PrntRhd (Premium Member, join:2004-11-03, Fairfield, CA), 1 recommendation:

Nvidia driver exploit allows super user escalation

»arstechnica.com/security ··· ity-bug/

A new GeForce driver has been released that fixes the issue less than two weeks since the flaw came to light.

norwegian (Premium Member, join:2005-02-15, Outback), 1 edit:

Maybe someone can explain more:

The proof-of-concept code allows attackers to create a super-user account on vulnerable systems that is added to a network's Administrator group, according to SecurityWeek.

The update service for Nvidia now has a user Updatus User
»www.nvidia.com/object/nv ··· ate.html
»forums.geforce.com/defau ··· suser-/1

Is this exploit creating a new user or just changing the already placed user with higher permissions?

Edit:
On second thoughts, it is a device driver after all. Permissions on the SOHO computer are already there; I've misunderstood the part about the super-user reference: that is relative to a hack over a network and an admin's computer controlling the network.

Either way, this seems serious enough that I've let the admins know... however, if they do their job correctly, they would be receiving emails or newsletters about this one, I would think.

CovMac (Premium Member, join:2000-11-06, Covington, LA) to PrntRhd:

Got it. Thanks!

psloss (Premium Member, join:2002-02-24) to norwegian:

said by norwegian:

Maybe someone can explain more:

The proof-of-concept code allows attackers to create a super-user account on vulnerable systems that is added to a network's Administrator group, according to SecurityWeek.

The update service for Nvidia now has a user Updatus User
»www.nvidia.com/object/nv ··· ate.html
»forums.geforce.com/defau ··· suser-/1

Is this exploit creating a new user or just changing the already placed user with higher permissions?

The proof of concept creates a new local account and adds it to the local Admins group (RID = 544); however, that's only one thing an attacker could do. The exploit exposes SYSTEM-level local privileges, which is probably what they mean by super-user (SYSTEM = S-1-5-18, analogous to 'root'). The SecurityWeek story quotes two of the ingredients: 1) service running as SYSTEM (kind of a default) and 2) service has a pipe open with a NULL DACL. Variations on this theme are still out there; as the story notes, this is a bigger threat in enterprise environments, given that elsewhere there's predominantly no need to elevate privileges.
said by norwegian:

Maybe someone can explain more:
Edit:
On second thoughts, it is a device driver after all. Permissions on the SOHO computer are already there; I've misunderstood the part about the super-user reference: that is relative to a hack over a network and an admin's computer controlling the network.

It's actually a service (user-mode) that communicates with the driver infrastructure, but that's neither here nor there.
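psloss's reply above separates what the bug yields (SYSTEM-level local privileges) from what the proof of concept does with them (a fresh local account placed in the local Administrators group, RID 544). The following is an added example, not code from the thread or from NVIDIA: a defender's check that looks in the Security log for exactly that footprint (event 4720, account created, followed by 4732, member added to a security-enabled local group whose SID is S-1-5-32-544) and lists the group's current membership. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets), an elevated prompt, and that "Audit User Account Management" and "Audit Security Group Management" are enabled; the function and variable names are mine.

```powershell
# Added example (not from the thread): find the PoC's footprint, a new local
# account added to BUILTIN\Administrators, in the Security log, then show who
# is in that group right now. Run elevated; auditing must be enabled.

$AdminsSid = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators (RID 544)
$Since     = (Get-Date).AddDays(-7)  # look-back window; adjust as needed

function Get-EventField {
    # Pulls one named <Data> element out of an event's EventData XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Find-NewLocalAdmins {
    param([datetime]$StartTime = $Since)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # 4720 = user account created; index the new account by its SID
    $created = @{}
    foreach ($e in $events | Where-Object Id -eq 4720) {
        $created[(Get-EventField $e 'TargetSid')] = $e
    }

    # 4732 = member added to a security-enabled local group; keep only Administrators
    foreach ($e in $events | Where-Object Id -eq 4732) {
        if ((Get-EventField $e 'TargetSid') -ne $AdminsSid) { continue }
        $memberSid = Get-EventField $e 'MemberSid'
        [pscustomobject]@{
            When       = $e.TimeCreated
            MemberSid  = $memberSid
            AddedBy    = Get-EventField $e 'SubjectUserName'
            # An account created in the same window and then added is the PoC's pattern
            NewAccount = $created.ContainsKey($memberSid)
            CreatedAt  = if ($created.ContainsKey($memberSid)) { $created[$memberSid].TimeCreated } else { $null }
        }
    }
}

function Get-CurrentLocalAdmins {
    # Resolve the group by SID so a renamed Administrators group is still found.
    Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, PrincipalSource, SID
}

Find-NewLocalAdmins | Sort-Object When | Format-Table -AutoSize
Get-CurrentLocalAdmins | Format-Table -AutoSize
```

A row with NewAccount = True whose AddedBy is a service account or a user who had no business creating accounts is the thing to chase; the same two event IDs are what a SIEM rule for this pattern would key on.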

norwegian (Premium Member, join:2005-02-15, Outback):

said by psloss:

The proof of concept creates a new local account and adds it to the local Admins group (RID = 544); however, that's only one thing an attacker could do. The exploit exposes SYSTEM-level local privileges, which is probably what they mean by super-user (SYSTEM = S-1-5-18, analogous to 'root'). The SecurityWeek story quotes two of the ingredients: 1) service running as SYSTEM (kind of a default) and 2) service has a pipe open with a NULL DACL. Variations on this theme are still out there; as the story notes, this is a bigger threat in enterprise environments, given that elsewhere there's predominantly no need to elevate privileges.

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

Null DACL:
»msdn.microsoft.com/en-us ··· 85).aspx

The presence of a null discretionary access-control list (DACL) in the nTSecurityDescriptor attribute of any object can create a serious security risk. A null DACL grants full access to any user that requests it; normal security checking is not performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL is a properly allocated and initialized DACL containing no access-control entries (ACEs). An empty DACL grants no access to the object it is assigned to.
For more information, see Null DACLs and Empty DACLs.

How was that one missed?
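The two ingredients psloss listed (a service running as SYSTEM and a named pipe whose DACL is NULL) and the NULL-versus-empty DACL distinction in the MSDN text quoted above can both be checked on a host you administer. The script below is an added example, not code from the thread, NVIDIA or Microsoft. It first classifies constructed SDDL strings so the three cases are visible side by side, then lists running services whose account is LocalSystem, then opens each local named pipe read-only and classifies its DACL. It assumes Windows PowerShell 5.1 (.NET Framework, where PipeStream.GetAccessControl exists). One assumption worth stating: from my reading of the .NET reference source, the ObjectSecurity classes materialize a NULL DACL as a single "Everyone: full access" ACE rather than reporting it as absent, so the live-pipe path also flags any allow ACE that gives Everyone write access, which is the same exposure. Pipes that refuse a read-only open are reported as unreadable rather than skipped. Function and variable names are mine.

```powershell
# Added example (not from the thread): audit (1) services running as SYSTEM and
# (2) named pipes whose DACL is NULL or lets Everyone write, plus a demonstration
# of NULL vs empty DACL on constructed SDDL strings. Windows PowerShell 5.1.

Add-Type -AssemblyName System.Core   # System.IO.Pipes

function Get-DaclState {
    # Classifies a security descriptor's DACL from its SDDL form; touches no real object.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl)   { return 'NullDacl'  }  # no D: section: no access check at all
    if ($sd.DiscretionaryAcl.Count -eq 0) { return 'EmptyDacl' }  # D: present, zero ACEs: nobody gets access
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000              # FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        # Everyone (S-1-1-0) allowed to write is as good as a NULL DACL for an attacker
        if ($ace.SecurityIdentifier.IsWellKnown([System.Security.Principal.WellKnownSidType]::WorldSid) -and
            ($ace.AccessMask -band $writeBits) -ne 0) { return 'EveryoneWritable' }
    }
    return 'Restricted'
}

# Constructed sample descriptors for the three cases in the MSDN text.
$samples = [ordered]@{
    'null DACL (no D: section)'    = 'O:SYG:SY'
    'empty DACL (D: with no ACEs)' = 'O:SYG:SYD:'
    'Everyone full access'         = 'O:SYG:SYD:(A;;FA;;;WD)'
    'Administrators + SYSTEM only' = 'O:SYG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)'
}
foreach ($k in $samples.Keys) { '{0,-32} {1}' -f $k, (Get-DaclState $samples[$k]) }

function Get-SystemServices {
    # Ingredient 1: running services whose process is LocalSystem (S-1-5-18). NVSvc is the one named in the thread.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, PathName
}

function Get-NamedPipeDacl {
    # Ingredient 2: the DACL on every pipe under \\.\pipe\ that a read-only client open can reach.
    # Opening a pipe briefly connects to its server, so run this as an audit on hosts you manage.
    $names = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring(9) }  # strip '\\.\pipe\'
    foreach ($name in $names) {
        $client = $null
        try {
            $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $name, [System.IO.Pipes.PipeDirection]::In)
            $client.Connect(200)   # ms; throws if no listening instance or access denied
            $sddl = $client.GetAccessControl().GetSecurityDescriptorSddlForm(
                        [System.Security.AccessControl.AccessControlSections]::Access)
            [pscustomobject]@{ Pipe = $name; Dacl = (Get-DaclState $sddl); Sddl = $sddl }
        } catch {
            [pscustomobject]@{ Pipe = $name; Dacl = 'Unreadable'; Sddl = $_.Exception.Message }
        } finally {
            if ($client) { $client.Dispose() }
        }
    }
}

Get-SystemServices | Format-Table -AutoSize
Get-NamedPipeDacl | Where-Object Dacl -in 'NullDacl', 'EveryoneWritable' | Format-Table -AutoSize
```

The interesting output is the intersection: a pipe in the second table that belongs to a process in the first. That is the configuration the story describes, and the fix on the vendor's side is a proper DACL on the pipe (or not running as SYSTEM at all), not anything in the driver.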

norwegian (Premium Member, join:2005-02-15, Outback) to psloss, 1 edit:

I found this link quite interesting too in regards to security group policy and Null DACLs.

»blogs.technet.com/b/askd ··· acl.aspx

The problem with security processing occurs when the file or folder residing in the targeted folder contains a null DACL. Explicitly, this file or folder does not have any permissions. So Windows cannot determine how to propagate inherited permissions to the object because the object itself does not actually have permissions.

Also this seems a good article: (English)
»edc.tversu.ru/elib/inf/0 ··· t-2.html

psloss (Premium Member, join:2002-02-24) to norwegian:

said by norwegian:

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

It's not a driver security issue; this exploit can be accomplished from user mode without involving the drivers. (There's a slight disconnect with whoever wrote the SecurityWeek headline.)

kickass69 (Member, join:2002-06-03, Lake Hopatcong, NJ):


Regardless, Nvidia should release an update for all its graphics cards, not just the ones it currently supports, for security issues. People who have 7000 series graphics cards and older will continue to be vulnerable otherwise.

La Luna "Fly With The Angels My Beloved Son Chris" (Premium Member, join:2001-07-12, New Port Richey, FL) to PrntRhd:

How do I know if I need this? I don't see my GPU in the list, but I ran the tool anyway. It doesn't tell me if I need this update.

About Your GPU: GeForce GTX260m
Your device supports: PhysX, CUDA
Your device does not support: DirectX 11, 3D Vision, SLI
Clock 500MHz, Memory 1024MB

phxuser (Member, join:2010-03-16, Scottsdale, AZ), 1 edit:


The security issue is with the Nvidia update service.

Correction: Vulnerability is Display Driver Service NVSvc

From the Nvidia website:
What is NVIDIA Update?
NVIDIA Update keeps your PC up-to-date with the latest NVIDIA drivers by notifying you when a new driver is available and directing you to the driver on www.nvidia.com. Starting with R275 drivers, NVIDIA Update also provides automatic updates for game and program profiles, including SLI profiles.

Which products are supported by NVIDIA Update?
NVIDIA Update provides notifications for GeForce and ION GPUs for both desktop and notebook PCs. Other NVIDIA GPUs are not supported at this time.

How do I get NVIDIA Update?
When you install a Release 270 or later GeForce/ION driver from www.nvidia.com, you will be presented with the option to install NVIDIA Update.

psloss (Premium Member, join:2002-02-24):


said by phxuser:

The security issue is with the Nvidia update service.

That's a separate service (which also happens to NOT be running as SYSTEM). The display name of the service is "NVIDIA Driver Helper Service"; it's also referred to in the context of this story as "NVidia Display Driver Service". The service name itself is NVSvc.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to phxuser:

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN), 1 recommendation:

said by Mele20:

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?

It trashes color settings?
Are you saying it does this for everyone who updates nVidia drivers, or just yourself?

siljaline "I'm lovin' that double wide" (Premium Member, join:2002-10-12, Montreal, QC) to PrntRhd:

In related news:
AMD warns of security hole in its Catalyst Control Center. I have an older ATI GPU that doesn't have the Control Center.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Dustyn:

I don't know if it happens to others or just me. I have a 660 GTX card on a Win 8 computer. The last nVidia driver update trashed my color settings. I was really surprised it did that. I used system restore to get back to the earlier version. I didn't really need that driver update, as it was to improve certain games that I don't have. It was not a security update.

PrntRhd (Premium Member, join:2004-11-03, Fairfield, CA) to Mele20:

said by Mele20:

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?

I updated my driver on this PC and it made the rendering improve. "Your mileage may vary".

norwegian (Premium Member, join:2005-02-15, Outback) to psloss, 1 edit:

said by psloss:

said by norwegian:

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

It's not a driver security issue; this exploit can be accomplished from user mode without involving the drivers. (There's a slight disconnect with whoever wrote the SecurityWeek headline.)

I should not have mentioned driver either, thank you for pointing that out and clarifying it for the discussion.
said by psloss:

That's a separate service (which also happens to NOT be running as SYSTEM). The display name of the service is "NVIDIA Driver Helper Service"; it's also referred to in the context of this story as "NVidia Display Driver Service". The service name itself is NVSvc.

I believe this service can be safely turned off without adverse effects. I've quite often set it to disabled in the past; however, recently I've let it run. Windows 7 doesn't seem to gain as much as XP did from disabling services to help on resources, memory (cheaper) etc.

BlitzenZeus "Burnt Out Cynic" (Premium Member, join:2000-01-13) to Mele20:

You need to learn to use the little buttons on your monitor to change the color, and brightness. You do that once, and then you never have to calibrate the monitor again anytime soon.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI):

No, that does not work. My monitor cannot be calibrated for digital vibrance nor for nVidia color settings except within nVidia. You don't seem to know much about nVidia cards. This is my third one on different computers on this monitor, which has about 28,000 hours on it. If nVidia cards, they must have color settings done from nVidia controls. If I used on-board graphics I could not get decent color, because on-board graphics does not have a digital vibrance setting. NOTHING achieves that using the monitor controls. I didn't say the new nVidia driver screwed with brightness, contrast, etc. Those are the settings that I would use the monitor's buttons for. If you rely on the monitor settings you have garbage colors... no vibrancy. The reds are really off and most greens, but most men are color blind for green and red so they can't see the great differences and, thus, dismiss digital vibrance because of their genetic shortcoming.

Of course, without nView an nVidia card is not worth much anyway, and there is no way to properly calibrate and have nVidia save all my Desktops without nView. I had no idea that now only professional nVidia cards are worth a damn. There was zero point in my waiting for six months for Dell to finally offer a decent nVidia card for this computer. I could have simply gotten an ATI 7870 and Windows 7.

BlitzenZeus "Burnt Out Cynic" (Premium Member, join:2000-01-13):

All I hear is crying from you on this issue, and I knew you couldn't reply without mentioning nview again...

ashrc4 (Premium Member, join:2009-02-06, australia) to PrntRhd, 2 edits:

FYI : Disable Built-in Administrator Account (super user)
»www.howtogeek.com/howto/ ··· s-vista/

First you need to enable the "One time" super user acc.
Set a password for it, then disable it.

Helps protect against some physical access issues.
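The three steps ashrc4 lists (enable the built-in Administrator once, give it a password, disable it again) can be scripted, with a check of the account's state first. The block below is an added example, not code from the thread or from the linked article. It locates the built-in Administrator by its fixed RID (500) rather than by name, since the account can be renamed, and prompts for the password rather than embedding it. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (LocalAccounts module) and an elevated prompt; the function names are mine.

```powershell
# Added example (not from the thread): inspect the built-in Administrator (RID 500)
# and, on request, run the enable / set password / disable sequence described above.

function Get-BuiltinAdministrator {
    # RID 500 is fixed for the built-in Administrator in every machine SID (S-1-5-21-...-500),
    # so this finds the account even if it has been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Show-BuiltinAdministratorState {
    $a = Get-BuiltinAdministrator
    [pscustomobject]@{
        Name             = $a.Name
        Enabled          = $a.Enabled
        PasswordRequired = $a.PasswordRequired   # False means the account has no password
        PasswordLastSet  = $a.PasswordLastSet
        LastLogon        = $a.LastLogon
    }
}

function Set-BuiltinAdministratorPasswordAndDisable {
    $a = Get-BuiltinAdministrator
    Enable-LocalUser -SID $a.SID                                     # step 1: enable the "one time" account
    $pw = Read-Host -Prompt "New password for $($a.Name)" -AsSecureString
    Set-LocalUser -SID $a.SID -Password $pw                          # step 2: set a password
    Disable-LocalUser -SID $a.SID                                    # step 3: disable it again
}

Show-BuiltinAdministratorState
# Uncomment to apply the three steps, then re-check:
# Set-BuiltinAdministratorPasswordAndDisable
# Show-BuiltinAdministratorState
```

The state check is the useful part for an audit: an account that is disabled but has PasswordRequired = False is the case the procedure is meant to close, since anything that manages to re-enable it would then get in with no password at all.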

Tuulilapsi "Kenosis" (Member, join:2002-07-29, Finland) to PrntRhd:

So basically this is yet another case of "we don't understand ACLs", this time from nVidia, eh? And here I was, hoping this kind of stuff was... well, stuff of the decade past.

Okay, so, what can all those folks with ancient nVidia cards, who are mortally afraid of updating their drivers lest the whole shebang crash and burn, do about this? I've got some people I know who are still using stuff like the geforce 7900 or what not. So the flaw is in the NVSvc service? Can that be just disabled to prevent exploiting the vulnerability? I don't even have an nVidia card on any of my rigs, so I can't well test if those cards can live without that service.

norwegian (Premium Member, join:2005-02-15, Outback):

Disabling the service is fine. As I've mentioned I used to do it as part of my cleanup of XP services.