nV News Forums > Linux Support Forums > NVIDIA Linux
Old 08-02-12, 02:29 AM   #1
leigh123linux
nvidia linux binary driver priv escalation exploit

Please fix this security issue!!


http://permalink.gmane.org/gmane.com...sclosure/86747


Quote:
First up I didn't write this but I have executed it and it did work here,

I was given this anonymously, it has been sent to nvidia over a month
ago with no reply or advisory and the original author wishes to remain
anonymous but would like to have the exploit published at this time,
so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accepts
changes to the VGA window and moves the window around until it can
read/write to somewhere useful in physical RAM, then it just does a
priv escalation by writing directly to kernel memory.

Dave.
http://permalink.gmane.org/gmane.com...sclosure/86747


http://pastebin.com/Gg0LBBUA

Code:
    [leigh@main-pc Desktop]$ ./nvidia
    [*] IDT offset at 0xffffffff81dea000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff81deadc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    [*] Hiding evidence...
    [*] Have root, will travel..
    sh-4.2# whoami
    root
    sh-4.2#
Old 08-03-12, 05:16 PM   #2
sjlopezb
Re: nvidia linux binary driver priv escalation exploit

NO recommend user root.

Recommended user normal.
Old 08-03-12, 08:41 PM   #3
leigh123linux
Re: nvidia linux binary driver priv escalation exploit

Quote:
Originally Posted by sjlopezb View Post
NO recommend user root.

Recommended user normal.
Your reply is senseless.
Old 08-04-12, 11:36 AM   #4
towo|
Re: nvidia linux binary driver priv escalation exploit

Does not work for me
Code:
~/scripts
towo:Defiant> uname -a
Linux Defiant 3.5-0.towo-siduction-amd64 #1 SMP PREEMPT Mon Jul 30 16:30:29 UTC 2012 x86_64 GNU/Linux

~/scripts
towo:Defiant> whoami 
towo

~/scripts
towo:Defiant> ./nvidia
[*] IDT offset at 0xffffffff8172a000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff8172adc0)
[*] Enhancing gate entry...
[*] Triggering payload...
Getötet

~/scripts
towo:Defiant>
driver is 304.30
Old 08-04-12, 03:49 PM   #5
artem
Re: nvidia linux binary driver priv escalation exploit

304.32 drivers fix this security issue.
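A defender-side check, added here and not code from this thread or from NVIDIA: taking the release that post #5 reports as carrying the fix (304.32), it parses the kernel module version from /proc/driver/nvidia/version and reports whether a host still runs an earlier driver such as the 302.17 and 304.30 builds people tested above. The proc-file line format is an assumption, and the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Driver release that post #5 in this thread reports as fixing the issue.
FIXED_VERSION = (304, 32)

# Assumed first-line format of /proc/driver/nvidia/version:
# "NVRM version: NVIDIA UNIX x86_64 Kernel Module  304.30  <build date>"
_NVRM_RE = re.compile(r"^NVRM version:.*?Kernel Module\s+(\d+(?:\.\d+)+)", re.M)


def parse_nvrm_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the module version as an int tuple, or None if no NVRM line."""
    m = _NVRM_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version: Tuple[int, ...]) -> bool:
    """Tuple comparison: (304, 30) < (304, 32) < (304, 43)."""
    return version >= FIXED_VERSION


def assess(text: str) -> str:
    """Classify proc-file text as 'no-driver', 'unfixed' or 'fixed'."""
    version = parse_nvrm_version(text)
    if version is None:
        return "no-driver"
    return "fixed" if is_fixed(version) else "unfixed"


def assess_host(path: str = "/proc/driver/nvidia/version") -> str:
    """Run the check on the live host; a missing file means no module loaded."""
    try:
        with open(path) as f:
            return assess(f.read())
    except FileNotFoundError:
        return "no-driver"


# Constructed samples mirroring driver versions reported in this thread.
SAMPLES = {
    "towo_304_30": "NVRM version: NVIDIA UNIX x86_64 Kernel Module  304.30  Mon Jul 30 2012\n"
                   "GCC version:  gcc version 4.7.1\n",
    "eskuai_302_17": "NVRM version: NVIDIA UNIX x86 Kernel Module  302.17  Tue Jun 12 2012\n",
    "fixed_304_32": "NVRM version: NVIDIA UNIX x86_64 Kernel Module  304.32  Mon Aug 6 2012\n",
    "no_module": "",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {assess(text)}")
    print("this host:", assess_host())
```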
Old 08-04-12, 05:00 PM   #6
leigh123linux
Re: nvidia linux binary driver priv escalation exploit

Confirmed


Code:
[leigh@main-pc Desktop]$ ./nvidia
[*] IDT offset at 0xffffffff81dea000
[*] Abusing nVidia...
[leigh@main-pc Desktop]$ ./nvidia
[*] IDT offset at 0xffffffff81dea000
[*] Abusing nVidia...
[leigh@main-pc Desktop]$ ./nvidia
[*] IDT offset at 0xffffffff81dea000
[*] Abusing nVidia...
[leigh@main-pc Desktop]$
Old 08-05-12, 03:52 PM   #7
eskuai
failed ? nvidia linux binary driver priv escalation exploit

Linux darkstar 3.4.6-2.fc17.i686.PAE #1 SMP Thu Jul 19 21:49:03 UTC 2012 i686 i686 i386 GNU/Linux
[*] IDT offset at 0xc0b70000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc0b706e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned 1 (1)
[*] Failed to get root.

nvidia 302.17
Old 08-06-12, 05:35 AM   #8
kokoko3k
Re: nvidia linux binary driver priv escalation exploit

Fails here too with nvidia 302.17, pae system
Old 08-06-12, 05:59 AM   #9
phil@elrepo
Re: nvidia linux binary driver priv escalation exploit

I've been unable to exploit RHEL5 or RHEL6 64-bit systems running 256.53, 295.59 or 302.17. Some users report hard lockups (crashes) whereas I see nothing.

Code:
[phil@Quad nvidia]$ ./nvidia-exploit
[*] IDT offset at 0xffffffff804b8000
[*] Abusing nVidia...
[phil@Quad nvidia]$ whoami
phil
Old 08-08-12, 10:49 AM   #10
kokoko3k
Re: nvidia linux binary driver priv escalation exploit

Well, I've had an instant reboot after I tried to change tty