There’s nothing like a zero-day to ruin the holiday break, but that’s just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker.
Peter Winter-Smith, formerly of NGS Software in the U.K., posted details of the vulnerability and a working exploit to Pastebin. In it, he explains that the service is vulnerable to a stack buffer overflow, and that his exploit bypasses data execution prevention (DEP) and address space layout randomization (ASLR), the exploit mitigations that Windows has shipped with since Windows Vista.
“The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. “The buffer overflow occurs as a result of a bad memmove operation.”
Winter-Smith told Threatpost the vulnerability is difficult to exploit remotely because it mostly affects domain-joined machines, and those machines would have to have relaxed firewall rules and file sharing enabled before the pipe is reachable over the network.
“In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy,” Winter-Smith said. “It’s not incredibly serious (compared to, say, a browser exploit). If it were going to put people at risk I’d not have released exploit code and I’d have informed the vendor and kept quiet until a fix were issued.”
Winter-Smith said an attacker could exploit the vulnerability in two ways: locally, escalating from an ordinary user account to administrator-level privileges and gaining full control over the machine; or remotely, against machines on the same Windows domain whose users have enabled file sharing or disabled their firewall, which makes the service's named pipe reachable from another host.
A memmove call copies a specified number of bytes from a source address to a destination. Winter-Smith said the service performs this copy without validating its arguments: an attacker controls both the source location and the number of bytes copied into the response buffer. Copying from beyond the intended region leaks the service's memory, including stack contents, back to the attacker, and a copy longer than the response buffer overwrites whatever follows it on the stack.
“The memmove function copies data from one place in memory to another, and the fact that it was not properly used allowed me to both copy data critical to bypassing the Windows protections,” Winter-Smith said, “by copying private data in memory within the Nvidia service process into the data buffer that would be sent back to me, and trigger the vulnerability (by overwriting memory sufficient to give me full control over what the Nvidia service would try to do once the processing of my messages had completed).”
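How the unchecked copy described above yields both a leak and an overflow, as an added example in C that is not Nvidia's code and not Winter-Smith's exploit: a simplified request handler whose source offset and byte count come straight from the client, beside a version that bounds-checks both. The service memory layout, the request format, the sizes and the "secret" bytes are all constructed for the demo; the over-read is kept inside one allocation so the program leaks rather than crashes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Nvidia's code: a simplified message handler that
 * reproduces the bug class in the article, an attacker-controlled source
 * offset and byte count passed to memmove without checks. The layout,
 * request format, sizes and the "secret" bytes are all constructed. */

#define DATA_LEN   64  /* bytes the protocol is meant to expose           */
#define SECRET_LEN 32  /* private service data that follows it in memory  */
#define RESP_MAX   48  /* capacity of the caller's stack response buffer  */

/* One flat region, [DATA_LEN public][SECRET_LEN secret], so the over-read
 * below stays inside a real allocation: the demo leaks, it does not crash. */
struct service_mem {
    uint8_t bytes[DATA_LEN + SECRET_LEN];
};

/* Constructed request: the client chooses where to copy from and how much. */
struct request {
    uint32_t offset;
    uint32_t length;
};

/* Vulnerable handler: trusts both fields. An offset/length reaching past
 * DATA_LEN copies secret bytes into the reply (the leak used to defeat
 * ASLR); a length above the real buffer size would also write past the
 * end of the caller's stack buffer (the overflow). Returns bytes copied. */
size_t handle_unchecked(const struct service_mem *mem,
                        const struct request *rq, uint8_t *resp)
{
    memmove(resp, mem->bytes + rq->offset, rq->length);
    return rq->length;
}

/* Hardened handler: every quantity that feeds memmove is validated against
 * the destination capacity and the public region. The subtraction form
 * avoids integer overflow in offset + length. Returns bytes copied, 0 if
 * the request was rejected. */
size_t handle_checked(const struct service_mem *mem,
                      const struct request *rq, uint8_t *resp, size_t resp_cap)
{
    if (rq->length == 0 || rq->length > resp_cap)
        return 0;                               /* destination bound */
    if (rq->offset > DATA_LEN || rq->length > DATA_LEN - rq->offset)
        return 0;                               /* source bound      */
    memmove(resp, mem->bytes + rq->offset, rq->length);
    return rq->length;
}

/* Fill the demo memory: public data 'A', secret 'S'. */
void init_mem(struct service_mem *mem)
{
    memset(mem->bytes, 'A', DATA_LEN);
    memset(mem->bytes + DATA_LEN, 'S', SECRET_LEN);
}

/* How many secret bytes ended up in a reply of n bytes. */
size_t count_secret_bytes(const uint8_t *resp, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (resp[i] == 'S')
            c++;
    return c;
}

/* A request starting 16 bytes before the end of the public data and asking
 * for a full reply: the unchecked handler leaks 32 secret bytes. */
size_t demo_unchecked_leak(void)
{
    struct service_mem mem;
    uint8_t resp[RESP_MAX];
    struct request rq = { DATA_LEN - 16, RESP_MAX };
    init_mem(&mem);
    return count_secret_bytes(resp, handle_unchecked(&mem, &rq, resp));
}

/* The same request against the hardened handler is refused (returns 0). */
size_t demo_checked_same_request(void)
{
    struct service_mem mem;
    uint8_t resp[RESP_MAX];
    struct request rq = { DATA_LEN - 16, RESP_MAX };
    init_mem(&mem);
    return handle_checked(&mem, &rq, resp, sizeof resp);
}

int main(void)
{
    printf("unchecked handler leaked %zu secret bytes\n", demo_unchecked_leak());
    printf("checked handler copied %zu bytes for the same request\n",
           demo_checked_same_request());
    return 0;
}
```

The hardened version checks the destination capacity and the source region separately, and writes the source check as `length > DATA_LEN - offset` rather than `offset + length > DATA_LEN` so that a huge client-supplied offset cannot wrap the addition and slip past the test.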
Nvidia, based in Santa Clara, Calif., builds graphics processing units for PCs, mobile and embedded devices, as well as other processing applications for high-performance computing systems. Nvidia competes with Intel, AMD and Qualcomm in these markets. The nvsvc32.exe service in question runs automatically on any Windows machine with an Nvidia GPU.
Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it privately and wait for a fix.
“I am definitely not averse to responsible disclosure and typically do follow a responsible disclosure process, however the risk from this particular flaw being exploited was (is) sufficiently low that I didn’t think it would warrant the wait,” he said.



I see that the exploit has been taken down. I really hope this was actually reported to Nvidia, as if tied to a web-utilized runtime such as Java it has far greater abuse potential than it has been given credit for. Most successful attacks come through third-party programs these days, so trivializing it is highly disingenuous.
Just disable the service? In my experience disabling the service prevents access to the Nvidia control panel by right-clicking on the desktop, but it is still accessible in the Control Panel. I usually disable it to tone down the bloatware anyway.
I have Nvidia graphics. Should I be concerned? Is there something I should do? Will Malwarebytes pick up this threat? I am asking because although none of my scans show threats, my computer is running slow. For example, when I try to go from one page to another it takes forever to get to the page, if sometimes at all. When I use Chrome I notice that it says waiting for cache. Also, my CPU usage sometimes goes to 90% or more even if I am not doing anything but reading, and my HD seems to be running at top speed. I keep my computer clean of temp files, junk files, etc., and run scans constantly. Also there are a lot of locked files. Could all of this be due to the flaw in Nvidia? My hard drive is brand new, and I also just had an installation of Win 7 Professional. I am using a 64-bit OS. Please let me know if there is something I can do to see if I have this Nvidia threat. Thank you.
Agree, simple solution: disable the service and perform manual updates. Also delete the account nVidia creates in ~UsersUpdateStatusUser. This is an account; go figure why on earth nVidia requires an account on one's computer anyway. This opens another whole mess of issues regardless of the one service, attack and vulnerability mentioned. If an account exists, we're missing the normal sysadministration of one's computer, client or server. An account means access. Who or what does not matter; it is an account on "a" machine. This too should be slapped to nVidia's accountability. What on earth are they thinking? And why has this never been addressed either?
Not much of a problem for home users, but what about enterprise users?
Most users have file sharing enabled and the domain firewall turned off for custom applications and services. Any tech savvy user inside the environment could hijack the pc. Doesn’t seem that low risk to me.
You only need to be concerned if you have file sharing enabled and no firewall protection at all.
The solution you describe has nothing to do with this exploit. The exploit is for the Nvidia display driver service, not the Nvidia update service. Disabling the update service will not prevent this exploit from happening.
They were using the *NIX thinking. Only give enough privileges for the service to perform the actions it needs to do. Windows however gives all services the same (admin level) access running under the SYSTEM account (the *NIX equivalent of root). Some services are allowed to run under LOCAL SERVICE or NETWORK SERVICE, which I presume offer less privileges, but not to the fine grained scale that can be achieved with unique user accounts for each service as has been used for decades under *NIX. The privileges granted for the Updatus user may possibly (I haven’t checked) deny remote and local console login to help reduce the potential for the account to become compromised.