[SECURITY EXPLOIT] NVIDIA Linux Driver Hack Gives You Root Access?

Bug #1032344 reported by AG Restringere on 2012-08-02
40
This bug affects 8 people
Affects Status Importance Assigned to Milestone
NVIDIA Drivers Ubuntu
Undecided
Unassigned
nvidia-graphics-drivers-updates (Ubuntu)
Undecided
Unassigned

Bug Description

Apparently there is a security vulnerability with the current Nvidia Drivers that gives the attacker ROOT access?

Attack vunlerability description: http://permalink.gmane.org/gmane.comp.security.full-disclosure/86747

Sample attack code: http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin

Excerpt from Phoronix article:

Link: http://www.phoronix.com/scan.php?page=news_item&px=MTE1MTk

"David Airlie published this NVIDIA hack today to a mailing list (the exploit is attached there as a single C file). Airlie isn't the original author of this hack but rather the code was passed onto him by an anonymous user(s). The code was forwarded to NVIDIA Corp more than one month ago, but the official NVIDIA Linux proprietary driver developers have yet to act on the vulnerability. As a result, it was decided to release this to the public. Now maybe NVIDIA will take care of it since this 760 lines of C code can provide root access to a system running the NVIDIA binary blob.
First up I didn't write this but I have executed it and it did work here,

I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accept changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does an priv escalation by writing directly to kernel memory."

Questions:

1. Which Nvidia Proprietary driver versions does this affect?

2. Should we update to a specific version to avoid this?

3. Are Nvidia 295.49 x86_64 or i386 drivers safe?

4. Is Ubuntu 12.04 LTS 3.2.0-27-generic #43-Ubuntu immune from this?

5. Can you go upstream and contact Nvidia about this and get a fix issued?

tags: added: security
tags: added: verification-needed
removed: security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nvidia-graphics-drivers-updates (Ubuntu):
status: New → Confirmed
Boaz Dodin (bdcomp) wrote :

NVIDIA UNIX graphics driver exploit advisory:
http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Boaz, just saw this, waiting for Ubuntu and Canonical to finally make 303.32 the DEFAULT Nvidia-current binary and they are still lagging behind with the 295.xx series and X-swat is still pushing the tainted 302.xx series so waiting for them to do this to resolve this bug...

Norbert (asterix52) wrote :

They added the fix for the 302.17.

Format: 1.8
Date: Sat, 04 Aug 2012 17:57:46 -0400
Source: nvidia-graphics-drivers
Binary: nvidia-current nvidia-current-dev
Architecture: source
Version: 302.17-0ubuntu1~precise~xup2
Distribution: precise
Urgency: low
Maintainer: Ubuntu Core Developers <email address hidden>
Changed-By: Brandon Snider <email address hidden>
Description:
 nvidia-current - NVIDIA binary Xorg driver, kernel module and VDPAU library
 nvidia-current-dev - NVIDIA binary Xorg driver development files
Changes:
 nvidia-graphics-drivers (302.17-0ubuntu1~precise~xup2) precise; urgency=low
 .
   * Added nvidia-blacklist-vga-pmu-registers-256-304.diff to fix security hole.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions