NVIDIA GeForce Experience Local Privilege Escalation (CVE-2019-5701)

​GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles which are essentially collections of settings that control what your graphics driver does when it loads specific games. In this blog post, we will walkthrough identifying and exploiting a Local Privilege Escalation vulnerability we found in GeForce Experience version 3.20.0.118 (the latest as of this writing) and older.

While analyzing the GeForce Experience software we noticed the following activity in Process Monitor right after toggling the GAMESTREAM feature off and back on under the SHIELD tab.

​Due to the lack of secure loading of libraries, the NVIDIA Container process is trying to load igdgmm64.dll with “NT AUTHORITY\SYSTEM” privileges from set of directories defined by the system path including the “C:\Python27” directory which is writeable by the “Authenticated Users” group.

​Now looking at the call stack we can see that LoadLibraryExW function is called after OpenAdapter+0x3cf in igdumdim64.dll (Intel HD Graphics Driver for Windows).

​Let’s open igdumdim64.dll in Ghidra and examine OpenAdapter function to confirm our assumptions.

In summary, igdumdim64.dll loads igdgmm64.dll to resolve symbols for OpenGmm exported function (for more information about OpenGmm function please refer to the following link) via GetProcAddress function. At this point all we need is drop malicious DLL under “C:\Python27” folder, in this case we coded DLL that would spawn a command prompt as demonstrated below.

We did send the vulnerability details to NVIDIA PSIRT team and patch was released in version 3.20.1.57, for more information see NVIDIA security bulletin here. Although we haven’t tested the patch, this vulnerability can be remediated by specifying fully qualified path for DLLs and/or the enforcement of digital certificate validation. Feel free to reach out at labs@activecyber.us if you have any questions. Also, see the link here for complete list of ACTIVELabs advisories.
 
Affected Products

• GeForce Experience version 3.20.0.118 and older

 
Disclosure Timeline

• 09-03-19: ACTIVELabs sent vulnerability details to NVIDIA PSIRT
• 09-04-19: NVIDIA PSIRT acknowledge report and opened a case
• 09-11-19: ACTIVELabs requested status update
• 09-11-19: NVIDIA PSIRT responded that the product team is still working to reproduce the issue
• 09-13-19: NVIDIA PSIRT requested additional information
• 09-13-19: ACTIVELabs sent requested information
• 09-19-19: ACTIVELabs sent supplementary vulnerability details to NVIDIA PSIRT
• 09-23-19: ACTIVELabs requested status update
• 09-23-19: NVIDIA PSIRT was able to reproduce the issue and patch is scheduled for release by the end of October
• 10-28-19: ACTIVELabs requested an update and provided copy of draft blog post which will be published after patch release
• 10-28-19: NVIDIA PSIRT responded with details about release dates and requested blog post for review
• 10-28-19: ACTIVELabs sent blog post draft
• 11-04-19: Patch released
• 11-06-19: NVIDIA security bulletin published
• 11-06-19: CVE-2019-5701 assigned
• 11-07-19: ACTIVELabs publishes this advisory