settings, including opening up an already existing but hidden overclocking GUI.
If this guy was able to develop his own drivers from scratch, I have a feeling the Nouveau guys would be reaching out to him for information.
Re: (Score:1)
The drivers are tweaked versions of those officially released by ATI and nVidia, mainly using registry tweaks and offering an alternative installer. They are not custom drivers compiled from source code.
From here [wikipedia.org].
So your comparison between Unix and Linux is quite laughably wrong. The Omega drivers are just the official drivers packaged with registry tweaks and an alternate installer. Nothing more.
Re: (Score:1)
You call that "editing?" (Score:5, Insightful)
A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. [threatpost.com] An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin [pastebin.com] by researcher Peter Winter-Smith.
Granted, I've seen worse, but c'mon, man, you're getting paid for this shit.
Pay attention.
Re: (Score:3, Interesting)
.
Actually, this is even worse than you think. Take a look at the original submission in which I commented hours ago:
Note that the original submission (not by me but by "wiredmonkey") has a longer explanation and two copies of a link to the securityweek article in it. The security week article has the link to the Nvidia customer help site with the repaired/fixed driver blob in it. Timothy is somehow getting someone to c
Re: (Score:2)
When were the trolls banished?
Make a damn name and stop tagging AC posts.
Re: (Score:2)
He already has one [slashdot.org].
Re: (Score:2)
That bears absolutely no resemblance to going round posting trolls as AC and tagging them with one's username as you and Ethanol-fuelled are wont to do.
Re: (Score:2)
Ever since the Negroes and liberals took over this site and America, it has gone to shit. Why do the socialists hate this country?
-- Ethanol-fueled
Abducting people from the streets of Europe in violation of the laws of the countries they were abducted from, using tourture on these people, and refusing these people a fair trial did a great amount of harm to the image of your country.
But if you mean by 'gone to shit' that the money has run out, well that's what you get if you are constantly at war. Wars cost a lot of money.
Re: (Score:2)
That may actually prove to be a good tactic to get them to do better.
In the past most people just call them names, actually posting a corrected version of the submission shows the "editors" what they need to be doing.
Personally bad grammar doesn't faze me, but for the grammar nazis out there this is better than just calling the editors names.
Re: (Score:2)
As a person who understands human nature fairly well, I completely agree - the old adage, 'you catch more flies with honey than with vinegar,' rings true in more ways than one. Insults only serve to cause the one being insulted to close up mentally, thus making it impossible to educate them to their mistakes after that point.
Anyone interested in the most effective ways to encourage certain behavior (wi
Re: (Score:2)
On Slashdot the "Editing" job duties consist solely of hitting the "approve" button on selected story submissions.
Re: (Score:2)
I'm pretty sure that's system privileges, not root privileges.
root access (Score:2, Informative)
isn't the term root reserved for linux machines, isn't it called admin for windows?
Re: (Score:1)
Not really. "Root" has stronger connotations on windows.
Re: (Score:1)
Re: (Score:2)
A user with admin privileges can gain system level access.
Re: (Score:2)
has to do with security rings. They mean ring 0.
Re:root access (Score:5, Informative)
"root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.
Re:root access (Score:5, Informative)
Re:root access (Score:4, Informative)
Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.
It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.
Re: (Score:2)
On XP, root and SYSTEM are functionally identical. It wasn't until Vista introduced UAC that they became different (because Administrator is subject to UAC, but SYSTEM isn't).
Re: (Score:3)
Thats not correct; there are certain times I ran into "access denied" attempting to kill some task (ie, some virus scanner process) as admin, while the same operation succeeded once I elevated to SYSTEM and killed the process there.
Security aside there were other differences, such as local environment obviously.
Re:root access (Score:4, Informative)
Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
You now have a command prompt window running as system cwd'd to the system32 dir.
Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.
Re: (Score:1)
Re: (Score:2)
Anything in a command line is not "easy".
Nice absolute. Not all command lines are created equal, look at the abortion that is PowerShell but at least Windows has ls. Off of the top top of my head: how about copying files in a directory, let's say files/photos/resumes/songs/logs organized by first and last name delimited with a space, and you want all of the Bs. It's clumsy at best with the GUI. How about renaming all of them to replace the spaces with an underscore? Its not like anyone manages music collections... with specific regard to admin tas
Re: (Score:2)
Re: (Score:2)
On a side note, I actually did google for N-center after you mentioned it (I've never heard of it before, and am always looking for new tools to help make running windows less painful)
The first thought I had was, this program has literally nothing to do with what myself or ais523 were speaking of in this thread - specifically relating to the administrator and system accounts in windows, or how to gain access to the system account.
N-Central doesn't appear to operate at a level above administrator...
For being
Re: (Score:2)
Maybe you could type N-Central into google and educate yourself.
Do you have a N-Central GUI recommendation for creating the query?
Re: (Score:2)
However I would rather choose a script from a drop down menu, select the comps from the left and drag to the right, choose a time, and hit "run". I can do this with N-Central. You just have to pay for that solution.
I'll stick with my psexec, bat, and tcl scripts. I'd much rather just double click a single icon and have the script figure out what hosts need the action performed on and simply do it all for me.
But to each their own :}
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
NVIDIA privilege escalation exploit (Score:5, Informative)
I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
.
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 [custhelp.com] custhelp.com site for nvidia [custhelp.com] which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org [seclists.org]:
Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.
Re: (Score:2)
idiot: misquoting closed "binary blob" as "C code" (Score:2)
Re: (Score:2)
Hm, dunno how that got posted AC, but it was me.
severs are starting to use GPS for CPU tasks (Score:1)
severs are starting to use GPS for CPU tasks
Re: (Score:2, Funny)
Apparently, GPS offers more than location and time services. Unfortunately, I think GPS satellites are too high up to be considered "in the cloud." Maybe it's time for a new catchy phrase for them? Cloud 2.0? Or, better yet, Void. "I do all of my computing in the Void" has a nice ring to it.
It never dawned on me until just now, but with all of the added computing required of the GPS satellites, no wonder Apple Maps is having so many problems!
Re: (Score:3)
BRO, dont ever, ever, ever get a job in infosec.
With the rash of companies losing all their data in recent years I think he already has.
Stop talking (Score:1)
If it were going to put people at risk I'd not have released exploit code and I'd have informed the vendor and kept quiet until a fix were issued.
Just when you were scoring high marks, you had to keep flapping your jaws. Vendors (especially NVidia) do not traditionally respond to polite suggestions regarding their buggy code -- you would have eventually been forced to go public, and the vulnerability would have gone that much longer unaddressed. People with insecure systems that would otherwise be none-the-wiser can now take steps to protect themselves until a patch can be developed. There is no reason to sit on this, even if it were easier to exploi
Disable nvsvc32 (Score:5, Informative)
I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.
Mod him up, someone (Score:2, Informative)
Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.
Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
Re:Mod him up, someone (Score:5, Informative)
Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.
Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.
Just to second this from a real slashdot user :)
I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.
Re: (Score:2)
Indeed. Goes for any of these 'enhanced' shitware progs. Just install the basic drivers and in my experience, (all windows from XP) up, through all cards, everything works fine. Of course, they sometimes make it really hard to just install the drivers - i wonder why?
In NVidia's case for their driverset (Score:1)
The NVidia Control Panel has some 'niceties' for folks that don't manually "tweak & tune" their games via the game itself's native configuration files.
(OH, there's MORE TO IT than just that, that's just an example I've used @ times myself from its contents).
For example (since I am a HUGE longtime fan of IDSoftware & a /. member Mr. John Carmack's work)?
DoomCfg.cfg (Doom III) + Quake4.cfg (Quake4) allow a LOT of "little tricks" for both performance or visual quality. You can seriously "adjust" ID's g
Re: (Score:2)
"Indeed"
Win7 64-bit here.
Since I switched over to Win7 from XP, I've gotten into the habit of letting Windows find the drivers for everything when setting up a new machine. Just plug all that shit in and see what happens--9 times out of ten Windows nails it and the device simply works. My wife has this elderly HP All-in-One Printer/scanner that comes with a massive package of software, all of which installs with the drivers if I use the provided install disk. I ended up with numerous services running that w
Re: (Score:2)
"Even the driver for my video card that Win7 found was only one version older then the latest one available at the manufacturers website (Perhaps MS stays clear of the newest ones until the bugs are worked out,"
No, the latest drivers hadn't passed WDDM certification.
Re: (Score:2)
I wish NVIDIA distriubted a driver that could be installed via the .inf file using the Windows Control Panel.
Wouldn't this solve the problem.
Technically? (Score:1)
You can do that, & "easy as apple pie" too, as follows:
E.G.-> Open NVidia drivers with WinRar & extract out the Display.Driver folder someplace on your harddrive.
(That folder has the libs/dlls & .sys files necessary (+ other 'perhipheral files' too) & the .inf file, for doing exactly what you want!)
Then, just use devmgmt.msc to "update driver" for the video display device (Diplay Adapter) by clicking on it, & then right-clicking to "update driver" by pointing to the place you extract
Re: (Score:2)
I just tried disabling nvsvc32, but I discovered that it doesn't exist on my system - the NVIDIA Display Driver Service is named "nvvsvc.exe" (and the Update Service Daemon is "daemonu.exe"), and while I did find an "nvsvc64.dll", I could not find a single file named "nvsvc32.exe" anywhere on my system.
Is this something that only exists in the 32-bit drivers (I'm running Win7 x64), or is it something that disappeared in the 310.70 drivers released last week?
Re: (Score:2)
Or just use a firewall / router to block access to your PC from the outside. And if you don't do this already you are a zombie (botnet).
But I do agree with you, the extra features available through the service are most of the time not needed and I have no idea why they insist on forcing us to have this crap running in the background.
What? Local access isn't root on Windows? (Score:1)
:)
No issue here (Score:3)
Every update I redisable all the nvidia services, startup tasks, and shell extensions, breaking nothing of value.
I'm glad I have physical security. (Score:1)
And also anal about what kinda bullshit services people force to run in the backgrounds.
I sure as hell hope governments keep sensative information a little better then I do =) Wouldnt want the sekrets to the universe and UFOs and free energy get out.
Pastebin - removed - Backups anyone ? (Score:1)
he removed the exploit has anybody made backups and is willing to share them ? Because I have friends that will get into trouble when this is not fixed asap.
Re: (Score:1)
Helped myself it seems to be copied on pastebin, just search for it ;) on paste.bin
Re: (Score:1)
Looks like Peter decentralized the source by using FD mailing list when he posted this: http://seclists.org/fulldisclosure/2012/Dec/261
This is why mailing lists are vitally important for information dissemination. Pastebin is a great resource but with mailing lists once it's been sent you cannot remove it.
"An attacker with local access" (Score:1)
Stopped reading there. If they've got local access they can do whatever the hell they want regardless, one more attack vector isn't going to make or break things.
Re: (Score:1)
Incorrect. Physical local, yes all bets are off ie: FireWire and thundbolt both give DMA. Local can ( and does in this case) mean local account, as in the ability to execute arbitrary commands with a low privilege account such as domain user in corporate domain context. It's a remote attack in this context too because it listens on a named pipe ( which can be remotely queried) and DACL on this pipe is NULL allowing any domain account to query.
in genreral, Local access does not imply insecurity, look at iPho
Last nail in Ballmer's coffin (Score:1)
Unfortunately the exploit had to be removed (Score:3)
Re: (Score:1)
Re:#WindowsRage (Score:4, Funny)
MS-DOS.
You kind of need "privileges" in order to have privilege escalation.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
are you aware of any OS that does not suffer by privilege escalation exploits ? if so, be a dear and share it with the rest of us.
What a dumb reply.
There are hundreds of these a year on windows. Windows has so many security problems because it's based on a broken design.
Re: (Score:2)
Re: (Score:2)
Windows 3.1
... is not an operating system. Try again.
Re: (Score:1)
Linux Nvidia drivers don't open an SMB named pipe (which, for added bonus can be used for remote attacks from same domain), so this one exploit is pretty much Windows specific. And yeah, you just proved your point.
Re: (Score:1)
Re: (Score:1)
Clearly a windows specific problem.
THIS COULD NEVER HAPPEN ON LINUX.... except that one time when it did.
http://www.zdnet.com/privilege-escalation-security-hole-found-in-nvidia-linux-driver-7000001986/
Re: (Score:2)
Re: (Score:2)
I know reading 101 is a fail for most /. users, but for fucks sake even the summary points out it is an NVidia exploit. Or do you somehow think Linux would be magically immune to a kernel level exploit in NVidia drivers?
Good job failing reading 101 yourself.
The summary points out that nVidia's Windows Service is exploitable rather than the display driver itself. Why would you think that would affect Linux?
Oh, and that's without even mentioning that Windows and Linux drivers aren't written in the same language (C++ for Windows, C for Linux) and don't use the same kernel API.
Re: (Score:2)
Another exploit for this POS OS.
This one appears to be due to nvidia's binary drivers. Every platform is equally vulnerable to evil kernel level code.
Besides exploits for Windows are so frequent that they are not news. Unless they hit hundreds of thousands of exploits overnight it's just business as usual.