Nvidia Display Driver Service is insecure

An insecurity expert has found a vulnerability in the Nvidia Display Driver Service that could give administrator privileges on Windows machines to hackers.

Peter Winter-Smith, formerly with NGS Software of the UK, posted details of the vulnerability to Pastebin.

He claimed that the service is vulnerable to a stack buffer overflow that bypasses data execution prevention (DEP) and address space layout randomisation (ASLR).

The hole applies to every Windows operating system since Windows Vista.

He said that the service listens on a named pipe (pipensvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context should be able to exploit this vulnerability.
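The NULL DACL point is the one a Windows administrator can act on: a named pipe created with a NULL DACL has no access control at all, so every local user, and every remote user who can reach the pipe over SMB, gets full access. The following is an added example, not code from the article or from Nvidia, written for Windows PowerShell 5.1 (it relies on the .NET Framework `NamedPipeServerStream` overload that accepts a `PipeSecurity`). It builds a world-accessible pipe ACL that is equivalent in effect to a NULL DACL, builds a restricted one that blocks network callers, audits both with a small helper, and creates a server instance on a hypothetical pipe name, `example-svc`, with the restricted ACL.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1 on .NET Framework;
# the pipe name "example-svc" is hypothetical.
Add-Type -AssemblyName System.Core   # System.IO.Pipes lives here on .NET Framework

function New-PipeRule {
    param([string]$Identity, [System.IO.Pipes.PipeAccessRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type)
    New-Object System.IO.Pipes.PipeAccessRule($Identity, $Rights, $Type)
}

function Get-BroadAllowRules {
    # Audit helper: returns Allow rules granted to principals that effectively mean "anyone",
    # including NETWORK, which is what a remote SMB caller runs as.
    param([System.IO.Pipes.PipeSecurity]$Security)
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\NETWORK', 'BUILTIN\Users')
    $Security.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
}

# Weak configuration: Everyone / FullControl. In effect this is what a NULL DACL grants,
# since a NULL DACL means "no protection" (note: an *empty* DACL is the opposite and denies all).
$weak = New-Object System.IO.Pipes.PipeSecurity
$weak.AddAccessRule((New-PipeRule 'Everyone' FullControl Allow))

# Restricted configuration: deny network (remote) callers outright, give the service account
# and administrators full control, and give local interactive users only read/write.
$hard = New-Object System.IO.Pipes.PipeSecurity
$hard.AddAccessRule((New-PipeRule 'NT AUTHORITY\NETWORK'    FullControl Deny))
$hard.AddAccessRule((New-PipeRule 'NT AUTHORITY\SYSTEM'     FullControl Allow))
$hard.AddAccessRule((New-PipeRule 'BUILTIN\Administrators'  FullControl Allow))
$hard.AddAccessRule((New-PipeRule 'NT AUTHORITY\INTERACTIVE' ReadWrite  Allow))

# Show the resulting DACLs in SDDL form and flag the weak one.
foreach ($pair in @(@{Name='weak'; Sec=$weak}, @{Name='hard'; Sec=$hard})) {
    $sddl = $pair.Sec.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    $broadRules = @(Get-BroadAllowRules -Security $pair.Sec)
    "{0,-5} SDDL={1}" -f $pair.Name, $sddl
    if ($broadRules.Count -gt 0) {
        "      WARNING: {0} broad Allow rule(s): {1}" -f $broadRules.Count,
            (($broadRules | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
    }
}

# Create the server end of the hypothetical pipe with the restricted ACL attached at creation
# time; a client connecting as a network user is refused by the kernel before any data is read.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    'example-svc',
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                               # max server instances
    [System.IO.Pipes.PipeTransmissionMode]::Message,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,                                      # in/out buffer sizes
    $hard)
"pipe \\.\pipe\example-svc created; handle valid: $($server.SafePipeHandle -ne $null)"
$server.Dispose()
```

The deny rule for `NT AUTHORITY\NETWORK` is the piece that addresses the "remote user in a domain context" concern: it closes the pipe to SMB callers even on a host where file sharing is on and the firewall is relaxed. If the real client must be a specific service or group, replace the `INTERACTIVE` rule with that principal rather than widening it back to `Everyone`.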

Winter-Smith wrote that the buffer overflow occurs as a result of a bad memmove operation.

Fortunately for Nvidia the vulnerability is difficult to exploit because it mostly affects a domain-based machine, where there are relaxed firewall rules and file sharing is switched on. This is like a network manager having their server set to “please hack my server, I have no interest in staying in the industry”.

But if they were daft enough, there are a few servers out there which have settings more liberal than Finland.

Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it, but said that the risk from this particular flaw being exploited was sufficiently low that he didn’t think it would warrant the wait.

Curiously, when we went and had a look at the Pastebin entry this morning, Winter-Smith had pulled the post. He said that it had “caused a few of his friends a few problems”. It is not clear who the friends were, or if Nvidia had been having a quiet word with him or his friends, or if he had woken up with a decapitated press release in his bed.