17 October, 2006

Exploit for NVIDIA binary graphics driver for Linux

An exploit has been published for NVIDIA's closed source graphics driver. The buffer overflow bug can lead to arbitrary code execution as root, locally and probably remotely. The FreeBSD and Solaris drivers could be affected too.

Closed source drivers


Having closed source drivers leaves users at the mercy of the vendor. In this case, this very bug was reported to NVIDIA 2 years ago. NVIDIA didn't want to fix it, and no one else had a chance to. And if you happen to have a pre-Geforce3 video card, tough luck: NVIDIA dropped support for those drivers, so no fixes for you. If the drivers were open source, this would be no problem. Only a single line of code is required, checking that the allocated buffer is big enough for the glyph data it is supposed to contain. Nothing a friendly hacker next door couldn't do.
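As an added illustration (not code from this post or from NVIDIA's driver), here is a hypothetical glyph-upload routine in the shape the post describes: the unchecked copy beside the version with the one missing size check. The glyph layout, the slot size and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define GLYPH_SLOT_BYTES 64   /* fixed-size cache slot, constructed for this example */

/* Hypothetical 1-bit-per-pixel glyph with rows padded to whole bytes.
   An illustrative layout, not the driver's real structure. */
struct glyph {
    uint32_t width, height;
    const uint8_t *bits;      /* height * ((width + 7) / 8) bytes */
};

/* Vulnerable pattern: the caller-supplied dimensions decide how much is
   copied and nothing compares that against the slot size, so a glyph
   larger than the slot writes past the end of the allocation. */
void upload_glyph_unchecked(uint8_t *slot, const struct glyph *g)
{
    size_t need = (((size_t)g->width + 7) / 8) * g->height;
    memcpy(slot, g->bits, need);          /* no bound on 'need' */
}

/* Hardened form: the one check the post calls for. Returns 0 on success,
   -1 if the glyph would not fit or the size computation would wrap. */
int upload_glyph_checked(uint8_t *slot, size_t slot_len, const struct glyph *g)
{
    size_t row = ((size_t)g->width + 7) / 8;
    if (row != 0 && g->height > SIZE_MAX / row)
        return -1;                        /* row * height would overflow */
    size_t need = row * g->height;
    if (need > slot_len)
        return -1;                        /* reject before touching memory */
    memcpy(slot, g->bits, need);
    return 0;
}

/* Constructed 8x8 sample bitmap (a letter 'A'); oversized glyphs below reuse
   this pointer because the checked path rejects them before reading it. */
static const uint8_t sample_bits[8] = {0x18,0x24,0x42,0x7e,0x42,0x42,0x42,0x00};

/* Try to upload a width x height glyph into a fresh slot and return the
   checked function's result: 8x8 (8 bytes) fits, 64x64 (512 bytes) does not. */
int demo_upload(uint32_t width, uint32_t height)
{
    uint8_t slot[GLYPH_SLOT_BYTES] = {0};
    struct glyph g = {width, height, sample_bits};
    return upload_glyph_checked(slot, sizeof slot, &g);
}
```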

Closed source drivers as kernel modules


Closed source kernel modules not only break Linux's GPL license, but also pose a great security risk. Being closed source, the code cannot be audited or fixed if a bug is found. Putting such insecure code into kernel space is a real threat. In the case of a bug allowing arbitrary code execution, an exploit may gain privileges not available to user space code, even when running as root.

Solution


The bug was fixed in the recently released drivers, version 1.0-9625 and later. For video cards older than the Geforce3 (and the Geforce 4mx, of course), the only solution is to use the nv driver shipped with Xorg, without 3D acceleration support, of course.

Bonus


At Kerneltrap, there is a comment with a proof-of-concept URL: http://nvidia.com/content/license/location_0605.asp?url=';a='a';i=18;while(i--)a%2b=a;location=a;//
Opening this URL makes the browser (it does not work on Konqueror) fill the URL line with the letter 'a', which is enough to trigger the bug and cause a DoS. Getting arbitrary code executed this way is of course harder, but this is bad enough already.