Powered by ACTIVECYBER, LLC
Powered by ACTIVECYBER, LLC
GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles which are essentially collections of settings that control what your graphics driver does when it loads specific games. In this blog post, we will walkthrough identifying and exploiting a Local Privilege Escalation vulnerability we found in GeForce Experience version 220.127.116.11 (the latest as of this writing) and older.
While analyzing the GeForce Experience software we noticed the following activity in Process Monitor right after toggling the GAMESTREAM feature off and back on under the SHIELD tab.
Due to the lack of secure loading of libraries, the NVIDIA Container process is trying to load igdgmm64.dll with “NT AUTHORITY\SYSTEM” privileges from set of directories defined by the system path including the “C:\Python27” directory which is writeable by the “Authenticated Users” group.
Now looking at the call stack we can see that LoadLibraryExW function is called after OpenAdapter+0x3cf in igdumdim64.dll (Intel HD Graphics Driver for Windows).
Let’s open igdumdim64.dll in Ghidra and examine OpenAdapter function to confirm our assumptions.
In summary, igdumdim64.dll loads igdgmm64.dll to resolve symbols for OpenGmm exported function (for more information about OpenGmm function please refer to the following link) via GetProcAddress function. At this point all we need is drop malicious DLL under “C:\Python27” folder, in this case we coded DLL that would spawn a command prompt as demonstrated below.
We did send the vulnerability details to NVIDIA PSIRT team and patch was released in version 18.104.22.168, for more information see NVIDIA security bulletin here. Although we haven’t tested the patch, this vulnerability can be remediated by specifying fully qualified path for DLLs and/or the enforcement of digital certificate validation. Feel free to reach out at firstname.lastname@example.org if you have any questions. Also, see the link here for complete list of ACTIVELabs advisories.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.