
Researcher Unwraps Dangerous NVIDIA Driver Exploit

Submitted by wiredmikey
wiredmikey (1824622) writes "A security researcher from the U.K. exposed an interesting and dangerous exploit for the NVIDIA Display Driver Service on Christmas Day, which enables an attacker to install a user on the target system, completely bypassing DEP and ASLR protections.

The primary focus of the bug is information leakage, which allows stack cookies to be bypassed. From there, the proof-of-concept code released with the vulnerability’s disclosure enables an attacker to create a super user account on the targeted system for remote access. In the example published by Peter Winter-Smith, a simple Metasploit module was used to create the user r00t, and add it to the Administrators group. “The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith explained in his disclosure note.

While there are mitigations that will prevent this exploit from being widely targeted, it’s still a valid platform of attack; one that works with the latest drivers on systems running Windows 7."
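A defender-side check for the condition the disclosure describes, added here as an example and not code from the article or from Winter-Smith's advisory: it reads the DACL of each named pipe on a Windows host and flags any pipe that Everyone, ANONYMOUS LOGON or Authenticated Users is allowed to write to, which is exactly what a NULL DACL on \pipe\nsvr amounts to. It assumes Windows PowerShell 5.1 on .NET Framework, where PipeStream.GetAccessControl() is available; the function names are this example's own.

```powershell
# Added example: audit named-pipe DACLs for the exposure the disclosure describes.
# Assumes Windows PowerShell 5.1 / .NET Framework (PipeStream.GetAccessControl exists there).
# Function names are the example's own, not part of any NVIDIA or Microsoft tooling.

function Get-NamedPipeAcl {
    param([Parameter(Mandatory)][string]$Name)
    # Open read-only: GENERIC_READ includes READ_CONTROL, which is all that fetching the
    # security descriptor needs. The short Connect timeout avoids hanging on a server
    # that has no pending accept right now.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $Name,
        [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect(200)
        return $client.GetAccessControl()
    } finally {
        $client.Dispose()
    }
}

function Test-NamedPipeWritableByAnyone {
    param([Parameter(Mandatory)][System.IO.Pipes.PipeSecurity]$Acl)
    # Principals whose write access means "any local user, or any account in the domain".
    # A NULL DACL (no DACL at all, the nsvr case) is surfaced by .NET as an Allow rule
    # for Everyone with FullControl, so the same test catches it.
    $broadSids = @(
        'S-1-1-0'    # Everyone
        'S-1-5-7'    # ANONYMOUS LOGON
        'S-1-5-11'   # Authenticated Users
    )
    $writeBit = [System.IO.Pipes.PipeAccessRights]::WriteData   # FullControl includes it
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($broadSids -contains $rule.IdentityReference.Value) -and
            (($rule.PipeAccessRights -band $writeBit) -eq $writeBit)) {
            return $true
        }
    }
    return $false
}

function Find-OpenNamedPipes {
    # Enumerate every pipe on this host and report the ones any user may write to.
    foreach ($pipe in Get-ChildItem -Path '\\.\pipe\') {
        try { $acl = Get-NamedPipeAcl -Name $pipe.Name }
        catch {
            # Busy server, access denied or outbound-only pipe: note it and move on.
            Write-Verbose "skipped $($pipe.Name): $($_.Exception.Message)"
            continue
        }
        if (Test-NamedPipeWritableByAnyone -Acl $acl) {
            [pscustomobject]@{ Pipe = $pipe.Name; Sddl = $acl.GetSecurityDescriptorSddlForm('Access') }
        }
    }
}

Find-OpenNamedPipes | Format-Table -AutoSize
```

Connecting to a pipe wakes its server for a moment, so run this on hosts you administer and expect a few pipes to be skipped because the server only accepts outbound clients or refuses read access.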


  • The article says
    enables an attacker to install a user on the target system, completely bypassing Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections

    I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
    NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the articl

    • by Carnildo (712617)

      I don't know if such a pipe system is used or not, but if it is, the impact won't be anywhere near as severe. Linux pipes can only be accessed from the local system, while the type of Windows pipe the drivers use can be accessed by anyone in the same Windows network domain as the target computer.
