Privilege escalation security hole found in Nvidia Linux driver

Summary: A new security hole has been discovered in Nvidia's Linux driver. Nvidia has allegedly known about the vulnerability for more than a month but has yet to fix it.

TOPICS: Security, Hardware, Linux
An anonymous hacker has found a security hole in the Nvidia binary. He or she allegedly reported it to Nvidia "over a month ago" and did not receive a reply, nor was the flaw ever patched. The exploit has now been made public.

Software Engineer Dave Airlie was sent details of the vulnerability. After testing it out and discovering that it indeed works, he posted the exploit for everyone to see over at the mailing list full-disclosure@lists.grok.org.uk.

The flaw essentially allows an attacker to read and write any part of physical memory on the system by shifting the VGA window exposed through the driver's device node, and then to use that write access to kernel memory to gain superuser privileges. For reference, here's the full text of Airlie's disclosure:

First up, I didn't write this, but I have executed it and it did work here.

I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does a priv escalation by writing directly to kernel memory.

Dave.

I have contacted Nvidia about this security hole. I have also contacted Airlie for any more information he may be willing to provide. I will update you if and when I hear back.

Update at 4:30 PM PST - "I work for Red Hat in the graphics team, and we reported the issue via nvidia security channels in mid June with no response," Airlie told me. "The original author then asked that I send it to full-disclosure if we heard nothing back in a month."

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

26 comments
  • Ouch

    If this driver were open source it would most likely have been patched by now.
    Divergex
    • ** FIXED **

      "NVIDIA UNIX graphics driver exploit advisory.
      Answer ID 3140
      Published 08/02/2012 02:03 PM
      Updated 08/06/2012 12:26 PM"
      http://nvidia.custhelp.com/app/answers/detail/a_id/3140
      Rabid Howler Monkey
  • Reported over a month ago? Take that Linus T.

    Warm (actually, lukewarm) regards,

    Nvidia

    P.S. We won't forget the F*bomb.
    Rabid Howler Monkey
    • If there is one good thing here

      This only affects desktop / laptop Linux computers with NVidia graphics. In other words, this affects about 3 people.
      toddbottom3
      • And coming from a so-called 'expert' like you...

        ...you're one of the three, right?
        CaviarBlack
    • Wow, 2 flags

      The F*bomb Linus T. tossed at Nvidia approx. a month and a half ago was not, exactly, a good public relations move.
      Rabid Howler Monkey
  • Privilege escalation security hole found in Nvidia Linux driver

    Remember what I was saying about linux being insecure and drivers? This is like a 2 in 1. Now I can laugh at you all. HAHAHAHA!
    Loverock Davidson-
    • I laugh at you all the time

      Your mommy told me to stop. I told her I would if she bends over.

      She hasn't yet, but soon. :)
      CaviarBlack
    • I'm still amazed

      #1. You're working after 5pm (PST).. I thought MS sent the astroturfers home by now.
      #2. You're still trolling but neglected to show proof regarding a post you did earlier regarding companies reading email.. So like normal you have no proof to support your claims..

      This is an act of a 3rd party module/driver from a company that hooks into the kernel.. Just like the trojan that had an MS signed cert to install into the system w/o questions.. At least a user would have to drop to console, and give an admin password then install the driver.
      Anthony E
  • But reputations were staked on this not being possible

    Quite the punch to the gut.
    toddbottom3
  • nvidia

    Patch your software.
    daikon
    • Linux

      Be a more secure OS
      toddbottom3
      • blah blah blah blah....

        Again you started your babbling about security in Linux? Last time you were confused by virus and malware now this! You don't know sh* about security man go troll for another subject!
        L3thargic
        • What you wrote vs what I read

          waaaaa waaaaa

          waaaa waaaa waaaa

          *mommy* waaaa waaaa waaaa
          toddbottom3
          • you poor fellow !

            that's because you are so tiny winy and can't understand adults ^^
            L3thargic
          • He stopped lying about his imaginary iPad a while back

            He knew everybody started believing it was bullshit so this is his new tack.

            Right, todd's bottom?
            CaviarBlack
        • You can't go off his statements..

          He doesn't know what the difference is between a trojan and a virus.. He probably got hit by Win 7 security and the people at Best Buy informed him about his "viruses".
          Anthony E
      • This does beg the question

        Did Software Engineer Dave Airlie have Linux Security Modules (LSM) enabled when testing the exploit?
        Rabid Howler Monkey
        • Does Emma Smith of Conway Arkansas?

          If an OS in its default configuration can't protect its users, it is a security fail.

          Or have the rules changed since last time you guys wrote them?
          toddbottom3
          • Yet again, you entirely miss the point

            We were told that Linux with LSM is immune to 0-days.
            Rabid Howler Monkey