Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines

L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith."

root access

[Anonymous Coward]

isn't the term root reserved for linux machines, isn't it called admin for windows?

Re:Easy solution

[k_187]

You mean the nVidia Omega drivers based on a version from 2007? Or the ones that the creator said a year ago he'd no longer be able to support?

Re:root access

[ais523]

Windows actually has two root-like permission levels, "administrator", and "SYSTEM" (which is higher and cannot be given to normal accounts). It might be interesting to know which the attack allows escalation to (although I think an attacker could do anything they cared about with only administrator-level permissions, they'd just have to do it a little indirectly).

NVIDIA privilege escalation exploit

[girlinatrainingbra]

The article says

enables an attacker to install a user on the target system, completely bypassing MicrosoftÃ(TM)s Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections

I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
.
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article at also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140 [custhelp.com] custhelp.com site for nvidia [custhelp.com] which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org [seclists.org]:

It basically abuses the fact that the /dev/nvidia0 device accept changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does an priv escalation by writing directly to kernel memory.

Notice how with binary blobs how end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.

Disable nvsvc32

[Anonymous Coward]

I believe there's no need to have the vulnerable nvsvc32.exe service running. It might break the NVIDIA control panel, but the driver should function properly with that service turned off. You could do that until a fixed version is available. The actual driver is named nvlddmkm.sys.

Mod him up, someone

[Anonymous Coward]

Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

Re:root access

[Bengie]

Ring 0 has to do with Kernel level, not user permissions.

"root" is like being an all-powerful dictator, Ring 0 is like being god and controlling the fabric of the Universe itself.

Re:Mod him up, someone

[Ash Vince]

Was running with this service disabled for a long time and didn't notice any ill effects except for missing NV Control panel - switching it to Manual or Automatic makes it work again.

Services.msc management console calls it "NVidia Display Driver Service". Just try stopping it first, if you're doubting an AC's word, and check how everything runs for you, then switch it to Disabled.

Just to second this from a real slashdot user :)

I disabled this as it was taking up valuable CPU time on my old gaming laptop. I never saw any ill effects at all. I am sure it must have some purpose but I never figured out what it was disabling it stopped me doing and I ran my PC like that for years.

Re:root access

[LordLimecat]

Once you get admin, you could trivially install a service with system-level access to elevate yourself further. This was easily done on XP, where you could set cmd.exe to run as an interactive service, which when started presented you with a System-level command prompt.

It can be done on Windows 7 as well, though I believe you can no longer just do it with cmd.exe.

Re:Easy solution

[Synerg1y]

You're 100% correct about the source code, he never had access, however he did package the modded driver into its own installer and omega is considered a 3rd party driver. Don't underestimate the registry either, all the driver settings / a lot of the config are stored there. Some of these tweaks led to increased stability in the past. I'd have to agree they're out of date, but a lot of the cards it supports aren't getting new drivers / improvements from nvidia anytime soon either. I thought I'd just throw this out there for those looking for something else to try, especially with all the invasiveness of newer nvidia drivers.

Re:root access

[dissy]

Grab psexec.exe from sysinternals, and as local admin simply run: psexec -i -s cmd.exe
You now have a command prompt window running as system cwd'd to the system32 dir.

Most windows domains will have psexec laying around somewhere anyways, or at least on servers. Easiest way to mass push remote commands to the workstations as domain admin.