Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines

There’s nothing like a zero-day to ruin the holiday break, but that’s just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker.

NvidiaThere’s nothing like a zero-day to ruin the holiday break, but that’s just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker.

Peter Winter-Smith, formerly with the NGS Software of the U.K., posted details of the vulnerability and exploit to Pastebin. In it, he explains that the service is vulnerable to a stack buffer overflow that bypasses data execution prevention (DEP) and address space layout randomization (ASLR) running in the Windows operating system since Windows Vista.

“The service listens on a named pipe (pipensvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. “The buffer overflow occurs as a result of a bad memmove operation.”

Winter-Smith told Threatpost the vulnerability is difficult to exploit because it mostly affects domain-based machine, and the machines in question would have to have relaxed firewall rules and need to be able to share files.

“In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy,” Winter-Smith said. “It’s not incredibly serious (compared to—say–a browser exploit). If it were going to put people at risk I’d not have released exploit code and I’d have informed the vendor and kept quiet until a fix were issued.”

Winter-Smith said an attacker could exploit the vulnerability in two ways: with local access they could escalate privileges to root giving them full control over the machine; or remotely against machines on the same Windows domain if the user running Nvidia has enabled file sharing from their machine or has disabled their firewall, remote access can be gained.

Memmove operations copy data from a source location to a memory destination. Winter-Smith said the service copies data unchecked; an attacker would be able to control the source location as well as the number of bytes copied into the response buffer; an attacker would be able to leak data from the stack by overflowing it.

“The memmove function copies data from one place in memory to another, and the fact that it was not properly used allowed me to both copy data critical to bypassing the Windows protections,” Winter-Smith said, “by copying private data in memory within the Nvidia service process into the data buffer that would be sent back to me, and trigger the vulnerability (by overwriting memory sufficient to give me full control over what the Nvidia service would try to do once the processing of my messages had completed).”

Nvidia, based in Santa Clara, Calif., builds graphics processing units for PCs, mobile and embedded devices, as well as other processing applications for high-performance computing systems. Nvidia competes with Intel, AMD and Qualcomm in these markets. The nvsvc32.exe service in question here runs automatically on any Windows machine running a Nvidia GPU.

Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it.

“I am definitely not averse to responsible disclosure and typically do follow a responsible disclosure process, however the risk from this particular flaw being exploited was (is) sufficiently low that I didn’t think it would warrant the wait,” he said.

Suggested articles

intel graphics driver flaw

Bypassing ASLR in 60 Milliseconds

An academic paper demonstrates a new ASLR bypass executed through a side-channel attack against the branch target buffer in an Intel Haswell CPU.

Cybersecurity for your growing business
Cybersecurity for your growing business