RegisterHomeNewsForumsArticlesDownloadsSearchContact usChat
Already a member? Sign in.

[ Home / Forums / News ]  
Critical Security Vulnerability Discovered in Nvidia ForceWare
Old 26 December 2012, 12:39   #1
Site Staff

Posts: 12,553
CPU: Intel Xeon W3680
GPU: Nvidia GeForce GTX 970
RAM: 3x4GB G.Skill Ares
PSU: Seasonic S12G-750
A freelance security consultant by the name of Peter Winter-Smith has discovered a stack buffer overflow in Nvidia's drivers that could allow an unauthenticated remote attacker to compromise your system and gain control over it.

"Here is an interesting exploit for a stack buffer overflow in the Nvidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.

The buffer overflow occurs as a result of a bad memmove operation, with the stack layout effectively looking like this:

[stack cookie]
[return address]
[arg space]

The memmove copies data from the received-data buffer into the response-buf buffer, unchecked. It is possible to control the offset from which the copy starts in the received-data buffer by embedding a variable length string - which forms part of the protocol message being crafted - as well as the number of bytes copied into the response buffer.

The amount of data sent back over the named pipe is related to the number of bytes copied rather than the maximum number of bytes that the buffer is able to safely contain, so it is possible to leak stack data by copying from the end of the received-data buffer, through the response-buf buffer (which is zeroed first time round, and second time round contains whatever was in it beforehand), right to the end of the stack frame (including stack cookie and return address).

As the entire block of data copied is sent back, the stack cookie and nvvsvc.exe base can be determined using the aforementioned process. The stack is then trashed, but the function servicing pipe messages won't return until the final message has been received, so it doesn't matter too much.

It is then possible to exploit the bug by sending two further packets of data: One containing the leaked stack cookie and a ROP chain dynamically generated using offsets from the leaked nvvsvc.exe base (which simply fills the response-buf buffer when this data is echoed back) and a second packet which contains enough data to trigger an overwrite if data is copied from the start of the received-data buffer into the response-buf (including the data we primed the latter to contain - stack cookie and ROP chain).

Allowing the function to then return leads to execution of our ROP chain, and our strategically placed Metasploit net user /add shellcode! We get continuation of execution for free because the process spins up a thread to handle each new connection, and there are no deadlocks etc.

I've included two ROP chains, one which works against the nvvsvc.exe running by default on my Win7/x64 Dell XPS 15/ Nvidia GT540M with drivers from the Dell site, and one which works against the latest version of the drivers for the same card from Nvidia."

Update: Nvidia has released ForceWare 310.90 WHQL which solves this issue.

Last edited by Regeneration; 6 January 2013 at 03:18..
Regeneration is online now  
Reply With Quote
Old 27 December 2012, 04:44   #2
Golden Member

Posts: 789
CPU: i7 6700K OC @ 4.9 Ghz
RAM: 16GB Corsair DDR4 2666
PSU: Corsair TX850M
Nvidia has problems too? Say it ain't so!
Thunder350 is offline   Reply With Quote
Old 28 December 2012, 02:27   #3
Destroyer of Worlds.

Posts: 653
CPU: i7 4790k
GPU: GTX 760
RAM: 16gb DDR3-3200
PSU: Corsair 1000HX
Send a message via AIM to darthcyclonis
Originally Posted by Thunder350 View Post
Nvidia has problems too? Say it ain't so!
Ikr. But this hole would take a lot to get though.
Destroyer of Worlds.
darthcyclonis is offline   Reply With Quote

Thread Tools
Rate This Thread
Rate This Thread:

driver, forceware, hacking, nvidia, software

All times displayed in UTC
Powered by vBulletin from vBulletin Solutions, Inc.

User Agent   Copyright 2014 - All Rights Reserved   Disclaimer