Hacker News
Nvidia Display Driver Service Exploit (pastebin.com)
74 points by idiamin on Dec 25, 2012 | 3 comments



So there's a somewhat sophisticated message protocol that allows for variable-length fields that they parse in-situ into a _fixed size_ buffer allocated on the _stack_?

Come on, it's not the 90s anymore.

(Of course, it's useful to note that the many mitigations have made this a difficult exploit for what is at its basis a very old mistake. And the somewhat unique situation that the code can leak information back, which here allowed for the bypass of stack cookies (and the virtual base, I guess?))
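The mistake this comment describes, shown as an added C example that is not from the pastebin, the driver, or the commenter: a constructed length-prefixed message layout (the real protocol's layout is not on this page, and FIELD_MAX is an assumed size), with the unchecked copy into a fixed stack buffer beside the bounds-checked parser that should replace it.

```c
#include <stdint.h>
#include <string.h>

/* Constructed message layout for illustration (not the driver's real protocol):
 * bytes 0..3 = little-endian u32 field length, bytes 4.. = field data.
 * The parser copies the field into a fixed FIELD_MAX-byte buffer. */
#define FIELD_MAX 32
enum parse_status { PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };
static uint32_t read_le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern criticised above: the attacker-controlled length drives the copy
 * into a fixed stack buffer.  Kept for contrast only and never executed here;
 * an oversize length smashes the frame, which is what a stack cookie detects. */
static int parse_field_unsafe(const uint8_t *msg) {
    uint8_t field[FIELD_MAX];
    memcpy(field, msg + 4, read_le32(msg));   /* no bound on the copy size */
    return field[0];
}
/* Hardened form: bound the length by the destination size AND by the bytes
 * actually received before any memory is touched.  Returns bytes copied or a
 * negative parse_status. */
static int parse_field_safe(const uint8_t *msg, size_t msg_len,
                            uint8_t out[FIELD_MAX]) {
    if (msg_len < 4) return PARSE_TRUNCATED;
    uint32_t len = read_le32(msg);
    if (len > FIELD_MAX) return PARSE_TOO_LONG;     /* destination bound */
    if (len > msg_len - 4) return PARSE_TRUNCATED;  /* wire bound */
    memcpy(out, msg + 4, len);
    return (int)len;
}

/* Constructed sample messages exercising the three outcomes. */
static int demo_good(void) {                /* length 5, payload "hello" */
    const uint8_t msg[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[FIELD_MAX];
    int rc = parse_field_safe(msg, sizeof msg, out);
    return (rc == 5 && memcmp(out, "hello", 5) == 0) ? rc : -99;
}
static int demo_oversize(void) {            /* claims 4096 bytes, sends 1 */
    const uint8_t msg[] = {0x00, 0x10, 0x00, 0x00, 'x'};
    uint8_t out[FIELD_MAX];
    return parse_field_safe(msg, sizeof msg, out);  /* PARSE_TOO_LONG */
}
static int demo_truncated(void) {           /* claims 8 bytes, sends 2 */
    const uint8_t msg[] = {8, 0, 0, 0, 'a', 'b'};
    uint8_t out[FIELD_MAX];
    return parse_field_safe(msg, sizeof msg, out);  /* PARSE_TRUNCATED */
}
```

Both checks in the hardened parser matter: the destination bound stops the stack overflow, and the wire bound stops an over-read past the received message, which is the kind of defect that feeds the information leak discussed below.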


> And the somewhat unique situation that the code can leak information back, which here allowed for the bypass of stack cookies

Information leaks are by far the most important class of bugs in modern exploitation. They're really common, and they generally nullify ASLR completely. The Array.reduceRight vulnerability in Firefox is a fantastic example of this: https://bugzilla.mozilla.org/show_bug.cgi?id=664009. That bug can be used to leak info about JS objects, which gives you enough information to circumvent ASLR. The same bug also allows code execution using that info.


These graphics driver exploits seem to be fairly common.

Here's an older one for Linux, which was posted some months ago: http://seclists.org/fulldisclosure/2012/Aug/4



