Vulnerabilities > CVE-2013-0109 - Buffer Errors vulnerability in Nvidia Display Driver 307.00/310.00

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
nvidia
CWE-119
nessus
exploit available
metasploit
NVD
Published: 2013-04-08
Updated: 2013-04-09

Summary

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not properly handle exceptions, which allows local users to gain privileges or cause a denial of service (memory overwrite) via a crafted application.

Vulnerable Configurations

Part Description Count
Application
Nvidia
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionNvidia (nvsvc) Display Driver Service - Local Privilege Escalation. CVE-2013-0109. Local exploit for win64 platform
idEDB-ID:30393
last seen2016-02-03
modified2013-12-17
published2013-12-17
reportermetasploit
sourcehttps://www.exploit-db.com/download/30393/
titleNvidia nvsvc Display Driver Service - Local Privilege Escalation

Metasploit

descriptionThe named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to interact with the service. It contains a stacked based buffer overflow as a result of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe', the service name is 'nvsvc', and the named pipe is 'nsvr'. This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012. It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
idMSF:EXPLOIT/WINDOWS/LOCAL/NVIDIA_NVSVC
last seen2020-06-13
modified2017-07-24
published2013-07-17
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/nvidia_nvsvc.rb
titleNvidia (nvsvc) Display Driver Service Local Privilege Escalation

Nessus

NASL familyWindows
NASL idNVIDIA_CVE_2013_0109.NASL
descriptionThe version of the NVIDIA Display Driver service on the remote Windows host is later than 174.00 but prior to 307.78, or later than 310.00 but prior to 311.00. It is therefore affected by the following vulnerabilities : - An privilege escalation vulnerability exists due to not properly handling exceptions. A local attacker, using a crafted application, could exploit this to overwrite memory, allowing the execution of arbitrary code or causing a denial of service. (CVE-2013-0109) - A privilege escalation vulnerability exists in the Stereoscopic 3D Driver service due to an unquoted service search path. A local attacker, using a trojan horse program, could exploit this to execute arbitrary code in the root path. (CVE-2013-0110) - A privilege escalation vulnerability exists in the Update Service Daemon due to an unquoted service search path. A local attacker, using a trojan horse program, could exploit this to execute arbitrary code in the root path. (CVE-2013-0111)
last seen2020-06-01
modified2020-06-02
plugin id83521
published2015-05-18
reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/83521
titleNVIDIA Display Driver 174.x < 307.78 / 310.x < 311.00 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83521);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2013-0109", "CVE-2013-0110", "CVE-2013-0111");
  script_bugtraq_id(58459, 58460, 58461);
  script_xref(name:"CERT", value:"957036");
  script_xref(name:"EDB-ID", value:"30393");

  script_name(english:"NVIDIA Display Driver 174.x < 307.78 / 310.x < 311.00 Multiple Vulnerabilities");
  script_summary(english:"Checks Driver Version");

  script_set_attribute(attribute:"synopsis", value:
"A video display service on the remote Windows host is affected by
multiple privilege escalation vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the NVIDIA Display Driver service on the remote Windows
host is later than 174.00 but prior to 307.78, or later than 310.00
but prior to 311.00. It is therefore affected by the following
vulnerabilities :

  - An privilege escalation vulnerability exists due to not
    properly handling exceptions. A local attacker, using a
    crafted application, could exploit this to overwrite
    memory, allowing the execution of arbitrary code or
    causing a denial of service. (CVE-2013-0109)

  - A privilege escalation vulnerability exists in the
    Stereoscopic 3D Driver service due to an unquoted
    service search path. A local attacker, using a trojan
    horse program, could exploit this to execute arbitrary
    code in the root path. (CVE-2013-0110)

  - A privilege escalation vulnerability exists in the
    Update Service Daemon due to an unquoted service search
    path. A local attacker, using a trojan horse program,
    could exploit this to execute arbitrary code in the root
    path. (CVE-2013-0111)");
  script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/3288");
  script_set_attribute(attribute:"solution", value:
"Upgrade to NVIDIA graphics drivers version 307.78 / 311.00 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/18");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:display_driver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("wmi_enum_display_drivers.nbin");
  script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

kb_base = 'WMI/DisplayDrivers/';

# double check in case optimization is disabled
kbs = get_kb_list(kb_base + '*/Name');
if (isnull(kbs)) exit(0, 'No display drivers were found.');

nvidia_found = FALSE;
foreach name (kbs)
  if ("NVIDIA" >< name) nvidia_found = TRUE;

if (!nvidia_found) exit(0, 'No NVIDIA display drivers were found.');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

report = '';

foreach kb (keys(kbs))
{
  name = kbs[kb];
  # only check NVIDIA drivers
  if ("NVIDIA" >!< name) continue;

  id = kb - '/Name';

  version = get_kb_item_or_exit(id + '/Version');
  driver_date = get_kb_item_or_exit(id + '/DriverDate');

  disp_driver_date = driver_date;

  fix = '';

  # 174 - 304 Branch (304.xx - 309.xx)
  if ( version =~ "^17[4-9]\." ||
       version =~ "^1[89][0-9]\." ||
       version =~ "^2[0-9][0-9]\." ||
       version =~ "^30[0-9]\."
     )
  {
    if (ver_compare(ver:version, fix:"307.78", strict:FALSE) == -1)
      fix = '307.78';
  }

  # 310 Branch (310.xx - 318.xx)
  if (version =~ "^31[0-8]\." && ver_compare(ver:version, fix:"311.00", strict:FALSE) == -1)
    fix = '311.00';

  if (fix != '')
  {
    report += '\n  Device name    : ' + name +
              '\n  Driver version : ' + version +
              '\n  Driver date    : ' + disp_driver_date +
              '\n  Fixed version  : ' + fix + '\n';
  }
}

if (report != '')
{
  if (report_verbosity > 0) security_hole(port:0, extra: report);
  else security_hole(0);
}
else exit(0, "No vulnerable NVIDIA display adapters were found.");

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/124465/nvidia_nvsvc.rb.txt
idPACKETSTORM:124465
last seen2016-12-05
published2013-12-17
reporterPeter Wintersmith
sourcehttps://packetstormsecurity.com/files/124465/Nvidia-nvsvc-Display-Driver-Service-Local-Privilege-Escalation.html
titleNvidia (nvsvc) Display Driver Service Local Privilege Escalation

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:83790
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-83790
    titleNvidia (nvsvc) Display Driver Service - Local Privilege Escalation
  • bulletinFamilyexploit
    descriptionCVE-2013-0109 NVIDIA Graphics Driver是一款流行的图形驱动程序 Windows下的NVIDIA显示驱动服务存在一个未明错误,允许本地攻击者利用漏洞提升权限 0 NVIDIA Graphics Drivers for Windows 300.x NVIDIA Graphics Drivers for Windows 310.x 厂商解决方案 NVIDIA Graphics Drivers for Windows 307.83或311.00已经修复此漏洞,建议用户下载更新: http://www.nvidia.com
    idSSV:60692
    last seen2017-11-19
    modified2013-03-19
    published2013-03-19
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-60692
    titleWindows平台下的NVIDIA图形驱动程序权限提升漏洞(CVE-2013-0109)

References