logo
Published on KernelTrap (http://kerneltrap.org)

Linux: NVIDIA Binary Graphics Driver Exploit

By Jeremy
Created Oct 16 2006 - 15:47

A recent security advisory [1] announced today by Rapid7 [2] explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is attached to this advisory." The advisory goes on to note that the FreeBSD and Solaris binary drivers are also likely vulnerable to the same flaw and cautions, "it is our opinion that NVIDIA's binary driver remains an unacceptable security risk based on the large numbers of reproducible, unfixed crashes that have been reported in public forums and bug databases."

Chad Loder [bio [3]], Rapid7's Manager of Engineering, explained that NVIDIA has known about this bug in their binary driver for some time, "the link [4] in the advisory is the earliest thread in which we could find an NVIDIA employee publicly acknowledging the bug, although it was reported back in 2004 and has probably existed even longer." Regarding the decision to announce the exploit to the public Chad explained, "I expect (or hope) that NVIDIA will fix the defect in their binary drivers quickly. I don't know anything about their development process or where their Linux drivers fit into their priority list. It seems that the majority of Linux users are perfectly willing to accept bugs in binary blob drivers from hardware vendors, so there is little incentive for NVIDIA to change their process."

The OpenBSD project has frequently warned against the inclusion of binary-only blobs in otherwise open source operating systems, making this problem the theme [5] of their 3.9 release. In recent KernelTrap interviews with Theo de Raadt [interview [6]], Jonathan Gray [interview [7]] and Damien Bergamini [interview [8]], much discussion was made of the potential security problems inherent in using binary blobs. In regards to the current exploit, the security advisory suggests disabling NVIDIA's binary blob driver and using instead the open-source "nv [9]" driver that is included with X.


Related links:

Source URL:
http://kerneltrap.org/node/7228

Links:
[1] http://www.rapid7.com/advisories/R7-0025.jsp
[2] http://www.rapid7.com/
[3] http://kerneltrap.org/openbsd/c2k6/who1#cloder
[4] http://www.nvnews.net/vbulletin/showthread.php?p=931048
[5] http://www.openbsd.org/lyrics.html#39
[6] http://kerneltrap.org/node/6550
[7] http://kerneltrap.org/node/6497
[8] http://kerneltrap.org/node/6497
[9] http://wiki.x.org/wiki/nv
[10] http://www.rapid7.com/advisories/R7-0025.jsp
[11] http://www.rapid7.com/advisories/R7-0025.jsp
[12] http://digg.com/security/NVIDIA_Binary_Graphics_Driver_Exploit