PrntRhd
Premium
join:2004-11-03
Fairfield, CA
Reviews:
·Comcast

1 recommendation

Nvidia driver exploit allows super user escalation

»arstechnica.com/security/2013/01···ity-bug/

A new GeForce driver has been released that fixes the issue less than two weeks since the flaw came to light.



norwegian
Premium
join:2005-02-15
Outback

1 edit

Maybe someone can explain more:

The proof-of-concept code allows attackers to create a super-user account on vulnerable systems that is added to a network's Administrator group, according to SecurityWeek.

The update service for Nvidia now has a user Updatus User
»www.nvidia.com/object/nvidia-update.html
»forums.geforce.com/default/topic···suser-/1

Is this exploit creating a new user or just changing the already placed user with higher permissions?

Edit:
On second thoughts, it is a device driver after all. Permissions on the SOHO computer are already there; I've misunderstood the part of the super-user reference; that is relative to a hack over a network and an admin's computer controlling the network.

Either way, this seems serious enough that I've let the admins know. However, if they do their job correctly, they would be receiving emails or newsletters relative to this one, I would think.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



CovMac
Premium
join:2000-11-06
Covington, LA
reply to PrntRhd

Got it. Thanks!
--
Mac


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to norwegian

said by norwegian:

Maybe someone can explain more:

The proof-of-concept code allows attackers to create a super-user account on vulnerable systems that is added to a network's Administrator group, according to SecurityWeek.

The update service for Nvidia now has a user Updatus User
»www.nvidia.com/object/nvidia-update.html
»forums.geforce.com/default/topic···suser-/1

Is this exploit creating a new user or just changing the already placed user with higher permissions?

The proof of concept creates a new local account and adds it to the local Admins group (RID = 544); however, that's only one thing an attacker could do. The exploit exposes SYSTEM-level local privileges, which is probably what they mean by super-user (SYSTEM = S-1-5-18, analogous to 'root'). The SecurityWeek story quotes two of the ingredients: 1) service running as SYSTEM (kind of a default) and 2) service has a pipe open with a NULL DACL. Variations on this theme are still out there; as the story notes, this is a bigger threat in enterprise environments, given that elsewhere there's predominantly no need to elevate privileges.

said by norwegian:

Maybe someone can explain more:
Edit:
On second thoughts, it is a device driver after all. Permissions on the SOHO computer are already there; I've misunderstood the part of the super-user reference; that is relative to a hack over a network and an admin's computer controlling the network.

It's actually a service (user-mode) that communicates with the driver infrastructure, but that's neither here nor there.


norwegian
Premium
join:2005-02-15
Outback

said by psloss:

The proof of concept creates a new local account and adds it to the local Admins group (RID = 544); however, that's only one thing an attacker could do. The exploit exposes SYSTEM-level local privileges, which is probably what they mean by super-user (SYSTEM = S-1-5-18, analogous to 'root'). The SecurityWeek story quotes two of the ingredients: 1) service running as SYSTEM (kind of a default) and 2) service has a pipe open with a NULL DACL. Variations on this theme are still out there; as the story notes, this is a bigger threat in enterprise environments, given that elsewhere there's predominantly no need to elevate privileges.

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

Null DACL:
»msdn.microsoft.com/en-us/library···85).aspx

The presence of a null discretionary access-control list (DACL) in the nTSecurityDescriptor attribute of any object can create a serious security risk. A null DACL grants full access to any user that requests it; normal security checking is not performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL is a properly allocated and initialized DACL containing no access-control entries (ACEs). An empty DACL grants no access to the object it is assigned to.
For more information, see Null DACLs and Empty DACLs.

How was that one missed?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
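The two posts above turn on a distinction that is easy to get wrong when reviewing a service's objects: a null DACL (no DACL at all, everyone gets full access) versus an empty DACL (a DACL with no ACEs, nobody gets access), plus the case psloss describes, a SYSTEM-owned pipe whose DACL exists but hands write access to a broad group. The following is an added example, written for this thread and not code from NVIDIA, Microsoft or any poster. It parses Windows SDDL strings, which is the text form an administrator gets from tooling such as .NET's GetSecurityDescriptorSddlForm, and classifies the DACL of each one. The sample descriptors are constructed for illustration and are not the real NVSvc pipe descriptor; the classifier goes a little beyond the posts by also handling hex-encoded rights masks, SDDL's explicit NO_ACCESS_CONTROL token for a null DACL, and a trailing SACL component.

```python
import re

# Subset of the documented two-letter SDDL SID aliases that matter for this audit.
SID_ALIASES = {
    "SY": "S-1-5-18",      # LocalSystem ("SYSTEM"), the account the vulnerable service ran as
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators, RID 544
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "IU": "S-1-5-4",       # Interactive logon users
    "AN": "S-1-5-7",       # Anonymous
}

# Principals that any local user falls under; write access for them on a SYSTEM-owned
# pipe is the "overly permissive" pattern, one step short of a null DACL.
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4", "S-1-5-7"}

# Two-letter rights codes that grant write-class access (generic all/write, write DAC,
# write owner, file all/write) and the equivalent bits for hex-encoded masks.
DANGEROUS_RIGHT_CODES = {"GA", "GW", "WD", "WO", "FA", "FW"}
GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER, FILE_WRITE_DATA = (
    0x10000000, 0x40000000, 0x40000, 0x80000, 0x2)
DANGEROUS_MASK = GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | WRITE_OWNER | FILE_WRITE_DATA


def expand_sid(token):
    """Turn an SDDL alias (SY, BA, ...) into a SID string; pass full SIDs through."""
    return SID_ALIASES.get(token, token)


def split_rights(rights):
    """Rights are either one hex mask ('0x1F01FF') or concatenated two-letter codes ('GRGW')."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_ace(ace):
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid'. Conditional ACEs are not handled."""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: %r" % ace)
    ace_type, flags, rights, _obj, _inh, sid = fields[:6]
    return {"type": ace_type, "flags": flags, "rights": split_rights(rights), "sid": expand_sid(sid)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL.

    dacl is None when the descriptor has no DACL at all (null DACL), an empty list
    when 'D:' is present with no ACEs (empty DACL), and a list of ACEs otherwise.
    """
    sd = {"owner": None, "group": None, "dacl": None, "dacl_flags": "", "sacl": None}
    # Component bodies never contain ':' (conditional ACEs aside), so split at each marker.
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key == "O":
            sd["owner"] = expand_sid(body)
        elif key == "G":
            sd["group"] = expand_sid(body)
        else:
            m = re.match(r"([^(]*)((?:\([^)]*\))*)$", body)
            if m is None:
                raise ValueError("malformed ACL component: %r" % part)
            flags, aces = m.group(1), re.findall(r"\(([^)]*)\)", m.group(2))
            if key == "D":
                # SDDL spells an explicit null DACL as 'D:NO_ACCESS_CONTROL'.
                sd["dacl"] = None if flags == "NO_ACCESS_CONTROL" else [parse_ace(a) for a in aces]
                sd["dacl_flags"] = flags
            else:
                sd["sacl"] = [parse_ace(a) for a in aces]
    return sd


def grants_write(rights):
    for r in rights:
        if r.startswith("0x"):
            if int(r, 16) & DANGEROUS_MASK:
                return True
        elif r in DANGEROUS_RIGHT_CODES:
            return True
    return False


def classify_dacl(sddl):
    """Return 'null', 'empty', 'overly-permissive' or 'restricted' for the DACL in sddl."""
    sd = parse_sddl(sddl)
    if sd["dacl"] is None:
        return "null"            # no security checking at all: anyone gets full access
    if not sd["dacl"]:
        return "empty"           # properly initialised DACL with no ACEs: nobody gets access
    for ace in sd["dacl"]:
        if ace["type"] == "A" and ace["sid"] in BROAD_PRINCIPALS and grants_write(ace["rights"]):
            return "overly-permissive"
    return "restricted"


# Constructed sample descriptors (not the real NVSvc pipe), keyed by a label.
SAMPLES = {
    "pipe-missing-dacl":  "O:SYG:SY",
    "pipe-explicit-null": "O:SYG:SYD:NO_ACCESS_CONTROL",
    "pipe-empty-dacl":    "O:SYG:SYD:",
    "pipe-world-writable": "O:SYG:SYD:(A;;GA;;;WD)",
    "pipe-users-hex":     "O:SYG:SYD:(A;;0x1F01FF;;;BU)",
    "pipe-hardened":      "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;AU)S:(ML;;NW;;;LW)",
}


def audit(samples=SAMPLES):
    """Classify every descriptor; anything not 'restricted' deserves a look."""
    return {name: classify_dacl(sddl) for name, sddl in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print("%-20s %s" % (name, verdict))
```

The hardened sample is the shape a SYSTEM service's pipe should take: full control for SYSTEM and the local Administrators group, read-only for authenticated users, with the P flag so inherited ACEs cannot widen it. Feed the function the SDDL strings your own tooling reports for the objects a service creates, and treat anything classified as null or overly-permissive as the same class of bug the thread is discussing.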



norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to psloss

I found this link quite interesting too in regards to security group policy and Null DACLs.

»blogs.technet.com/b/askds/archiv···acl.aspx

The problem with security processing occurs when the file or folder residing in the targeted folder contains a null DACL. Explicitly, this file or folder does not have any permissions. So Windows cannot determine how to propagate inherited permissions to the object because the object itself does not actually have permissions.

Also this seems a good article: (English)
»edc.tversu.ru/elib/inf/0088/0596···t-2.html

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to norwegian

said by norwegian:

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

It's not a driver security issue; this exploit can be accomplished from user mode without involving the drivers. (There's a slight disconnect with whoever wrote the SecurityWeek headline.)


kickass69

join:2002-06-03
Lake Hopatcong, NJ

Regardless, Nvidia should release an update for all its graphics cards...not just the ones it currently supports, for security issues. People who have 7000 series graphics cards and older will continue to be vulnerable otherwise.



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to PrntRhd

How do I know if I need this? I don't see my GPU in the list, but I ran the tool anyway. It doesn't tell me if I need this update.

About Your GPU

GeForce GTX260m

Your device supports: PhysX, CUDA

Your device does not support: DirectX 11, 3D Vision, SLI

Clock 500MHz, Memory 1024MB
--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11


phxuser

join:2010-03-16
Scottsdale, AZ

1 edit

The security issue is with the Nvidia update service.

Correction: Vulnerability is Display Driver Service NVSvc

From the Nvidia website:
What is NVIDIA Update?
NVIDIA Update keeps your PC up-to-date with the latest NVIDIA drivers by notifying you when a new driver is available and directing you to the driver on www.nvidia.com. Starting with R275 drivers, NVIDIA Update also provides automatic updates for game and program profiles, including SLI profiles.

Which products are supported by NVIDIA Update?
NVIDIA Update provides notifications for GeForce and ION GPUs for both desktop and notebook PCs. Other NVIDIA GPUs are not supported at this time.

How do I get NVIDIA Update?
When you install a Release 270 or later GeForce/ION driver from www.nvidia.com, you will be presented with the option to install NVIDIA Update.


psloss
Premium
join:2002-02-24
Lebanon, KS

said by phxuser:

The security issue is with the Nvidia update service.

That's a separate service (which also happens to NOT be running as SYSTEM). The display name of the service is "NVIDIA Driver Helper Service"; it's also referred to in the context of this story as "NVidia Display Driver Service". The service name itself is NVSvc.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to phxuser

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 recommendation

said by Mele20:

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?

It trashes color settings?
Are you saying it does this for everyone who updates nVidia drivers, or just yourself?
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to PrntRhd

In related news:
AMD warns of security hole in its Catalyst Control Center. I have an older ATI GPU that doesn't have the Control Center.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Dustyn

I don't know if it happens to others or just me. I have a 660 GTX card on a Win 8 computer. The last nVidia driver update trashed my color settings. I was really surprised it did that. I used system restore to get back to the earlier version. I didn't really need that driver update as it was to improve certain games that I don't have. It was not a security update.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


PrntRhd
Premium
join:2004-11-03
Fairfield, CA
Reviews:
·Comcast
reply to Mele20

said by Mele20:

nVidia Update Service doesn't work. It throws an error. Besides, why would anyone update nVidia driver when doing so trashes your color settings?

I updated my driver on this PC and it made the rendering improve. "Your mileage may vary".


norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to psloss

said by psloss:

said by norwegian:

This is quite interesting - what do Microsoft and its 3rd-party vendors do in regards to driver security?

It's not a driver security issue; this exploit can be accomplished from user mode without involving the drivers. (There's a slight disconnect with whoever wrote the SecurityWeek headline.)

I should not have mentioned driver either, thank you for pointing that out and clarifying it for the discussion.

said by psloss:

That's a separate service (which also happens to NOT be running as SYSTEM). The display name of the service is "NVIDIA Driver Helper Service"; it's also referred to in the context of this story as "NVidia Display Driver Service". The service name itself is NVSvc.

I believe this service can be safely turned off without adverse effects. I've quite often set it to disabled in the past; however, recently I've let it run. Windows 7 doesn't seem to gain as much as XP did from disabling services to help on resources, memory (cheaper) etc.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to Mele20

You need to learn to use the little buttons on your monitor to change the color, and brightness. You do that once, and then you never have to calibrate the monitor again anytime soon.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

No, that does not work. My monitor cannot be calibrated for digital vibrance nor for nVidia color settings except within nVidia. You don't seem to know much about nVidia cards. This is my third one on different computers on this monitor, which has about 28,000 hours on it. If nVidia cards, they must have color settings done from nVidia controls. If I used onboard graphics I could not get decent color because onboard graphics does not have a digital vibrance setting. NOTHING achieves that using the monitor controls. I didn't say the new nVidia driver screwed with brightness, contrast, etc. Those are the settings that I would use the monitor's buttons for. If you rely on the monitor settings you have garbage colors...no vibrancy. The reds are really off and most greens, but most men are color blind for green and red so they can't see the great differences and, thus, dismiss digital vibrance because of their genetic shortcoming.

Of course, without nView an nVidia card is not worth much anyway, and there is no way to properly calibrate and have nVidia save all my Desktops without nView. I had no idea that now only professional nVidia cards are worth a damn. There was zero point in my waiting for six months for Dell to finally offer a decent nVidia card for this computer. I could have simply gotten an ATI 7870 and Windows 7.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

All I hear is crying from you on this issue, and I knew you couldn't reply without mentioning nview again...



ashrc4
Premium
join:2009-02-06
australia

2 edits
reply to PrntRhd

FYI : Disable Built-in Administrator Account (super user)
»www.howtogeek.com/howto/windows-···s-vista/

First you need to enable the "One time" super user acc.
Set a password for it, then disable it.

Helps protect against some physical access issues.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!


Tuulilapsi
Kenosis

join:2002-07-29
Finland
reply to PrntRhd

So basically this is yet another case of "we don't understand ACLs", this time from nVidia, eh? And here I was, hoping this kind of stuff was... well, stuff of the decade past.

Okay, so, what can all those folks with ancient nVidia cards, who are mortally afraid of updating their drivers lest the whole shebang crash and burn, do about this? I've got some people I know who are still using stuff like the geforce 7900 or what not. So the flaw is in the NVSvc service? Can that be just disabled to prevent exploiting the vulnerability? I don't even have an nVidia card on any of my rigs, so I can't well test if those cards can live without that service.
--
Limited User Accounts.
Software Restriction Policies.



norwegian
Premium
join:2005-02-15
Outback


Disabling the service is fine. As I've mentioned I used to do it as part of my cleanup of XP services.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke