Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines

There’s nothing like a zero-day to ruin the holiday break, but that’s just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker.


Peter Winter-Smith, formerly of the U.K. firm NGS Software, posted details of the vulnerability and a working exploit to Pastebin. In the write-up he explains that the service is vulnerable to a stack buffer overflow, and that his exploit bypasses data execution prevention (DEP) and address space layout randomization (ASLR), the memory-protection mitigations Windows has shipped since Windows Vista.

“The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. “The buffer overflow occurs as a result of a bad memmove operation.”

Winter-Smith told Threatpost the vulnerability is difficult to exploit remotely: the remote case applies only to domain-joined machines, and the target would have to have relaxed firewall rules and file sharing enabled so that the named pipe can be reached across the network.

“In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy,” Winter-Smith said. “It’s not incredibly serious (compared to, say, a browser exploit). If it were going to put people at risk I’d not have released exploit code and I’d have informed the vendor and kept quiet until a fix were issued.”

Winter-Smith said an attacker could exploit the vulnerability in two ways. With local access, an ordinary user could escalate to the rights of the service itself, which runs as SYSTEM, giving them full control over the machine. Remotely, the same attack could be run against machines on the same Windows domain, provided the target has file sharing enabled or its firewall disabled so that the named pipe is reachable from the network.

A memmove copies a run of bytes from a source address to a destination. Winter-Smith said the service performs this copy without validating the request: the attacker controls both the source offset and the number of bytes copied into a fixed-size response buffer on the stack. A long copy therefore does two things at once: it reads past the intended source into adjacent process memory, which is then sent back to the client as part of the response (an information leak that defeats ASLR), and it writes past the end of the response buffer, overwriting the rest of the stack frame, including the saved return address.

“The memmove function copies data from one place in memory to another, and the fact that it was not properly used allowed me to both copy data critical to bypassing the Windows protections,” Winter-Smith said, “by copying private data in memory within the Nvidia service process into the data buffer that would be sent back to me, and trigger the vulnerability (by overwriting memory sufficient to give me full control over what the Nvidia service would try to do once the processing of my messages had completed).”
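As an added illustration of the bug class described in the two paragraphs above (this is example code, not code from the page or from Winter-Smith's exploit), the C program below models a pipe handler that memmoves an attacker-chosen offset and length into a fixed stack buffer. The buffer sizes, the frame layout, and the "private pointer" sitting beside the received message are assumptions chosen to make both effects visible: one request leaks the private value into the tail of the response, a second overwrites the saved return address with attacker-supplied bytes. A bounds-checked handler, written so that the offset/length check cannot wrap a 32-bit length, rejects both requests while still serving a well-formed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class the page describes: a handler that memmoves an
 * attacker-chosen (offset, length) into a fixed stack buffer.  All sizes and
 * the layout below are assumptions, not the real nvsvc frame. */
#define MSG_CAP  128u   /* bytes of one received pipe message */
#define RESP_LEN  64u   /* response buffer on the handler's stack */
#define RET_LEN    8u   /* saved return address right after it (assumed) */

struct server_state {            /* process memory the source pointer walks over */
    uint8_t  msg[MSG_CAP];       /* attacker-supplied message body */
    uint64_t private_ptr;        /* private data next to it, e.g. a code address */
};

struct stack_frame {             /* handler's stack: response, then saved return */
    uint8_t bytes[RESP_LEN + RET_LEN];
};

static uint64_t saved_ret(const struct stack_frame *f)
{
    uint64_t v;
    memcpy(&v, f->bytes + RESP_LEN, RET_LEN);
    return v;
}

/* Vulnerable: neither src_off nor len is checked against either buffer. */
static int handle_vuln(const struct server_state *st, uint32_t src_off,
                       uint32_t len, struct stack_frame *frame)
{
    memmove(frame->bytes, (const uint8_t *)st + src_off, len);
    return 0;
}

/* Hardened: bound len by the destination and (src_off, len) by the source.
 * "len > MSG_CAP - src_off" avoids the overflow-prone "src_off + len" form. */
static int handle_safe(const struct server_state *st, uint32_t src_off,
                       uint32_t len, struct stack_frame *frame)
{
    if (len > RESP_LEN)
        return -1;
    if (src_off > MSG_CAP || len > MSG_CAP - src_off)
        return -1;
    memmove(frame->bytes, st->msg + src_off, len);
    return 0;
}

static void setup(struct server_state *st, struct stack_frame *f,
                  uint64_t private_ptr, uint64_t ret)
{
    memset(st, 0x41, sizeof *st);          /* constructed message body: 'A' filler */
    st->private_ptr = private_ptr;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + RESP_LEN, &ret, RET_LEN);
}

/* Step 1, the leak: pick src_off so the copy's tail runs past msg[] into
 * private_ptr; the last 8 bytes of the response now carry that value. */
uint64_t demo_leak(void)
{
    struct server_state st;
    struct stack_frame f;
    setup(&st, &f, 0x7ff6d3c01000ULL, 0x4141414141414141ULL);
    uint32_t src_off = MSG_CAP - (RESP_LEN - RET_LEN);   /* 72 */
    handle_vuln(&st, src_off, RESP_LEN, &f);
    uint64_t leaked;
    memcpy(&leaked, f.bytes + RESP_LEN - RET_LEN, RET_LEN);
    return leaked;                                        /* == private_ptr */
}

/* Step 2, the overflow: len exceeds RESP_LEN by exactly RET_LEN, so bytes
 * 64..71 of the attacker's message land on the saved return address. */
uint64_t demo_overflow(void)
{
    struct server_state st;
    struct stack_frame f;
    setup(&st, &f, 0x7ff6d3c01000ULL, 0x4141414141414141ULL);
    uint64_t target = 0xdeadbeefcafef00dULL;   /* constructed attacker-chosen address */
    memcpy(st.msg + RESP_LEN, &target, RET_LEN);
    handle_vuln(&st, 0, RESP_LEN + RET_LEN, &f);
    return saved_ret(&f);                       /* == target */
}

/* Same two requests against the checked handler: both rejected, a
 * well-formed request still served, saved return untouched.  Returns 1. */
int demo_hardened(void)
{
    struct server_state st;
    struct stack_frame f;
    setup(&st, &f, 0x7ff6d3c01000ULL, 0x4141414141414141ULL);
    int leak_rc = handle_safe(&st, MSG_CAP - (RESP_LEN - RET_LEN), RESP_LEN, &f);
    int ovf_rc  = handle_safe(&st, 0, RESP_LEN + RET_LEN, &f);
    int ok_rc   = handle_safe(&st, 0, 16, &f);
    return leak_rc == -1 && ovf_rc == -1 && ok_rc == 0 &&
           saved_ret(&f) == 0x4141414141414141ULL;
}

int main(void)
{
    printf("leaked private pointer:      0x%llx\n", (unsigned long long)demo_leak());
    printf("saved return after overflow: 0x%llx\n", (unsigned long long)demo_overflow());
    printf("hardened handler correct:    %d\n", demo_hardened());
    return 0;
}
```

The two requests are the same primitive used twice, which is the point Winter-Smith makes: the leak supplies an address that defeats ASLR, and the overflow then redirects execution to it. In the hardened handler the source check is written as `len > MSG_CAP - src_off` rather than `src_off + len > MSG_CAP` because the latter silently wraps for large 32-bit values and lets an oversized copy through.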

Nvidia, based in Santa Clara, Calif., builds graphics processing units for PCs, mobile and embedded devices, as well as processors for high-performance computing systems. Nvidia competes with Intel, AMD and Qualcomm in these markets. The nvsvc32.exe service in question here runs automatically on any Windows machine with an Nvidia GPU and the vendor's driver package installed.

Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it to Nvidia first and wait for a fix.

“I am definitely not averse to responsible disclosure and typically do follow a responsible disclosure process, however the risk from this particular flaw being exploited was (is) sufficiently low that I didn’t think it would warrant the wait,” he said.


Discussion

  • Devin on

    I see that the exploit has been taken down. I really hope this was actually reported to Nvidia, as if tied to a web-utilized runtime such as Java it has far greater abuse potential than it’s been given credit for. Most successful attacks come through third-party programs these days, so trivializing it is highly disingenuous.

  • Anonymous on

    Just disable the service? In my experience, disabling the service prevents access to the Nvidia control panel by right-clicking on the desktop, but it is still accessible in the Control Panel. I usually disable it to tone down the bloatware anyway.

  • Anonymous on

    I have Nvidia graphics. Should I be concerned? Is there something I should do? Will Malwarebytes pick up this threat? I am asking because although none of my scans show threats, my computer is running slow. For example, when I try to go from one page to another it takes forever to get to the page, if sometimes at all. When I use Chrome I notice that it says waiting for cache. Also, my CPU usage sometimes goes to 90% or more even if I am not doing anything but reading, and my HD seems to be running at top speed. I keep my computer clean of temp files, junk files, etc., and run scans constantly. Also there are a lot of locked files. Could all of this be due to the flaw in Nvidia? My hard drive is brand new, and I also just had an installation of Win 7 Professional. I am using a 64-bit OS. Please let me know if there is something I can do to see if I have this Nvidia threat. Thank you.

  • AtomicBitch on

    Agree, simple solution: disable the service and perform manual updates. Also delete the account nVidia creates in ~\Users\UpdateStatusUser. This is an account; go figure why on earth nVidia requires an account on one's computer anyway. This opens another whole mess of issues regardless of the one service mentioned in this attack and vulnerability. If an account exists, we're missing the normal sysadministration of one's computer, client or server. An account means access. Who or what does not matter; it is an account on "a" machine. This too should be slapped to nVidia's accountability. What on earth are they thinking? And why has this never been addressed either!

  • Anonymous on

    Not much of a problem for home users, but what about enterprise users?

    Most users have file sharing enabled and the domain firewall turned off for custom applications and services. Any tech-savvy user inside the environment could hijack the PC. Doesn't seem that low-risk to me.
