Sign in with
Sign up | Sign in

Critical Security Problem in Nvidia's Drivers, Exploit Code Circulated

By - Source: Pastebin | B 21 comments

A software developer has posted details about a vulnerability in Nvidia's graphics driver that could allow an attacker to gain control over a user's computer.

According to Peter Winter-Smith's post on Pastebin, the problem is anchored in nvvsvc.exe, a file that is used in the Nvidia display driver service. The file is reportedly is vulnerable to a buffer overflow and code injection attack. Since nvvsvc.exe runs with full system access rights, the developer claims that any program can be installed by an attacker.

While the information on how the issue can be exploited is currently freely available and the exploit code circulated by Winter-Smith, it is unclear how the exploit could target a client PC and how it could be triggered. In his test setup, he used a Dell XPS 15 system with a GT540M GPU running under Windows 7 (64-bit). He also noted that he ran the test with full administrator rights on the PC with unrestricted access to the computer.

Nvidia has not reacted to the report yet and the post on Pastebin was removed with the comment: "I'm sorry to say that I've had to remove this post - it has caused some trouble for a few friends of mine and I didn't intend for that to happen." However, the author announced his discovery on several forums and websites, including attachments with the exploit code.

 

Contact Us for News Tips, Corrections and Feedback

Display 21 Comments.
This thread is closed for comments
  • 9 Hide
    kellybean , December 28, 2012 12:19 PM
    You would think this guy would do the right thing and tell Nvidia first and hopefully Nvidia would do the right thing and compensate the guy for the knowledge but noooooo.
  • -4 Hide
    mikenygmail , December 28, 2012 12:21 PM
    lostmyclani know that a long time ago... in my country has some hijack tools with the exe =) thats why i use ati.


    Yes, AMD/ATI drivers are much better.
  • 5 Hide
    curnel_D , December 28, 2012 12:22 PM
    Lol, and Nvidia wonders why Linux won't open up the kernel for their drivers.
  • -2 Hide
    jn77 , December 28, 2012 12:32 PM
    It is amazing how people dog ATI's drivers, but when Nvidia has driver issues, all the Nvidia fan boys just disappear. Not to mention it took 3-4 years and a class action lawsuit for Nvidia to come clean about their GPU hardware issues that messed everyone up not that long ago (2002-2005).

    Unless ATI does something really stupid, I will never use Nvidia's half...... hardware.
  • 3 Hide
    jaquith , December 28, 2012 12:42 PM
    HINT: Any application that has SACL access (full system access rights) has the potential to be hacked (exploited) in much the same exact manner.

    Google or search: 'ATI driver exploits' or pretty much any primary program your PC uses and at one point or another chances are someone hacked into it...
  • 2 Hide
    ethanolson , December 28, 2012 12:49 PM
    AMD gives better performance per watt for the most part. The issue I have is the driver tuning is lacking from a processing standpoint. My conclusion is rooted in experience from GPU video encoding and how the AMD output looks noticeably worse than NVidia or Intel and you can't improve it easily at this point. When they get that part of their engine fixed and there's better software support, then I'm making the switch.
  • 6 Hide
    warezme , December 28, 2012 1:20 PM
    mikenygmailYes, AMD/ATI drivers are much better.

    I sense a deep and scathing sense of sarcasm in this comment.
  • 1 Hide
    tomfreak , December 28, 2012 1:30 PM
    I got no trouble of AMD driver, but their too early to drop driver support to legacy status really scares me. example .... ATI HD4000
  • 4 Hide
    mikenygmail , December 28, 2012 1:31 PM
    warezmeI sense a deep and scathing sense of sarcasm in this comment.


    While typing it, I was afraid of that...
  • 0 Hide
    Old_Fogie_Late_Bloomer , December 28, 2012 1:43 PM
    warezmeI sense a deep and scathing sense of sarcasm in this comment.

    Yeah, I was like...wait, he is being sarcastic, right? The "/sarcasm" tag is your friend... :) 
  • 1 Hide
    mikenygmail , December 28, 2012 2:05 PM
    Old_Fogie_Late_BloomerYeah, I was like...wait, he is being sarcastic, right? The "/sarcasm" tag is your friend...


    I'm not being sarcastic. This article is about Nvidia driver security vulnerabilities. I am supporting AMD. Without AMD, we'd all be paying Intel $1000+ for any powerful CPU, and we'll all be paying Nvidia almost as much for a powerful graphics card. Join me, plant a tree, support AMD. :) 
  • 3 Hide
    Anonymous , December 28, 2012 2:25 PM
    Real good reporting, Tom's. It would be nice to know what version of the drivers are affected so I can switch to a different one.
  • 3 Hide
    JamesSneed , December 28, 2012 2:31 PM
    Why this turned into ATI vs Nvidia I have no idea. They both have had drivers exploited in a similar manor. Any driver like this that has to interact with low level hardware has potential to be hacked.

    I would like to suggest a new years resolution that everyone support both camps because without both doing well we get high prices and stagnation.
  • 1 Hide
    prophetzarquon , December 28, 2012 2:49 PM
    mikenygmailI'm not being sarcastic. This article is about Nvidia driver security vulnerabilities. I am supporting AMD. Without AMD, we'd all be paying Intel $1000+ for any powerful CPU, and we'll all be paying Nvidia almost as much for a powerful graphics card. Join me, plant a tree, support AMD.


    By that reasoning, you should buy Texas Instruments ARM processors!

    Which I do recommend, actually.

    Raspberry Pi, 700Mhz ARM CPU, Samsung GPU, 1080p HDMI output,
    $35 for a complete board turned out to be a very good price for me!
  • -5 Hide
    prophetzarquon , December 28, 2012 2:54 PM
    I prefer NVidia for the bang-for-the-buck performance, usually same with Intel on high end boards.

    All I can say about ATI is... "I had a bad experience."

    Several actually. Always, actually.

    Great hardware, terrible software: ATI, HP (commercial), Samsung (stock Galaxy S3 anyone?), the list goes on.
  • -2 Hide
    mt2e , December 28, 2012 3:23 PM
    Here the facts: AMD drivers have been terribad till this fall when they started pushing more driver updates for bugs and performance, if you disagree with this you straight up do NOT know what your talking about, its a fact. Nvidia has more money, has a bigger driver team and has done a better job for years. AMD wins in the price/performance and a 7970 is what i'd recommend BUT I will tell u Nvidia didnt try this round they pretty much released their products and was like thats that, nothing special. Their 690 was botched, a technical win but they priced it way too high and the price never came down. AMDs cards were priced way too high .....7970 started at like 600 and now what under 400 and they had that driver performance increase, I think they at least had a strat of a midstream bump via GHZ edition even tho it was kinda wack, everything counts.......blah blah blah I could go on but Im just gonna end this wall of txt.
  • -5 Hide
    hytecgowthaman , December 28, 2012 3:27 PM
    I am buy a laptop 6years ago (2007)Compaq c772tu at that time win xp is famous.so Iam decided to install xp 32bit sp2 (vista arrived).after install os ,download drivers from manufacturer website but sound driver not worked.other website give driver after 30days worked but update windows automatically sound driver not worked due to unknown signature and expired certificate.
    so use vista for hearing sound but sound driver is very old ,and xp for using programs in 160gb hdd 5400rpm.two os and softwares takes 50gb.
    after win7 comes my problem solved (after two years I am get good sound in my laptop 2009drivers by updating windows(before iam use 2002 driver files in xp given by hp ,2004 driver files for vista)(hp not give drivers for win7)"so how much time taken for good driver files" .then now iam use win7 ultimate 32bit in it all softwares work fine only one os so save hdd space.hdd driver Intel rapid storage work fine in only win7. IT'S THE REAL WORLD.
    So don't tease others.
  • -3 Hide
    prophetzarquon , December 28, 2012 3:57 PM
    mt2eHere the facts: AMD drivers have been terribad till this fall when they started pushing more driver updates for bugs and performance, if you disagree with this you straight up do NOT know what your talking about, its a fact. Nvidia has more money, has a bigger driver team and has done a better job for years. AMD wins in the price/performance and a 7970 is what i'd recommend BUT I will tell u Nvidia didnt try this round they pretty much released their products and was like thats that, nothing special. Their 690 was botched, a technical win but they priced it way too high and the price never came down. AMDs cards were priced way too high .....7970 started at like 600 and now what under 400 and they had that driver performance increase, I think they at least had a strat of a midstream bump via GHZ edition even tho it was kinda wack, everything counts.......blah blah blah I could go on but Im just gonna end this wall of txt.


    As I read this, I'm assuming that by saying AMD over & over, you mean ATI.

    I wouldn't be able to speak firsthand about GPU *or* CPU updates from ATI or AMD since this fall because I bought an NVidia and Intel layout in spring.

    For high end boards, a complete Intel system is often cheaper per operation/per-second than AMD.

    ATI vs NVidia... Hardware top-performance honors vary year by year but traditionally I have found NVidia software to be much more robust, functional & reliable while I otherwise would prefer the ATI hardware.
  • 1 Hide
    jonjonjon , December 28, 2012 7:35 PM
    kellybeanYou would think this guy would do the right thing and tell Nvidia first and hopefully Nvidia would do the right thing and compensate the guy for the knowledge but noooooo.


    agreed what a db. you want the publicity just say you found a vulnerability and tell nvidia. no need to publish code and all the info to put millions of pc's at risk.
  • 2 Hide
    jonjonjon , December 28, 2012 7:38 PM
    curnel_DLol, and Nvidia wonders why Linux won't open up the kernel for their drivers.

    yea cause if you google "Linux kernel vulnerability" the kernel is rock solid. if anyone cared enough to actually look for linux vulnerabilities like the do on windows it would be torn to shreds.
Display more comments