2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor walks through how to analyze the GeForce Experience OS command injection vulnerability. The article is detailed and written from a practitioner's point of view; I hope you take something away from it.
Vulnerability overview
In this article we introduce a remote command execution vulnerability in NVIDIA GeForce Experience (GFE), CVE-2019-5678. GFE versions prior to 3.19 are affected; the vulnerability can be exploited by luring the target user to a phishing site.
NVIDIA GFE
The official NVIDIA website describes GeForce Experience as a way to "capture and share videos, screenshots and real-time streams with friends, keep your drivers up to date and optimize your game settings". It is an application installed alongside GeForce products to provide users with richer features.
Vulnerability discovery
MWR Labs pointed out in its security report that GFE starts a local API server at run time, and that this API controls the various functions of GFE: when you change a setting in the GFE GUI, the program calls the local API. The next step is to study how the API server works and see whether it exposes anything interesting. Since the server GFE starts is a Node.js Express application, a large number of the related JavaScript source files can be found under "C:\Program Files (x86)\NVIDIA Corporation\NvNode".
To make a valid request to the server, you need a custom HTTP header containing a random token that is generated when the program starts and stored in "%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json". The file name nodejs.json is static and the storage location never changes, so the file is very easy to locate. Its content looks roughly as follows:
Analysis of the authentication header
First, we need to work out whether the authentication mechanism can be bypassed so that valid unauthenticated requests can be sent to the API. Looking at line 185 of index.js, the so-called header check is implemented simply by comparing the key value stored in the file with the value of the custom security header. If the comparison fails, a 403 error response is returned.
So far I have not found a way to bypass it, because this authentication mechanism is fairly straightforward. What is worth noting, however, is how CORS is configured. On line 181 the "Access-Control-Allow-Origin" header is set to "*" for all requests, which means that if the secret token can be obtained in some way, the attacker controls the origin of the requests the server accepts and can send valid requests to the server directly. In particular, an attacker can send requests with XHR together with the custom security header.
API testing
If we can successfully send requests to the API, we want to know which endpoints can be abused (for instance, to execute arbitrary code). Searching all the source files for "exec" with grep turns up the file NvAutoDownload.js:
As you can see, the endpoint "/gfeupdate/autoGFEInstall/" accepts a POST request with Content-Type set to "text/*"; the arbitrary text in the request body ends up injected into a command string, and the childProc function executes it as an operating system command:
The request above successfully launches calc.exe. That is no surprise, because the only thing the attacker needs to know is the secret token stored in the file. So the next step is to find a way to read the secret token value contained in that file.
Vulnerability exploitation
As mentioned earlier, because of the way the CORS policy is implemented, namely allowing requests from any origin, an attacker can carry out the attack through the browser. The precondition is knowing the secret token value, and the only way to obtain it is to trick the user into uploading the file that contains it. Because this file has a static path and a static file name, an attacker can easily arrange this from a browser page, and the command injection then requires only a few key presses from the user.
Detailed steps of vulnerability exploitation
In Chrome, anything can be copied to the clipboard directly through keyboard shortcuts, whereas Firefox requires additional mouse clicks. In the end, the exploit for Chrome requires the user to press the key combination "CTRL+V+Enter".
The specific steps are as follows:
1. "CTRL": copies the path of the file containing the secret value, "%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json", to the clipboard, and also opens the file input dialog used to upload the file.
2. "V": pastes the clipboard value into the file input dialog.
3. "Enter": uploads nodejs.json, after which the page reads the contents of the file.
4. The page sends an XHR request to the GFE API, using the token read from the file, to execute arbitrary commands on the target host.
The exploit does require some user interaction, but very little. NVIDIA has fixed this problem in the latest version, GFE v3.19, so we strongly recommend that users install the latest version of GFE as soon as possible. And if you do not need GFE at all, it is best to uninstall it to reduce the extra attack surface.
The above is the editor's analysis of the GeForce Experience OS command injection vulnerability. If you have had similar questions, the analysis above may help you understand the issue. If you want to know more, you are welcome to follow the industry information channel.