Nvidia Zero Day Eliminated

Wednesday, January 9, 2013 @ 06:01 PM gHale


Nvidia closed a Zero Day by releasing a new driver for its graphics cards that includes a security update for the Nvidia Display Driver Service. The vulnerability came to light on Christmas Day.

UK researcher Peter Winter-Smith posted details of a stack buffer overflow vulnerability in the service to Pastebin, along with his exploit, which bypassed DEP and ASLR on Windows machines.


Winter-Smith said the issue was not severe given the conditions under which an attacker would have to carry out the exploit.

“I have had a quick look at the patch and it does indeed appear to address the issue and it does so by entirely removing the endpoint over which the vulnerability could be exploited (the listening named pipe instance),” Winter-Smith said. “So for this particular Nvidia service, this issue should have been completely addressed. If there were other similar weaknesses within the service which could be exploited in the same fashion, these should have also been addressed by the fix.”

An attacker would only be able to successfully exploit the vulnerability if he or she was on a machine in the same domain and firewall rules were severely relaxed, or file sharing was turned on. With local access, an attacker could elevate their privileges to root, or if the above conditions were met, could gain remote access from the same domain.

“The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. The details and exploit have since been deleted from his Pastebin post. “The buffer overflow occurs as a result of a bad memmove operation.”

A memmove operation copies a given number of bytes from a source location to a destination in memory. Winter-Smith said the service copies data unchecked: an attacker would be able to control the source location as well as the number of bytes copied into the response buffer, and would be able to leak data from the stack by overflowing it.
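
The bug class described above, shown as an added example that is not code from Nvidia's driver or from Winter-Smith's post: a handler that passes a client-supplied offset and length straight to memmove, next to a version that validates both against the source and destination sizes. The struct layout, function names and buffer sizes are assumptions made for illustration; per Winter-Smith, Nvidia's actual fix removed the named pipe endpoint rather than adding checks like these.

```c
#include <stddef.h>
#include <string.h>

#define RESP_CAP 64  /* constructed size; the page gives no real buffer sizes */

/* Hypothetical request fields: both values arrive from the pipe client. */
struct request {
    size_t src_off;   /* where in the received data to start copying */
    size_t copy_len;  /* how many bytes to copy into the response */
};

/* The pattern the article describes: offset and length are used as-is.
 * A large copy_len writes past resp; a large src_off reads past data. */
void build_response_unchecked(unsigned char resp[RESP_CAP],
                              const unsigned char *data,
                              const struct request *rq)
{
    memmove(resp, data + rq->src_off, rq->copy_len);
}

/* Hardened form: reject any request whose range leaves either buffer.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
long build_response_checked(unsigned char *resp, size_t resp_cap,
                            const unsigned char *data, size_t data_len,
                            const struct request *rq)
{
    if (rq->copy_len > resp_cap)
        return -1;                 /* would overflow the destination */
    if (rq->src_off > data_len)
        return -1;                 /* start lies outside the source */
    if (rq->copy_len > data_len - rq->src_off)
        return -1;                 /* end lies outside the source; written as a
                                      subtraction so the sum cannot wrap around */
    memmove(resp, data + rq->src_off, rq->copy_len);
    return (long)rq->copy_len;
}

/* Runs the checked handler on a constructed 32-byte message. */
long demo(size_t off, size_t len)
{
    unsigned char data[32], resp[RESP_CAP];
    struct request rq = { off, len };
    memset(data, 'A', sizeof data);
    return build_response_checked(resp, sizeof resp, data, sizeof data, &rq);
}
```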


