Powered by ACTIVECYBER, LLC
GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles, which are essentially collections of settings that control what your graphics driver does when it loads specific games. We identified a DLL hijacking vulnerability in the GeForce Experience software in late 2019 (see link for more details) and decided to revisit the software again this year. This led to the discovery of CVE-2020-5978 and CVE-2020-5990 within the same component, GAMESTREAM. However, in this blog post we will only go over CVE-2020-5990, because it is more interesting from an exploitation standpoint.
The GAMESTREAM functionality is quite convenient: it grants users the ability to access games on SHIELD devices such as TVs and tablets from a GeForce GTX-powered PC. Using dynamic analysis, we noticed a rather interesting behavior in Process Monitor when toggling the GAMESTREAM feature on. The nvcontainer.exe process writes to or creates a file named CaptureCore.log under the C:\ProgramData\NVIDIA Corporation\ShadowPlay\ directory without user impersonation (i.e. in the context of NT AUTHORITY\SYSTEM).
Moreover, the Everyone group has full control over the problematic file and its housing directory due to inheritance from the parent folder. At this point we were excited, because this makes CaptureCore.log a lucrative target for file redirection attacks.
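The permission problem above is easy to verify on a host without any tooling beyond PowerShell. The following audit script is an added example (not ACTIVELabs code or a NVIDIA tool): it reads the DACL of the ShadowPlay directory and log file, reports every Allow entry that grants a broad principal (Everyone, BUILTIN\Users, Authenticated Users) any write, delete or permission-changing right, says whether that entry is inherited from the parent (as it is here), and flags whether the log file currently is a reparse point. The paths are the ones from this post; the function name and the list of "broad" principals are my own choices.

```powershell
# Added example: audit who can write into the ShadowPlay log location and
# whether those rights come from inheritance. Not part of the original post.
$targets = @(
    'C:\ProgramData\NVIDIA Corporation\ShadowPlay',
    'C:\ProgramData\NVIDIA Corporation\ShadowPlay\CaptureCore.log'
)

# Principals that any standard, non-privileged user is a member of.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a low-privilege user replace or redirect the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "Skipping missing path: $Path"
        return
    }

    # -Force so a symbolic link is reported as itself rather than its target.
    $item = Get-Item -LiteralPath $Path -Force
    $isReparse = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights bits on inherit-only ACEs are still caught by the mask test.
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Path           = $Path
            Principal      = $ace.IdentityReference.Value
            Rights         = $ace.FileSystemRights
            Inherited      = $ace.IsInherited     # true here: rights flow down from C:\ProgramData
            IsReparsePoint = $isReparse           # true if someone already swapped in a link
        }
    }
}

$findings = foreach ($t in $targets) { Get-WeakAce -Path $t }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No broad-principal write access found on the audited paths.'
}
```

Run it as the user you want to test from; a row for Everyone with FullControl and Inherited = True on the directory is exactly the condition this post relies on. The same check is worth running against any ProgramData subfolder that a SYSTEM service writes into, since the inheritance from C:\ProgramData is the generic root cause rather than anything specific to ShadowPlay.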
However, after deleting CaptureCore.log and turning GAMESTREAM off and back on, we quickly realized there is a check in place for soft and hard links.
Let's confirm our assumptions by creating a symbolic link to a system file and turning GAMESTREAM off and back on to see how the nvcontainer.exe process reacts.
Just as we expected, the process determines the file is a symbolic link via GetFileAttributesA and bails out.
Following the stack trace, we identify the soft and hard link check in nvspapi64.dll (NVIDIA ShadowPlay API) using static analysis.
And ultimately the problematic caller function.
Both checks are sufficient on their own; however, once the check is complete, the handle to CaptureCore.log is closed and a new handle is obtained to perform additional actions such as fetching the final path via GetFinalPathNameByHandleA and writing to the log file. This gap introduces a race condition between the time the file is checked and the time it is created or written to (TOCTOU), allowing standard non-privileged users to create arbitrary files under the system folder as NT AUTHORITY\SYSTEM, and ultimately granting the Everyone group full control over said file, leading to local escalation of privileges. On to the exploitation part!
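The defect is not the link check itself but the close-and-reopen between check and use. The snippet below is an added example of the handle-based pattern that closes that window; it is not NVIDIA's code and not the ACTIVELabs proof of concept. It opens the log exactly once with FILE_FLAG_OPEN_REPARSE_POINT (so a symbolic link or junction is opened as itself, not followed), asks the kernel for the attributes and hard-link count of that open handle via GetFileInformationByHandle, and then writes through the same handle. The P/Invoke declarations, the function name Write-LogSafely and the path parameter are my own; the path default is the one from this post.

```powershell
# Added example: check-and-use on a single handle, so nothing can be swapped
# between the link check and the write. Not part of the original post.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
    [StructLayout(LayoutKind.Sequential)]
    public struct BY_HANDLE_FILE_INFORMATION {
        public uint FileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastAccessTime;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWriteTime;
        public uint VolumeSerialNumber;
        public uint FileSizeHigh;
        public uint FileSizeLow;
        public uint NumberOfLinks;
        public uint FileIndexHigh;
        public uint FileIndexLow;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
        uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetFileInformationByHandle(
        Microsoft.Win32.SafeHandles.SafeFileHandle hFile, out BY_HANDLE_FILE_INFORMATION lpFileInformation);
'@

function Write-LogSafely {
    param(
        [string]$Path = 'C:\ProgramData\NVIDIA Corporation\ShadowPlay\CaptureCore.log',
        [Parameter(Mandatory)][string]$Line
    )
    $GENERIC_WRITE                = 0x40000000
    $OPEN_ALWAYS                  = 4
    $FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
    $FILE_ATTRIBUTE_REPARSE_POINT = 0x400

    # Single open. Share mode 0 also denies other opens for the lifetime of the handle.
    $handle = [Win32.Native]::CreateFileW($Path, $GENERIC_WRITE, 0, [IntPtr]::Zero,
        $OPEN_ALWAYS, $FILE_FLAG_OPEN_REPARSE_POINT, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw "CreateFileW failed with Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Query the object behind the handle, never the path name again.
        $info = [Win32.Native+BY_HANDLE_FILE_INFORMATION]::new()
        if (-not [Win32.Native]::GetFileInformationByHandle($handle, [ref]$info)) {
            throw 'GetFileInformationByHandle failed'
        }
        if ($info.FileAttributes -band $FILE_ATTRIBUTE_REPARSE_POINT) {
            throw "Refusing to write: '$Path' is a reparse point (symbolic link or junction)"
        }
        if ($info.NumberOfLinks -gt 1) {
            throw "Refusing to write: '$Path' has $($info.NumberOfLinks) hard links"
        }

        # Write through the handle that was just checked; FileStream takes ownership of it.
        $stream = [System.IO.FileStream]::new($handle, [System.IO.FileAccess]::Write)
        try {
            [void]$stream.Seek(0, [System.IO.SeekOrigin]::End)
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($Line + "`r`n")
            $stream.Write($bytes, 0, $bytes.Length)
        } finally {
            $stream.Dispose()
        }
    } finally {
        if (-not $handle.IsClosed) { $handle.Dispose() }
    }
}

# Constructed usage: appends one line, or refuses if the log has been redirected.
Write-LogSafely -Line "$(Get-Date -Format o) capture core started"
```

Two caveats a reviewer would add. First, the reparse-point attribute is only reported for the final path component, so a junction placed on a parent directory is not caught by this flag; comparing GetFinalPathNameByHandle of the same open handle against the expected location covers that case. Second, this pattern only makes the link trick fail; the ACL that lets Everyone write into the directory in the first place is the real defect, and a SYSTEM service should log into a location that standard users cannot modify.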
First off, we open a handle to CaptureCore.log under C:\ProgramData\NVIDIA Corporation\ShadowPlay\ and then place an OpLock on it. Once the OpLock is triggered, signaling that the soft/hard link check has been performed by nvcontainer.exe, we create a symbolic link to a non-existent DLL under the C:\Windows\System32\ folder. Lastly, we load the DLL using the UsoDllLoader method discovered by Clément Labro and achieve privilege escalation.
We sent the vulnerability details to the NVIDIA PSIRT team, and a patch was released in version 126.96.36.199; for more information see the NVIDIA security bulletin here. Feel free to reach out at firstname.lastname@example.org if you have any questions. Also, see the link here for the complete list of ACTIVELabs advisories.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.