nvidia linux binary driver priv escalation exploit

[leigh123linux]

Please fix this security issue!!


http://permalink.gmane.org/gmane.com...sclosure/86747

Quote:

First up I didn't write this but I have executed it and it did work here,

I was given this anonymously, it has been sent to nvidia over a month
ago with no reply or advisory and the original author wishes to remain
anonymous but would like to have the exploit published at this time,
so I said I'd post it for them.

It basically abuses the fact that the /dev/nvidia0 device accept
changes to the VGA window and moves the window around until it can
read/write to somewhere useful in physical RAM, then it just does an
priv escalation by writing directly to kernel memory.

Dave.

http://permalink.gmane.org/gmane.com...sclosure/86747


http://pastebin.com/Gg0LBBUA

Code:

    [leigh@main-pc Desktop]$ ./nvidia[*] IDT offset at 0xffffffff81dea000[*] Abusing nVidia...[*] CVE-2012-YYYY[*] 64-bits Kernel found at ofs 0[*] Using IDT entry: 220 (0xffffffff81deadc0)[*] Enhancing gate entry...[*] Triggering payload...[*] Hiding evidence...[*] Have root, will travel..
    sh-4.2# whoami
    root
    sh-4.2#

[sjlopezb]

NO recommend user root.

Recommended user normal.

[leigh123linux]

Quote:

Originally Posted by sjlopezb

NO recommend user root.

Recommended user normal.

Your reply is senseless.

[towo|]

Does not work for me

Code:

~/scripts
towo:Defiant> uname -a
Linux Defiant 3.5-0.towo-siduction-amd64 #1 SMP PREEMPT Mon Jul 30 16:30:29 UTC 2012 x86_64 GNU/Linux

~/scripts
towo:Defiant> whoami 
towo

~/scripts
towo:Defiant> ./nvidia [*] IDT offset at 0xffffffff8172a000[*] Abusing nVidia...[*] CVE-2012-YYYY[*] 64-bits Kernel found at ofs 0[*] Using IDT entry: 220 (0xffffffff8172adc0)[*] Enhancing gate entry...[*] Triggering payload...
Getötet

~/scripts
towo:Defiant>

driver is 304.30

[artem]

304.32 drivers fix this security issue.

[leigh123linux]

Confirmed

Code:

[leigh@main-pc Desktop]$ ./nvidia [*] IDT offset at 0xffffffff81dea000[*] Abusing nVidia...
[leigh@main-pc Desktop]$ ./nvidia [*] IDT offset at 0xffffffff81dea000[*] Abusing nVidia...
[leigh@main-pc Desktop]$ ./nvidia [*] IDT offset at 0xffffffff81dea000[*] Abusing nVidia...
[leigh@main-pc Desktop]$

[eskuai]

Linux darkstar 3.4.6-2.fc17.i686.PAE #1 SMP Thu Jul 19 21:49:03 UTC 2012 i686 i686 i386 GNU/Linux
[*] IDT offset at 0xc0b70000[*] Abusing nVidia...[*] CVE-2012-YYYY[*] 32-bits Kernel found at ofs 0[*] Using IDT entry: 220 (0xc0b706e0)[*] Enhancing gate entry...[*] Triggering payload...[*] Hiding evidence...
callsetroot returned 1 (1)[*] Failed to get root.

nvidia 302.17

[kokoko3k]

Fails here too with nvidia 302.17, pae system

[phil@elrepo]

I've been unable to exploit RHEL5 or RHEL6 64-bit systems running 256.53, 295.59 or 302.17. Some users report hard lockups (crashes) whereas I see nothing.

Code:

[phil@Quad nvidia]$ ./nvidia-exploit
[*] IDT offset at 0xffffffff804b8000
[*] Abusing nVidia...
[phil@Quad nvidia]$ whoami
phil

[kokoko3k]

Well, I've had an instant reboot after i tried to change tty