NVIDIA Patches Command Execution Vulnerability in GeForce Experience

A recently patched vulnerability in the NVIDIA GeForce Experience (GFE) could be exploited for the execution of arbitrary commands on affected systems, Rhino Security Labs reveals.

The NVIDIA GFE is a companion application installed alongside GeForce drivers, which allows users to capture and share videos, screenshots, and live streams, while also providing the means to keep drivers updated and game settings optimized. 

Tracked as CVE-2019-5678 and residing in a local “Web Helper” server that GFE launches on startup, the vulnerability could be exploited by tricking a victim into visiting a crafted web site and making a few key presses, David Yesland, security researcher with Rhino Security Labs, says.

“NVIDIA GeForce Experience contains a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service or information disclosure,” NVIDIA notes in an advisory.

At startup, GFE launches a local API server that controls different aspects of the application; changes made from the GUI most likely translate into calls to this local API. The server only accepts authenticated requests, however, and Yesland says he could not find a way to bypass that authentication.

He did find, however, that the server accepted valid requests from any Origin, including an attacker-controlled web site, as long as the requester knew the secret token. Because the CORS policy allowed requests from any Origin, the attack could be carried out from the victim's browser.

“This attack still required having knowledge of the secret token. The only way around this is if a user could be tricked into uploading the file containing the token. But since the secret token file has a static path and name this could be achieved fairly easily in the browser, which would only require the user to press a couple keys to achieve command injection,” Yesland explains. 

In Chrome, the researcher explains, the exploit needs only three key presses, CTRL+V and Enter: a web page is allowed to place arbitrary text on the clipboard, in this case the static path of the token file, so pasting it into the file selection dialog and confirming is enough. In Firefox, however, "this step would require a mouse click of some kind," he notes.

The attack does require some user interaction, but it is minimal enough that a user could be trivially tricked into performing the actions.

“The real issue here seems to be that the API allows Cross Origin Resource Sharing from any Origin, which means it is possible to perform an XHR request to any of the endpoints through the browser if the secret token were obtained through any method,” the security researcher says. 

NVIDIA addressed the vulnerability in the latest GFE release by removing the endpoint that allowed the command injection. The open CORS policy, however, has not been changed, and the nodejs.json file that holds the token remains at a static location, so a browser can still interact with the API if the token is obtained by other means.
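To make the point of the quoted analysis concrete, here is an added example, not code from NVIDIA or Rhino Security Labs, that models a local helper API like the one GFE starts. It puts a permissive CORS policy, which mirrors any Origin, next to a strict one that refuses foreign origins on the server side, and shows that with the permissive policy the token alone no longer protects the endpoint once an attacker's page has learned it. The token value, the allowed origin and the endpoint behaviour are assumptions made for the illustration.

```javascript
// Added example (not NVIDIA's or Rhino Security Labs' code): a model of a local
// "helper" API like the one GFE starts, showing why an open CORS policy, and not
// the secret token alone, decides whether an attacker's web page can reach it.
// The token value, the GUI's origin and the endpoint behaviour are assumptions.

// Constructed stand-in for the token GFE keeps in its static nodejs.json file.
const SECRET_TOKEN = "5f3a9c1e7b2d4a6c8e0f1a2b3c4d5e6f";
// Assumption: the legitimate GUI client is served from this origin.
const ALLOWED_ORIGIN = "http://localhost:8080";

// Constant-time string comparison so the token check does not leak by timing.
function tokenMatches(candidate) {
  if (typeof candidate !== "string" || candidate.length !== SECRET_TOKEN.length) return false;
  let diff = 0;
  for (let i = 0; i < SECRET_TOKEN.length; i++) {
    diff |= candidate.charCodeAt(i) ^ SECRET_TOKEN.charCodeAt(i);
  }
  return diff === 0;
}

// Core policy decision, kept free of network I/O so it can be exercised directly.
// `req` is {method, origin, token}; `origin` is undefined when the client sent no
// Origin header (a native process) and a string for browser-issued requests.
// The result records the status, the CORS headers sent back, and whether the
// endpoint's side effect (for GFE, launching a command) would run.
function handleRequest(policy, req) {
  const headers = {};
  if (policy === "permissive") {
    // Mirror whatever Origin arrived. Any site the victim visits can now read
    // responses, and a simple POST triggers the side effect regardless.
    headers["Access-Control-Allow-Origin"] = req.origin || "*";
    headers["Access-Control-Allow-Headers"] = "Authorization";
  } else if (policy === "strict") {
    // Decide on the server. Merely omitting CORS headers is not enough: the
    // browser would only hide the response, while a simple request still
    // reaches the handler and runs. Foreign origins are refused before any work.
    if (req.origin !== undefined && req.origin !== ALLOWED_ORIGIN) {
      return { status: 403, headers, executed: false };
    }
    headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN;
    headers["Access-Control-Allow-Headers"] = "Authorization";
    headers["Vary"] = "Origin";
  } else {
    throw new Error("unknown policy: " + policy);
  }
  // A preflight never carries the token and never executes anything.
  if (req.method === "OPTIONS") return { status: 204, headers, executed: false };
  if (!tokenMatches(req.token)) return { status: 401, headers, executed: false };
  return { status: 200, headers, executed: true };
}

// Wrapper that exposes the same decision as a real HTTP server on 127.0.0.1.
// Not started here; call startServer("strict", 8081) from a REPL to try it.
function startServer(policy, port) {
  const http = require("http");
  return http.createServer((req, res) => {
    const auth = req.headers["authorization"] || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : undefined;
    const result = handleRequest(policy, { method: req.method, origin: req.headers["origin"], token });
    res.writeHead(result.status, result.headers);
    res.end(result.executed ? "executed\n" : "");
  }).listen(port, "127.0.0.1");
}

// Scenario from the article: an attacker page that has learned the token (by
// getting the victim to upload nodejs.json) sends an XHR to the local API.
const attackerRequest = { method: "POST", origin: "https://attacker.example", token: SECRET_TOKEN };
const guiRequest = { method: "POST", origin: ALLOWED_ORIGIN, token: SECRET_TOKEN };
```

With the permissive policy, `handleRequest("permissive", attackerRequest)` reports the side effect as executed and even echoes the attacker's origin back in `Access-Control-Allow-Origin`; with the strict policy the same request is refused with 403 before the token is ever checked, while the GUI's own request still succeeds. Note that the strict variant rejects on the server rather than relying on the browser to withhold the response, because a simple cross-origin POST is delivered to the server whether or not CORS headers come back.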

Another GFE flaw patched by NVIDIA stems from the application loading Windows system DLLs without validating their path or signature; an attacker with local system access could exploit it to execute code and escalate privileges.

Related: NVIDIA Patches High Severity Bugs in GPU Display Driver

Related: NVIDIA Patches Serious Flaw in GeForce Experience Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
