An anonymous hacker has found a security hole in the Nvidia binary. He or she allegedly reported it to Nvidia "over a month ago" and did not receive a reply, nor was the flaw ever patched. The exploit has now been made public.
Software Engineer Dave Airlie was sent details of the vulnerability. After testing it out and discovering that it indeed works, he posted the exploit for everyone to see over at the mailing list firstname.lastname@example.org.
The flaw essentially allows an attacker to write to any part of physical memory on the system by shifting the VGA window exposed by the driver, and from there to attain superuser privileges by patching kernel memory directly. For reference, here's the full text of Airlie's disclosure:
First up, I didn't write this, but I have executed it and it did work here.
I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I'd post it for them.
It basically abuses the fact that the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does a priv escalation by writing directly to kernel memory.
I have contacted Nvidia about this security hole. I have also contacted Airlie for any more information he may be willing to provide. I will update you if and when I hear back.
Update at 4:30 PM PST - "I work for Red Hat in the graphics team, and we reported the issue via nvidia security channels in mid June with no response," Airlie told me. "The original author then asked that I send it to full-disclosure if we heard nothing back in a month."