
Re: Remote Root In Nvidia xserver Driver



On Wed, Oct 18, 2006 at 03:30:18AM +0100, paddy wrote:
> On Tue, Oct 17, 2006 at 09:53:49PM -0400, Noah Meyerhans wrote:
> > On Wed, Oct 18, 2006 at 02:11:24AM +0100, paddy wrote:
> > > > NB: although some are saying this is a local root exploit only, the
> > > > bulletin points out it can be exploited by visiting a malicious
> > > > webpage.
> > > 
> > > I've not scrutinised the claims closely, but it looks like a remote
> > > vulnerability to me :-(
> > 
> > The original(?) announcement of the vulnerability,
> > http://download2.rapid7.com/r7-0025/ , states that the problem can be
> > exploited as a DoS remotely via e.g. a specially crafted web page (an
> > example of which they've graciously provided).  However, as I read it,
> > it sounds like you can only run arbitrary code if you are actually
> > accessing the X server directly via a client.  While this client can be
> > local or remote, nobody is going to allow unauthenticated remote clients
> > to access their X server, so this might not be so bad...  Presumably
> > this is because it's not practical or feasible to provide the actual
> > shell code you want to jump to if you're only controlling an HTML
> > document.  If you're controlling the actual X client, it might be more
> > reasonable.  Of course, this may allow an attacker to leverage one of
> > the many Firefox exploits to run code as root...
> > 
> > Naturally, I could be wrong.
> 
> I read the advisory as describing a potential remote root exploit.

Sorry, that was as clear as mud :-) I meant even in the web-browser case,
they seem to be saying they think it might be worked to get root.

"It may be possible to use Flash movies, Java applets, or
 embedded web fonts to supply the custom glyph data necessary for
 reliable remote code execution."

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall


