NVIDIA GeForce Experience Local Privilege Escalation (CVE-2020-5990)
GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles, which are essentially collections of settings that control what your graphics driver does when it loads specific games. We identified a DLL hijacking vulnerability in the GeForce Experience software in late 2019 (see link for more details) and decided to revisit the software again this year. This led to the discovery of CVE-2020-5978 and CVE-2020-5990 within the same component, GAMESTREAM. However, in this blog post we will only go over CVE-2020-5990 because it is more interesting from an exploitation standpoint.
The GAMESTREAM functionality is quite convenient: it lets users access games on SHIELD devices such as TVs and tablets from a GeForce GTX-powered PC. Using dynamic analysis, we noticed rather interesting behavior in Process Monitor when toggling the GAMESTREAM feature on. The nvcontainer.exe process writes to or creates a file named CaptureCore.log under the C:\ProgramData\NVIDIA Corporation\ShadowPlay\ directory without user impersonation (i.e. in the context of NT AUTHORITY\SYSTEM).
Moreover, the Everyone group has full control over the problematic file and its housing directory due to inheritance from the parent folder. At this point we were excited, because this makes CaptureCore.log a lucrative target for file redirection attacks.
However, after deleting CaptureCore.log and turning GAMESTREAM off and back on, we quickly realized there is a check in place for soft and hard links.
Let's confirm our assumption by creating a symbolic link to a system file and turning GAMESTREAM off and back on to see how the nvcontainer.exe process reacts.
Just as we expected, the process determines that the file is a symbolic link via GetFileAttributesA and bails out.
Following the stack trace, we identified the soft and hard link check in nvspapi64.dll (NVIDIA ShadowPlay API) using static analysis.
And ultimately the problematic caller function.
Both checks are sufficient on their own; however, once the check is complete, the handle to CaptureCore.log is closed and a new handle is obtained to perform additional actions such as fetching the final path via GetFinalPathNameByHandleA and writing to the log file. This gap introduces a race condition between the time the file is checked and the time it is created or written to (TOCTOU), allowing standard non-privileged users to create arbitrary files under the system folder as NT AUTHORITY\SYSTEM, with the Everyone group granted full control on the resulting file, which ultimately leads to local privilege escalation. On to the exploitation part!
First off, we open a handle to CaptureCore.log under C:\ProgramData\NVIDIA Corporation\ShadowPlay\ and place an OpLock on it. Once the OpLock is triggered, signaling that the soft/hard link check has been performed by nvcontainer.exe, we create a symbolic link to a non-existent DLL under the C:\Windows\System32\ folder. Lastly, we load the DLL using the UsoDllLoader method discovered by Clément Labro and achieve privilege escalation.
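The two preconditions described above, a SYSTEM-written path that world-writable identities can modify and a log file that can be turned into a reparse point, can both be checked from the defender's side. The script below is an added audit helper, not code from the original post or from NVIDIA; the directory and file name come from the post, while the identity list and the write-rights mask are assumptions for this example, and the hard-link count is not inspected.

```powershell
# Added audit helper (not from the original post): reports write access for
# world identities on the ShadowPlay directory and CaptureCore.log, and flags
# the log file if it has become a reparse point (symlink/junction).
param(
    [string]$ShadowPlayDir = 'C:\ProgramData\NVIDIA Corporation\ShadowPlay',
    [string]$LogName = 'CaptureCore.log'
)

# Assumed set of identities that any local user can act as.
$WorldIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Assumed mask: any of these rights on a SYSTEM-written path is worth reporting.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WeakAce {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WorldIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            # The post notes the weak ACL was inherited from the parent folder.
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

if (-not (Test-Path -LiteralPath $ShadowPlayDir)) {
    Write-Output "Directory not present: $ShadowPlayDir"
    return
}

Test-WeakAce -Path $ShadowPlayDir | Format-Table -AutoSize

$logPath = Join-Path $ShadowPlayDir $LogName
if (Test-Path -LiteralPath $logPath) {
    Test-WeakAce -Path $logPath | Format-Table -AutoSize
    $item = Get-Item -LiteralPath $logPath -Force
    # A reparse point here means the log path no longer points at a plain file.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        Write-Warning "$logPath is a reparse point; the log path has been redirected"
    }
}
```

An empty table for both paths after updating to 3.20.5.70 or later, together with no reparse-point warning, is the expected result on a patched host.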
We sent the vulnerability details to the NVIDIA PSIRT team and a patch was released in version 3.20.5.70; for more information see the NVIDIA security bulletin here. Feel free to reach out at labs@activecyber.us if you have any questions. Also, see the link here for the complete list of ACTIVELabs advisories.
Affected Products
All versions prior to 3.20.5.70
Disclosure Timeline
09-10-20: ACTIVELabs sent vulnerability details to NVIDIA PSIRT
09-10-20: NVIDIA PSIRT acknowledged the report and opened a case
09-21-20: ACTIVELabs requested status update
09-21-20: NVIDIA PSIRT responded that the development team was still investigating the issue
09-29-20: NVIDIA PSIRT confirmed the issue and planned to release a fix by November
10-01-20: NVIDIA PSIRT reported they were having difficulties reproducing the issue with the exploit binary provided
10-06-20: NVIDIA PSIRT requested exploit source code
10-07-20: ACTIVELabs sent exploit source code
10-15-20: NVIDIA PSIRT informed ACTIVELabs that the patch would be released at the end of October
10-22-20: NVIDIA security bulletin published
10-22-20: CVE-2020-5990 assigned
10-23-20: ACTIVELabs published an advisory
11-20-20: ACTIVELabs published this blog post