View Single Post
Old 08-02-12, 03:29 AM   #1
leigh123linux
Registered User
 
leigh123linux's Avatar
 
Join Date: Feb 2008
Posts: 163
Exclamation nvidia linux binary driver priv escalation exploit

Please fix this security issue!!


http://permalink.gmane.org/gmane.com...sclosure/86747


Quote:
First up I didn't write this but I have executed it and it did work here,

I was given this anonymously, it has been sent to nvidia over a month
ago with no reply or advisory and the original author wishes to remain
anonymous but would like to have the exploit published at this time,
so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accept
changes to the VGA window and moves the window around until it can
read/write to somewhere useful in physical RAM, then it just does an
priv escalation by writing directly to kernel memory.

Dave.
http://permalink.gmane.org/gmane.com...sclosure/86747


http://pastebin.com/Gg0LBBUA

Code:
    [leigh@main-pc Desktop]$ ./nvidia[*] IDT offset at 0xffffffff81dea000[*] Abusing nVidia...[*] CVE-2012-YYYY[*] 64-bits Kernel found at ofs 0[*] Using IDT entry: 220 (0xffffffff81deadc0)[*] Enhancing gate entry...[*] Triggering payload...[*] Hiding evidence...[*] Have root, will travel..
    sh-4.2# whoami
    root
    sh-4.2#
__________________
leigh123linux
leigh123linux is offline   Reply With Quote