A freelance security consultant by the name of Peter Winter-Smith has discovered a stack buffer overflow in Nvidia's drivers that could allow an unauthenticated remote attacker to compromise your system and gain control over it.
"Here is an interesting exploit for a stack buffer overflow in the Nvidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.
The buffer overflow occurs as a result of a bad memmove operation, with the stack layout effectively looking like this:
The memmove copies data from the received-data buffer into the response-buf buffer, unchecked. It is possible to control the offset from which the copy starts in the received-data buffer by embedding a variable length string - which forms part of the protocol message being crafted - as well as the number of bytes copied into the response buffer.
The amount of data sent back over the named pipe is related to the number of bytes copied rather than the maximum number of bytes that the buffer is able to safely contain, so it is possible to leak stack data by copying from the end of the received-data buffer, through the response-buf buffer (which is zeroed first time round, and second time round contains whatever was in it beforehand), right to the end of the stack frame (including stack cookie and return address).
As the entire block of data copied is sent back, the stack cookie and nvvsvc.exe base can be determined using the aforementioned process. The stack is then trashed, but the function servicing pipe messages won't return until the final message has been received, so it doesn't matter too much.
It is then possible to exploit the bug by sending two further packets of data: One containing the leaked stack cookie and a ROP chain dynamically generated using offsets from the leaked nvvsvc.exe base (which simply fills the response-buf buffer when this data is echoed back) and a second packet which contains enough data to trigger an overwrite if data is copied from the start of the received-data buffer into the response-buf (including the data we primed the latter to contain - stack cookie and ROP chain).
Allowing the function to then return leads to execution of our ROP chain, and our strategically placed Metasploit net user /add shellcode! We get continuation of execution for free because the process spins up a thread to handle each new connection, and there are no deadlocks etc.
I've included two ROP chains, one which works against the nvvsvc.exe running by default on my Win7/x64 Dell XPS 15/ Nvidia GT540M with drivers from the Dell site, and one which works against the latest version of the drivers for the same card from Nvidia." Update:
Nvidia has released ForceWare 310.90 WHQL
which solves this issue.