[ILUG] NVIDIA Binary Graphics Driver Exploit
Justin Mason
jm at jmason.org
Tue Oct 17 14:41:58 IST 2006
Gavin McCullagh writes:
> On Tue, 17 Oct 2006, Ewan Oughton wrote:
> > Or just make sure your X server is listening on the lo interface only...
> > Default in most distros I have come across
>
> I haven't tested it but:
>
> "This bug can be exploited both locally or remotely (via a remote X client
> or an X client which visits a malicious web page). "
>
> suggests that an attacker need not connect to the X server, they can
> apparently build a nasty webpage and convince the user to go to that.
That's pretty theoretical. http://download2.rapid7.com/r7-0025/ has more
details:
It is also trivial to exploit this vulnerability as a DoS by causing
an existing X client program (such as Firefox) to render a long text
string. It may be possible to use Flash movies, Java applets, or
embedded web fonts to supply the custom glyph data necessary for
reliable remote code execution.
A simple HTML page containing an INPUT field with a long value is
sufficient to demonstrate the DoS.
the PoC has a great comment btw:
/************************************************************************
* BEGIN FONT HEAP OVERFLOW SETUP CODE
*
* "It's so hard to write a graphics driver that open-sourcing it would
* not help."
* - Andrew Fear, Software Product Manager (NVIDIA Corporation).
**********************************************************************/
ROFL ;)
--j.