Topic: NVIDIA GeForce Experience OS Command Injection CVE-2019-5678

JeGX

Quote
This post is a walkthrough of the vulnerability that we discovered that allows execution of arbitrary commands on a system with the NVIDIA GeForce Experience (GFE) prior to version 3.19 installed – CVE-2019-5678. The exploit can be achieved by convincing a victim to visit a crafted web site and make a few key presses. This is possible due to command injection which was discovered in a local “Web Helper” server which GFE launches on startup.

...

MWR Labs stated in this blog post that GFE starts a local API server which allows control over different aspects of GFE. When you change a setting in the GFE GUI interface, it is likely just making a call to this local API. Knowing this, I thought it may be worthwhile to look into the API to see if there was any interesting functionality. The server that is started by GFE is NodeJS Express and many of the JavaScript source files can be found in “C:\Program Files (x86)\NVIDIA Corporation\NvNode”.

...

Links:
- https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/
- https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-5678