ID CVE-2016-8812
Summary For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before GFE 3.1.0.52 contains a vulnerability in the kernel mode layer (nvstreamkms.sys) allowing a user to cause a stack buffer overflow with specially crafted executable paths, leading to a denial of service or escalation of privileges.
References
Vulnerable Configurations
  • cpe:2.3:a:nvidia:geforce_experience
    cpe:2.3:a:nvidia:geforce_experience
  • NVIDIA NVS 810
    cpe:2.3:h:nvidia:nvs_810
  • NVIDIA NVS 510
    cpe:2.3:h:nvidia:nvs_510
  • NVIDIA NVS 315
    cpe:2.3:h:nvidia:nvs_315
  • NVIDIA NVS 310
    cpe:2.3:h:nvidia:nvs_310
  • NVIDIA Titan X
    cpe:2.3:h:nvidia:titan_x
  • NVIDIA GeForce GTX 1080
    cpe:2.3:h:nvidia:geforce_gtx_1080
  • NVIDIA GeForce GTX 1070
    cpe:2.3:h:nvidia:geforce_gtx_1070
  • NVIDIA GeForce GTX 1060
    cpe:2.3:h:nvidia:geforce_gtx_1060
  • NVIDIA GeForce GTX 1050
    cpe:2.3:h:nvidia:geforce_gtx_1050
  • NVIDIA GeForce GTX 965M
    cpe:2.3:h:nvidia:geforce_gtx_965m
  • NVIDIA GeForce GTX 960M
    cpe:2.3:h:nvidia:geforce_gtx_960m
  • NVIDIA GeForce GTX 950M
    cpe:2.3:h:nvidia:geforce_gtx_950m
  • NVIDIA GeForce 945M
    cpe:2.3:h:nvidia:geforce_945m
  • NVIDIA GeForce 940MX
    cpe:2.3:h:nvidia:geforce_940mx
  • NVIDIA GeForce 940M
    cpe:2.3:h:nvidia:geforce_940m
  • NVIDIA GeForce 930MX
    cpe:2.3:h:nvidia:geforce_930mx
  • NVIDIA GeForce 930M
    cpe:2.3:h:nvidia:geforce_930m
  • NVIDIA GeForce 920MX
    cpe:2.3:h:nvidia:geforce_920mx
  • NVIDIA GeForce 920
    cpe:2.3:h:nvidia:geforce_920m
  • NVIDIA GeForce 910M
    cpe:2.3:h:nvidia:geforce_910m
  • NVIDIA GeForce GT 730
    cpe:2.3:h:nvidia:geforce_gt_730
  • NVIDIA GeForce GT 710
    cpe:2.3:h:nvidia:geforce_gt_710
  • NVIDIA Quadro M5500
    cpe:2.3:h:nvidia:quadro_m5500
  • NVIDIA Quadro M5000M
    cpe:2.3:h:nvidia:quadro_m5000m
  • NVIDIA Quadro M4000M
    cpe:2.3:h:nvidia:quadro_m4000m
  • NVIDIA Quadro M3000M
    cpe:2.3:h:nvidia:quadro_m3000m
  • NVIDIA Quadro M2000M
    cpe:2.3:h:nvidia:quadro_m2000m
  • NVIDIA Quadro M1000M
    cpe:2.3:h:nvidia:quadro_m1000m
  • NVIDIA Quadro M600M
    cpe:2.3:h:nvidia:quadro_m600m
  • NVIDIA Quadro M500M
    cpe:2.3:h:nvidia:quadro_m500m
  • NVIDIA Quadro P6000
    cpe:2.3:h:nvidia:quadro_p6000
  • NVIDIA Quadro M6000
    cpe:2.3:h:nvidia:quadro_m6000
  • NVIDIA Quadro P5000
    cpe:2.3:h:nvidia:quadro_p5000
  • NVIDIA Quadro M5000
    cpe:2.3:h:nvidia:quadro_m5000
  • NVIDIA Quadro M4000
    cpe:2.3:h:nvidia:quadro_m4000
  • NVIDIA Quadro M2000
    cpe:2.3:h:nvidia:quadro_m2000
  • NVIDIA Quadro K1200
    cpe:2.3:h:nvidia:quadro_k1200
  • NVIDIA Quadro K620
    cpe:2.3:h:nvidia:quadro_k620
  • NVIDIA Quadro K420
    cpe:2.3:h:nvidia:quadro_k420
CVSS
Base: 7.2 (as of 29-11-2016 - 14:06)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like an MP3 sharing application, for the victim to download. The attacker is then notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from formatted configuration data to cause a buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector LOCAL
Complexity LOW
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
exploit-db via4
description NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation. CVE-2016-8812. Local exploit for Window...
file exploits/windows/local/40660.txt
id EDB-ID:40660
last seen 2016-11-01
modified 2016-10-31
platform windows
port
published 2016-10-31
reporter Google Security Research
source https://www.exploit-db.com/download/40660/
title NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation
type local
nessus via4
NASL family Windows
NASL id NVIDIA_WIN_CVE_2016_7389.NASL
description The version of the NVIDIA GPU display driver installed on the remote Windows host is 340.x, 341.x, or 342.x prior to 342.00, or 375.x prior to 375.63. It is, therefore, affected by multiple vulnerabilities:
  • An array-indexing error exists in nvlddmkm.sys due to improper validation of input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7381)
  • A flaw exists in nvlddmkm.sys due to missing permission checks. A local attacker can exploit this to disclose arbitrary memory contents and gain elevated privileges. (CVE-2016-7382)
  • A flaw exists in nvlddmkm.sys when handling memory mapping that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7383)
  • A flaw exists in nvlddmkm.sys when handling UVMLiteController device IO control input and output lengths. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-7384)
  • An untrusted pointer dereference flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x700010d. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7385)
  • A flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x70000d4 that allows a local attacker to disclose uninitialized memory contents. (CVE-2016-7386)
  • A flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x600000d that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7387)
  • A NULL pointer dereference flaw exists in nvlddmkm.sys that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges in certain unsafe configurations. (CVE-2016-7388)
  • An array-indexing error exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x7000194 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7390)
  • A flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x100010b that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-7391)
  • A flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x7000014 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8805)
  • An untrusted pointer dereference flaw exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x5000027 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8806)
  • A stack-based buffer overflow condition exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x10000e9 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8807)
  • A buffer overflow condition exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x70000d that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8808)
  • A buffer overflow condition exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x70001b2 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8809)
  • A buffer overflow condition exists in nvlddmkm.sys when handling DxgDdiEscape ID 0x100009a that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8810)
  • A flaw exists in nvlddmkm.sys driver when handling DxgDdiEscape ID 0x7000170 that allows a local attacker to cause a denial of service condition or the execution of arbitrary code with elevated privileges. (CVE-2016-8811)
  • A stack-based overflow condition exists in nvstreamkms.sys when handling executable paths. A local attacker can exploit this to execute arbitrary code with elevated privileges. Note that this vulnerability only affects systems that also have GeForce Experience software installed. (CVE-2016-8812)
last seen 2019-02-21
modified 2018-07-16
plugin id 94576
published 2016-11-04
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=94576
title NVIDIA Windows GPU Display Driver 340.x / 341.x / 342.x < 342.00 / 375.x < 375.63 Multiple Vulnerabilities
refmap via4
bid 93986
confirm http://nvidia.custhelp.com/app/answers/detail/a_id/4247
exploit-db 40660
Last major update 29-11-2016 - 14:18
Published 08-11-2016 - 15:59
Last modified 02-09-2017 - 21:29