Privilege escalation security hole found in Nvidia Linux driver
Summary: A new security hole has been discovered in Nvidia's Linux driver. Nvidia has allegedly known about the vulnerability for more than a month but has yet to fix it.

An anonymous hacker has found a security hole in Nvidia's binary Linux driver. He or she allegedly reported it to Nvidia "over a month ago" and received no reply, nor was the flaw patched. The exploit has now been made public.
Software engineer Dave Airlie was sent details of the vulnerability. After testing it and confirming that it works, he posted the exploit for everyone to see on the full-disclosure@lists.grok.org.uk mailing list.
The flaw allows a local user who can open the /dev/nvidia0 device node to move the driver's VGA window until it covers useful physical RAM, giving read and write access to that memory, and then to gain root by writing directly into kernel memory. No prior privilege beyond access to the device node is needed. For reference, here's the full text of Airlie's disclosure:
First up, I didn't write this, but I have executed it and it did work here.
I was given this anonymously. It was sent to Nvidia over a month ago with no reply or advisory, and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I'd post it for them.
It basically abuses the fact that the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write somewhere useful in physical RAM, then it just does a privilege escalation by writing directly to kernel memory.
Dave.
I have contacted Nvidia about this security hole. I have also contacted Airlie for any more information he may be willing to provide. I will update you if and when I hear back.
Update at 4:30 PM PST - "I work for Red Hat in the graphics team, and we reported the issue via nvidia security channels in mid June with no response," Airlie told me. "The original author then asked that I send it to full-disclosure if we heard nothing back in a month."
Talkback
Ouch
** FIXED **
Answer ID 3140, published 08/02/2012 02:03 PM, updated 08/06/2012 12:26 PM:
http://nvidia.custhelp.com/app/answers/detail/a_id/3140
Reported over a month ago? Take that Linus T.
Nvidia
P.S. We won't forget the F*bomb.
#2. You're still trolling but neglected to show proof regarding a post you did earlier regarding companies reading email. So, like normal, you have no proof to support your claims.
This is an act of a 3rd-party module/driver from a company that hooks into the kernel, just like the trojan that had an MS-signed cert to install into the system without questions. At least a user would have to drop to a console, give an admin password and then install the driver.
But reputations were staked on this not being possible