NVIDIA Driver Bug Grants Arbitrary Root Access to Local Users
A flaw in NVIDIA’s closed-source video driver for Linux can be exploited to gain root privileges, according to a notification published by Dave Airlie, veteran Linux kernel and X.org developer. The bug, discovered and documented by an anonymous researcher, had also been submitted to NVIDIA in late June, but the company failed to respond.
The message is accompanied by a proof-of-concept script that reveals the exploitation mechanism. The /dev/nvidia0 device accepts changes to the VGA window, which allows the window to be moved until it reaches a location in physical memory that can be read and written. Once the exploit code is loaded into memory, it performs a privilege escalation attack by manipulating kernel memory.
Successful exploitation grants regular, limited local users root access (the equivalent of Administrator on Windows). Root users can make system-wide changes to the computer and control user accounts, among other things.
Open-source Linux and proprietary NVIDIA drivers have a long history of not playing well together, given the closed nature of the code, which prevents hacking and modification and, implicitly, community-supported patching. This not only made users complain, but also forced Linux maker Linus Torvalds to publicly refer to NVIDIA as “the single worst company he ever dealt with” in terms of driver development and support during the Aalto Talk in Otaniemi on June 14.